Olle Segerdahl, F-Secure Pasi Saarinen, F-Secure A decade ago, academic researchers demonstrated how computer memory remanence could be used to defeat popular disk encryption systems[1]. Today, most seem to believe that these attacks are too impractical for real world use. Microsoft has played down the threat of memory remanence attacks against BitLocker using words such as "they are not possible using published techniques"[2]. We will show techniques that allow recovery of BitLocker encryption keys from RAM on most, if not all, currently available laptops and tablets. These techniques allow bypassing of security controls such as password protected BIOS configuration, UEFI-based Secure Boot and the TCG Platform Reset Attack Mitigation by directly manipulating the firmware storage device (EFI SPI flash chip). [1] https://www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf [2] https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/choose-the-right-bitlocker-countermeasure

1. AN ICE-COLD BOOT TO
BREAK THE BITLOCKER
Olle Segerdahl & Pasi Saarinen

2. WHOWEARE
§ Olle Segerdahl
§ Principal Security Consultant
§ Background in verifying security of
cryptographic products
§ Pasi Saarinen
§ Technical Security Consultant
§ Worked with 5G security & formal
protocol verification methods

3. THEASSIGNMENT

4. ATTACKTREE
Out of scope
Too hard?
Soldered to device
DMA protections
Prio 2

5. ATTACK ON OS
OR
COLD BOOT

6. COLDBOOTATTACK
§RAM contains secrets when OS is booted
§Secrets remain some time after power is lost
§ Cooling RAM increases retention time
§Two possible approaches:
§ Remove memory module and read on other machine
§ Leave memory in place and boot dumping software

8. TIMOSWORK

10. MEMORY WIPED!

16. TCGPLATFORMRESET
ATTACKMITIGATION

17. TCGPLATFORMRESET
ATTACKMITIGATION

18. TCGPLATFORMRESET
ATTACKMITIGATION

19. WESHOULDTRYTHAT...

22. DEMO?

24. CAVEAT:
BOOTEDMACHINEREQUIRED
(Encryption keys have to be in memory to be stolen!)

27. BUT,BUT,BUT…
§ I have Secure Boot with TPM enabled!
§ You can’t boot from USB on my machine!
§ Surely my BIOS password will save me?
§ Ha! My laptop has tamper switches!

28. SECUREBOOT
§Only allows EFI programs signed by Microsoft to run
§Linux uses a ”Shim” bootloader signed by Microsoft
§Allows manual enrollment of whitelisted EFI programs

30. BOOTORDER
§Boot order is locked down in BIOS settings!
§Change boot order through changing EFI variable ”BootOrder”
§Re-enable disabled boot options by modifying EFI variables
§Replace allowed boot device (physical access, remember?)

31. BIOSPASSWORD
§BIOS or EFI Setup is password protected!
§Modifying firmware can clear or bypass password!
§Many PC vendors have a backdoor -
http://bios-pw.org/

33. TAMPERDETECTION
§Aha! My laptop has hardware tamper switches!
§Know the hardware you are working with,
google for teardowns and ebay listings!
§All switches we have seen are easily bypassable…

35. BIOSSECURITYSETTINGS?
Also depend on integrity of
firmware or firmware settings…
… which can be manipulated!

36. SUMMARY
§ Device encryption depends on integrity of firmware code and settings
§ Physical attacks on firmware can bypass existing security features
§ Existing mitigations not enough to protect against cold boot attacks

37. Today:
Sleep mode is vulnerable mode!

38. VENDORRESPONSE
Physical (open chassis) attacks are currently
listed as out of scope for the TCG specification.

39. RECOMMENDATIONS
For all organisations:
§Keep firmware up to date on all devices!
§Use existing mitigations (secure boot, firmware password, etc.)
§Make sure response procedures work, invalidate credentials, etc.
§Be wary of lost devices that are ”found” a while later…
§Conduct impact assessment of disk encryption breach scenario

40. RECOMMENDATIONS
If justified by the impact assessment:
§Pre-boot TPM+PIN and aggressive hibernation policy
§Evaluate effectiveness of firmware integrity protections
§Consider adding physical tamper resistance measures