PGP Blogs

It’s been really interesting watching the variety of reactions to the announcement two weeks ago that a Princeton based team had found a way to extract data (including encryption keys) from laptops even when they are supposedly “off”.

A few things really strike me about the Cold Boot Attack announcement:

First, this was an exceptionally good piece of research by the Princeton team. We’ve known for some time that approaches like this could work in theory, but prove it can work in practice and so predictably is quite an accomplishment.

Second, I think the overall computer security community has handled the announcement calmly and professionally. With few exceptions no one in the customer or research community has claimed the sky is about to fall and conversely very few vendors have tried to claim immunity to the threat.

What is bothersome is that some security vendors have been silent on the topic which serves no one’s interests. Problems like these are only solved through extensive public discussion. It is a well-known tenet of data security that there is no such thing as good security based on obfuscation. Only by illuminating these issues in the light of day and examining all of the potential solutions are world class security solutions developed.

In accordance with this philosophy, PGP Corporation publicly disclosed that some of our products might be vulnerable to this type of attack and recommended workarounds to mitigate the attack as described by the Princeton team. While most other affected vendors have taken a similar tack, I’m surprised to see that several who should know better are not being completely candid with their customers about the potential vulnerabilities they face.

PGP Corporation is committed to empowering customers to protect their information from this and all other types of breaches. To that end we have begun working with some of the hardware vendors to leverage PGP® developed technology that is showing promise in defeating a Cold Boot Attack approach. While it will take some time to validate the effectiveness of this mitigation strategy, we believe our technique has the potential to secure keys in DRAM even when a laptop is powered on.

Finally, I think one of the most intriguing parts of the Cold Boot Attack story is the blended nature of the attack. This is fundamentally an attack on hardware that has the effect of compromising many types of security software. While it was a group of smart researchers that developed this attack, you just know it’s caused wheels to turn in criminal minds globally. This certainly won’t be the last of this class of attacks we’ll see this year and I predict at least some of the copy-cat attacks will drive indictments, not press releases.

- Phil