Home-grown scanner mimics Princeton's "cold-boot" tool

A scanning tool similar to the one a Princeton University research team built last month to recover encryption keys from "cold-booted" DRAM has been publicly released by McGrew Security, a research firm.

“The Princeton tool does essentially two things: It is a bootable USB that would copy the contents of memory and RAM of any system it was booted on, and [it] also has software to pull down encryption keys out of memory,” Securosis analyst Rich Mogull told SCMagazineUS.com on Wednesday. “The tool Wesley McGrew released is a bootable USB. It only does the first part, not the second part.”

Princeton computer science professor Edward Felten and a group of graduate students made headlines last month when they successfully recovered data from DRAM chips that had been chilled and then removed from a powered-down PC; chilling slows the decay of DRAM contents after power is cut, so the chips still held most of what the machine had been using. The team then used its own custom-made scanner to locate and recover the encryption keys held in the retained memory contents.
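How the second step, pulling AES keys out of a memory dump, can work, as an added illustration that is not code from the Princeton team or from McGrew Security: the script below treats every 16-byte window of a memory image as a candidate AES-128 key, expands it under the FIPS-197 key schedule, and reports windows whose expansion matches the 160 bytes that follow, allowing a small error budget for decayed bytes. The 4 KiB image, the planted key (the FIPS-197 test key), the plant offset and the error budget are all constructed for the example.

```python
"""Scan a raw memory image for AES-128 key schedules.

Added illustration, not the Princeton keyfind tool or McGrew's dumper: an
in-use AES key is normally kept in RAM together with its expanded key
schedule, so a 16-byte candidate whose FIPS-197 expansion matches the 160
bytes that follow it (within a small error budget, to tolerate bit decay)
is almost certainly a live key.  SAMPLE_IMAGE below is a constructed image.
"""
import random


def _xtime(b):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    return ((b << 1) & 0xFF) ^ (0x1B if b & 0x80 else 0)


def _make_sbox():
    """Build the AES S-box from scratch: GF(2^8) inverse, then the affine map."""
    exp = [0] * 255                     # exp[i] = 3**i; 3 generates GF(2^8)*
    x = 1
    for i in range(255):
        exp[i] = x
        x = _xtime(x) ^ x               # x *= 3
    log = {v: i for i, v in enumerate(exp)}
    sbox = [0] * 256
    for v in range(256):
        inv = 0 if v == 0 else exp[(255 - log[v]) % 255]
        s = inv
        for r in range(1, 5):           # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            s ^= ((inv << r) | (inv >> (8 - r))) & 0xFF
        sbox[v] = s ^ 0x63
    return sbox


SBOX = _make_sbox()


def _key_schedule_words(key):
    """Yield (index, word) for words 4..43 of the AES-128 key schedule."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:                  # RotWord, SubWord, Rcon on every 4th word
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
        yield i, w[i]


def expand_key(key):
    """Full 176-byte AES-128 key schedule (FIPS-197 section 5.2)."""
    out = bytearray(key)
    for _, word in _key_schedule_words(key):
        out.extend(word)
    return bytes(out)


def find_aes128_keys(image, max_bad_bytes=8):
    """Return (offset, key, mismatched_bytes) for every plausible schedule.

    Every offset is tried as a candidate key; expansion is abandoned as soon
    as the error budget is exceeded, so random data is rejected after a few
    words and the scan stays linear in the image size.
    """
    hits = []
    for off in range(len(image) - 176 + 1):
        bad = 0
        for i, word in _key_schedule_words(image[off:off + 16]):
            observed = image[off + 4 * i:off + 4 * i + 4]
            bad += sum(1 for a, b in zip(word, observed) if a != b)
            if bad > max_bad_bytes:
                break
        else:
            hits.append((off, bytes(image[off:off + 16]), bad))
    return hits


# FIPS-197 Appendix A.1 test key; its expansion is a known answer.
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def build_sample_image(key=FIPS_KEY, offset=1000, size=4096):
    """Constructed image: pseudo-random filler with one key schedule planted
    in it and three round-key bytes corrupted to mimic bit decay (the key's
    own 16 bytes are left intact; offset and size are arbitrary choices)."""
    rng = random.Random(1234)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    sched = bytearray(expand_key(key))
    for pos, mask in ((40, 0x10), (97, 0x01), (170, 0x80)):
        sched[pos] ^= mask
    image[offset:offset + 176] = sched
    return bytes(image)


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    for off, key, bad in find_aes128_keys(SAMPLE_IMAGE):
        print(f"AES-128 key at 0x{off:x} ({bad} decayed bytes): {key.hex()}")
```

The scan finds the planted key with its three decayed round-key bytes because the redundancy of the schedule makes a chance match of 160 bytes implausible. It only tolerates decay in the round keys, though: if bits of the 16 key bytes themselves have flipped, the candidate is wrong and its expansion diverges, and recovering such keys needs the error-correcting reconstruction the Princeton paper describes, which uses the schedule's redundancy to vote on each key bit.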

McGrew decided to create his own RAM dumping program because he was intrigued by the Princeton tool and wanted to experiment with the concept, he told SCMagazineUS.com.

“I had experimented with recovering data from RAM before – about a year ago when it first came to my attention that RAM had this little-known property,” he said. “When I read the Princeton paper, I saw that they got around this by making their memory dumper a small SysLinux plug-in. I thought this was a great idea, so I used the information from their paper and video to put together my own quick-and-dirty implementation.”

McGrew acknowledged that he has not yet done any testing to recover keys for encryption software, but he did not rule it out in the future. Nor does he think he has handed cybercriminals a new tool.

“Serious attackers with the motivation to perform this kind of attack have the skill to develop this tool independently,” he said. “In contrast, the legitimate uses for this tool far outweigh the negatives. Other security researchers can use it as a starting place for further research into the same techniques the Princeton researchers published, and other ways of analyzing memory dumps for vulnerabilities.”

However, Mogull expressed concern at how quickly the Princeton work was replicated and said organizations must remain vigilant about protecting the encryption keys held in DRAM from attacks of this kind.

He has said in a blog post that the most effective way to deter the attack is to power computers down completely rather than leave them in sleep mode, which keeps RAM powered and the keys resident.

“I don't see this as anything to panic about today,” Mogull said. “But I do see this as somebody basically rang a bell on this, and we need to pay much more attention.”
