Information Security Advisory ITS Security Office – BGSU 2/29/2008
Laptops can contain sensitive information that can be intercepted while the laptop is in sleep or hibernation mode. Some refer to this as a “Cold Boot Attack.”
Systems Affected
Operating systems: Windows XP, Vista, Mac OS X, Linux; others likely.
Computer models: Many laptops & desktops appear to be vulnerable by design.
Encryption: BitLocker, TrueCrypt, FileVault & PGP are likely vulnerable.
Research by Princeton University is ongoing.
Overview
Recent research discovered that Random Access Memory (RAM) does not reset quickly when power is removed, and its contents can remain for long periods at low temperatures. Laptop power saving modes such as sleep, or a “deeper sleep” mode known as hibernate, can also preserve the contents of RAM for extended periods. These contents can include, but are not limited to, passwords, sensitive information or encryption keys. Physical access to the system can reveal this information to an attacker, even in a very short amount of time. Methods to keep RAM at low temperature for longer periods of time are inexpensive, and software to gather memory contents is easy to use.
Description
Research by security experts at Princeton discovered that the contents of Random Access Memory (RAM) do not necessarily erase quickly when the power is turned off. During power saving modes such as sleep or hibernate, RAM may contain passwords, sensitive information or possibly encryption keys.
It is important to note that this appears to be a hardware design oversight and can potentially affect multiple computers, operating systems and related information technology equipment, including desktop systems. The research found that contents of memory can stay resident in RAM for long periods of time, and that the memory can even be removed and placed into another computer to capture its contents.
Research will continue and this advisory will be updated as necessary.
Impact
Loss of sensitive information and circumvention of protection technologies such as encryption and passwords. Attacks can occur quickly and may be undetected by the laptop user.
Solutions
Consider powering down the laptop when not in use, and maintain physical security of laptops at all times.
PGP – Encryption keys for Whole Disk Encryption (WDE) can be intercepted in sleep mode, although hibernation mode removes the keys from RAM (according to PGP Corp.). In addition, PGP recommends that users unmount PGP virtual disks before sleep or hibernation mode. This prevents unauthorized access to sensitive information contained in the virtual disks, even if the laptop is accessed in these modes. For more information, go to:
PGP response to Cold Boot Attack
Other recommendations
PGP users and other users of encryption should disable the “caching of encryption keys,” which loads the encryption password into memory.
Power down the laptop when leaving the office or before presenting the laptop when crossing country borders.
Additional Information
Center for Information Technology Policy – Princeton University – Research website with more info, video & initial report. Lots of information here.
Disk encryption may not be secure enough, research finds – CNet.com 2/21/08
DISCLAIMER: Information Security Advisories and related resources provide technical and administrative advice to protect sensitive information
on the University network and to help BGSU comply with regulations pertaining to information security. Failure to comply
with these advisories may directly or indirectly increase the risk of exposure or compromise of sensitive University information.
These advisories and resources do not provide legal advice – contact the BGSU Office of General Counsel or other appropriate
legal advisor for interpretations of regulations.