updated 10:10 am EST, Fri February 22, 2008
FileVault RAM hack
Apple's FileVault is among the encryption technologies that may expose their secrets in RAM, suggests a paper produced at Princeton University. Through several experiments, computer scientists with Princeton discovered that many computers leave encryption data in RAM during two vulnerable states: powering down and rebooting. While accessing data after power-down requires super-cooling the RAM and transferring it to another machine for examination, the reboot phase may be more easily exploitable.
During this phase, Princeton researchers were able to use small kernel files to help salvage memory and dump it to permanent storage, in some cases using USB drives or a netboot infrastructure. From there it was possible to extract temporary decryption information, compensating for errors by relying on some of the common behaviors of encryption software.
Aside from FileVault, other encryption formats that were cracked included TrueCrypt, dm-crypt, and Windows Vista's BitLocker. Researchers managed to crack and mount a BitLocker volume in 25 minutes. FileVault did not fare much better, however: it was not only broken but also revealed multiple copies of the login password.
At present, no easy fix for the vulnerability is available. It is suggested, in fact, that computers will need either new hardware or a radically different encryption scheme, and even these could merely make an attack more difficult.