Silk Road forums
Discussion => Security => Topic started by: midas on March 16, 2012, 02:13 pm
-
Source: http://www.eweek.com/c/a/Security/MacBook-Air-Resistant-to-ColdBoot-Encryption-Attack/ [2008]
One of the most hated things on Apple's new MacBook Air laptops—the fact that it's impossible to upgrade the laptop's RAM—could accidentally turn out to be quite a useful security feature.
In fact, according to Ivan Krstic, director of security architecture at OLPC (One Laptop per Child), the sleek new MacBook Air is one firmware upgrade away from being the only mainstream laptop that is resistant to the cold-boot encryption attack discussed recently by researchers at Princeton University and the EFF (Electronic Frontier Foundation).
The research report, released Feb. 21, calls attention to a design limitation in several widely used disk encryption technologies that could allow practical attacks against laptops in "sleep" or "hibernation" mode. It affects Microsoft's BitLocker (Windows Vista), Apple's FileVault (Mac OS X) and TrueCrypt and dm-crypt (Linux).
The research team found that in most computers, RAM contents will persist from several seconds to a minute even at room temperature and that cheap refrigerants like canned air spray dusters can be used to produce temperatures cold enough to make RAM contents last for a long time even when the memory chips are physically removed from the computer.
The researchers used homemade tools and programs to collect the contents of memory after the computers were rebooted, rendering the disk encryption technologies useless, especially when a laptop is turned on but locked, or in a "sleep" or "hibernation" mode when the cover is shut.
However, as OLPC's Krstic points out, the fact that Apple soldered the MacBook Air's 2GB of DDR2 SDRAM directly onto the motherboard means that the machine is highly resistant to the attack scenario of removing the chips from the computer.
"It means that if Apple released an EFI firmware update for the Air which zeroized the RAM contents at the beginning of every boot, the Air would become one of the only—if not the only—mainstream laptop featuring full-disk encryption that's highly-resistant to the troublesome Princeton attack," Krstic said.
Source: http://www.thefullwiki.org/MacBook_Air#Security
Due to its lack of an optical drive and user replaceable RAM, the MacBook Air provides moderate protection against a cold boot attack when coupled with software-based disk encryption technologies, and a firmware password.
On the other hand, devices that have sealed cases, memory that is soldered to the board, or other difficulties to getting there have a mitigation, in that it’s much harder to attack them. This includes encrypting disk drives, but it also includes the new MacBook Air, which is now arguably the most secure laptop there is.
-
Most secure laptop my ass. What about software layer attacks? Your machine can't be secure if the OS it runs gives you virtually no control over the underlying components that make up the OS and other application layers.
Systems like this provide some protection against thieves and other low-level threats, but there are plenty of zero-day flaws in iOS, OS X etc. that the feds or sophisticated "cyber criminals" can use to steal your FDE password (among other things) and there's very little you can do to mitigate them. Mac security software is crap, and does not provide proper low-level HIPS functionality to screen out unknown threats. What about hardware keyloggers?
Even if they did solder the RAM into the motherboard, it's still possible to remove it without too much difficulty if you know what you're doing. Just freeze the whole thing and carefully remove either the whole stick or the individual memory chips. If the computer can read the RAM, there's a way to get into it. There may even be a way to tap into it through the mobo itself, or through vulnerabilities in physical ports. Anyone remember the FireWire exploit that allows LE to gain complete access to your Windows PC as long as it's running?