Threat Watch | Cold Boot: Should New Attack on Encrypted Disks Change the Way Lawmakers Approach Disclosure Legislation 'Safe Harbors'?
Recent research from Princeton, McGraw Security Services illustrates how the lack of encryption specifications in legislation could put consumer data at risk.
By Rick Cook
April 04, 2008 — CSO —
Last winter, researchers at Princeton University demonstrated how they could get data off encrypted disks by extracting the encryption key from RAM, even if the machine was password protected, in sleep mode or had just been powered down. Called the "cold boot" attack--in part for its use of sprayed canned air to slow down data decay--it has had security professionals breaking out in a cold sweat, and encryption vendors scrambling to create countermeasures. (To learn more about the attack, see CSOonline.com's coverage, or read the original research from Princeton and McGrew Security Services and Research.)
But what about lawmakers? Of the 40 or so states that have passed legislation requiring organizations to notify citizens whose personal information has been compromised, most have established a "safe harbor" for encrypted information. Most of the competing breach notification bills under consideration at the federal level also have included a safe harbor for encrypted data. The theory is that if lost or stolen personally identifiable information had been encrypted, it hadn't really been compromised, because it couldn't be accessed. (To learn more, see CSOonline's comprehensive series about laws and practices regarding data breaches.)
Of course, security experts have known all along that encryption isn't fool-proof. But with all the new attention being paid to encryption vulnerabilities, will lawmakers change their tune about the safe harbor for encryption? It doesn't appear likely.
"I haven't heard anyone who is directly involved in the legislation raise that issue," says David Sohn, senior policy counsel at the Center for Democracy and Technology, a public interest group focused on technology and civil liberties. Nor do any state legislatures seem to be interested in modifying their safe harbor provisions.
This disinterest is apparently the result of two things: the difficulty of getting such bills passed in the first place, and the unlikelihood of a real-world threat from a "cold boot" or similar attack.
The states that have passed data-breach notification laws have generally simply adapted the first data-breach disclosure law, passed in California, without a lot of differentiation. "I think enough of the state laws have followed similar patterns that at the moment, I don't sense that companies that have to live with the laws are finding compliance with the various state laws to be impractical," Sohn says.
The other consideration is simply that, as far as we know, no one has been hit yet with a "cold boot" attack. While the vulnerability is well demonstrated and a proof-of-concept utility from McGrew Security is widely available, the exploit still requires technical knowledge and the will to perform a rather involved procedure to get at the contents of the hard disk.