MINNEAPOLIS, March 10, 2008 — LuciData Inc., a leading provider of internal threat management, e-discovery and computer forensic investigative services and solutions, today announced that it has determined that companies that deploy full disk encryption without pre-boot authentication leave the encrypted machine open to Windows-based vulnerabilities.
While encryption can be a secure solution for data at rest when properly deployed, the default configuration many companies use leaves them vulnerable to a very simple attack that effectively gives complete administrative control of the machine to anyone with physical access.
This simple attack takes advantage of the FireWire protocol and its ability to directly access and modify the RAM of a target machine with a FireWire port installed. Using a simple and readily available forensics software tool, it is possible to connect a FireWire cable to a computer, and within seconds bypass the Windows authentication and log in as a local administrator.
LuciData first tested this theory with a Pointsec encrypted drive. This attack is made possible because the computer boots directly into Windows without first asking for a Pointsec ‘pre-boot authentication’ password. Normally, with whole disk encryption, a user is required to enter a password immediately upon turning the machine on. That password is what unlocks the decryption key and allows the rest of the operating system to load and execute. This FireWire attack would not be successful in that case, because the attack requires that Windows already be up and running. On a properly configured encrypted computer, a stolen system that is powered off would be well protected from unauthorized access and from this type of attack.
While the long term implications of this attack have not yet been fully investigated, the most immediate recommendation is for companies using any full disk encryption to redeploy their whole disk encryption solution so that pre-boot authentication is enabled. This would mitigate the ability to compromise computers via FireWire from a cold boot, because the operating system would not load without a correct pre-boot password being entered.
Summary and Recommendation
Pointsec is only mentioned because that is what LuciData tested this theory with; however, all full disk encryption products set up to bypass pre-boot authentication could be vulnerable. It is important to note that once booted into Windows, even a computer with pre-boot authentication enabled will be vulnerable to this FireWire attack.
LuciData recommends physically disabling or removing FireWire ports with a device control solution in order to completely remove the risk of this type of attack.
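As an added example that is not part of the LuciData release, the following PowerShell script is a software counterpart to the "disable or remove FireWire ports" recommendation: it audits, and with -Disable turns off, the IEEE 1394 host controllers and SBP-2 devices on a Windows host. It assumes a Windows version with the PnpDevice module (Windows 8.1 or later) and an elevated session; the script name and the -Disable switch are this example's own choices.

```powershell
# Added example, not LuciData's code: audit and optionally disable FireWire
# (IEEE 1394) host controllers and SBP-2 devices on a Windows machine.
# Assumes Windows 8.1+ with the PnpDevice module; run from an elevated prompt.
# Usage: .\Audit-FireWire.ps1            # report only
#        .\Audit-FireWire.ps1 -Disable   # report, then disable active devices
[CmdletBinding()]
param(
    [switch]$Disable
)

# Setup class "1394" covers IEEE 1394 host controllers; "SBP2" covers devices
# using the SBP-2 protocol, which is what gives an attached device direct
# access to system memory.
$devices = Get-PnpDevice -Class '1394', 'SBP2' -ErrorAction SilentlyContinue

if (-not $devices) {
    Write-Output 'No FireWire (1394/SBP2) devices present.'
    return
}

foreach ($dev in $devices) {
    Write-Output ('{0,-6} {1,-8} {2}' -f $dev.Class, $dev.Status, $dev.FriendlyName)
    # Only devices that are currently active ("OK") need to be disabled.
    if ($Disable -and $dev.Status -eq 'OK') {
        Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
        Write-Output ('  disabled {0}' -f $dev.InstanceId)
    }
}
```

A disabled device can be re-enabled by a local administrator, so this complements, rather than replaces, physical removal or an enforced device control policy.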
For questions, please contact LuciData, Inc. at: info@lucidatainc.com or (866)-LUCIDATA.
About LuciData, Inc.
LuciData is a trusted Internal Threat Management, Computer Forensic and eDiscovery company servicing SMB and Enterprise clients, across all verticals. With 40 years combined experience in data forensics and internal threat management, LuciData clearly understands the intricacies involved in recommending and preparing the best solution set for each client’s particular needs. From incident prevention techniques to reactive forensic investigations and litigation preparation, LuciData’s ethical professionals are here to ensure that corporate intellectual property, brand and reputation remain intact. LuciData is available on the World Wide Web at www.lucidatainc.com.