Got an hour to spare? Computer forensics firm Passware claimed recently that its latest software toolkit cracks Apple’s FileVault full-disk encryption (FDE) platform in less than sixty minutes. The company further reported its toolkit could unlock volumes encrypted by TrueCrypt and BitLocker.
Passware just made it simpler to capture the live memory contents of a computer equipped with a FireWire port (or any port for which a FireWire adapter is available). Once captured, the toolkit analyses the memory dump and extracts the encryption keys – thereby providing full access to all contents on the hard drive. Passware markets its new toolkit to legitimate users in government, law enforcement and military organisations. But anyone willing to shell out $995 can purchase an edition.
The toolkit performs a FireWire attack, which is not a particularly new threat to computers equipped with a FireWire interface. The interface was specifically designed to grant Direct Memory Access (DMA) for high-speed video transfers. It didn’t take long for hackers to recognise that FireWire ports impose no authentication or OS control once a device is connected, which means the ports leave internal memory susceptible to external attack.
Passware’s toolkit attack on encryption keys can achieve the same result as a “Cold Boot” attack, without the need to dismantle the computer or chill the memory. The attack delivers in minutes what a brute-force attack on the AES-256 encryption algorithm would take thousands of years to achieve.
This vulnerability is inherent in the design of the FireWire protocol and cannot be “fixed” by the stack provider. But the threat can be eliminated by other means. First, any well-implemented self-encrypting drive (SED) management product neither needs nor allows the keys to leave the encrypted drive at all. So even if a hacker attacks through FireWire or a Cold Boot attack, the keys remain inaccessible.
Second, a kernel-level port control product can block the FireWire port entirely against all devices, even those connected prior to machine boot. It can also restrict the port to allow only specifically authorised devices to connect, and thus retain a high data security level while maintaining user productivity.
Third, exposure to FireWire attacks can be reduced by software encryption products that erase temporarily held keys from memory whenever a user logs out or hibernates the machine.
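As an added example, not Passware’s software or any product’s code: a POSIX shell audit of the Linux modprobe.d equivalent of the kernel-level port control described above, checking whether the FireWire (IEEE 1394) driver modules are hard-disabled rather than merely blacklisted. The module names are the real Linux ones; the sample configuration files are constructed, and the directory to audit is an assumed argument.

```shell
#!/bin/sh
# Added example (not Passware's or any vendor's code): audit a modprobe.d
# directory to see whether the Linux IEEE 1394 (FireWire) kernel modules are
# disabled, the do-it-yourself form of kernel-level port control.
# Assumes the directory to audit is passed as $1 (e.g. /etc/modprobe.d).
# Caveat: this only covers drivers built as modules; drivers compiled into
# the kernel are not affected by modprobe.d at all.

# Exit 0 only if every FireWire module has an "install <mod> /bin/false"
# (or /bin/true) override. A bare "blacklist <mod>" line only stops alias
# based autoloading; "modprobe <mod>" still succeeds, so it is reported
# as weak and the function returns 1.
audit_firewire_modprobe() {
    dir="$1"
    status=0
    for mod in firewire_ohci firewire_core firewire_sbp2; do
        pat=$(printf '%s' "$mod" | sed 's/_/[-_]/g')   # modprobe treats - and _ alike
        if grep -Eqs "^[[:space:]]*install[[:space:]]+$pat[[:space:]]+/bin/(false|true)" "$dir"/*.conf; then
            echo "$mod: install override (hard disabled)"
        elif grep -Eqs "^[[:space:]]*blacklist[[:space:]]+$pat([[:space:]]|\$)" "$dir"/*.conf; then
            echo "$mod: blacklisted only (explicit modprobe still loads it)"
            status=1
        else
            echo "$mod: NOT disabled"
            status=1
        fi
    done
    return $status
}

# Constructed sample configs (not copied from any real host), written to a
# temp dir so the audit can be exercised offline. Prints the temp dir path.
make_sample_confs() {
    d=$(mktemp -d)
    mkdir -p "$d/hardened" "$d/weak"
    printf 'install firewire-ohci /bin/false\ninstall firewire-core /bin/false\ninstall firewire-sbp2 /bin/false\n' \
        > "$d/hardened/firewire.conf"
    printf 'blacklist firewire-ohci\n' > "$d/weak/firewire.conf"   # controller driver only
    echo "$d"
}

SAMPLES=$(make_sample_confs)
for sample in hardened weak; do
    echo "== $sample =="
    audit_firewire_modprobe "$SAMPLES/$sample" \
        || echo "-> DMA exposure remains; keys held in RAM are still reachable"
done
rm -rf "$SAMPLES"
```

On a real host, run `audit_firewire_modprobe /etc/modprobe.d`; a clean result still says nothing about FireWire controllers whose drivers are built into the kernel, which need the port physically or firmware-disabled instead.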
The fact that Passware’s software is designed to provide legal access for forensics teams does not mean it can’t be put to illegal use by a criminal. Heeding Passware’s warning to consumers and protecting your FireWire-enabled machine against such illegal attacks is only sensible.