Threat Watch | Cold Boot: Should New Attack on Encrypted Disks Change the Way Lawmakers Approach Disclosure Legislation ‘Safe Harbors’?

Last winter, researchers at Princeton University demonstrated how they could get data off encrypted disks by extracting the encryption key from RAM, even if the machine was password protected, in sleep mode or had just been powered down. Called the “cold boot” attack–in part for its use of sprayed canned air to slow down data decay–it has had security professionals breaking out in a cold sweat, and encryption vendors scrambling to create countermeasures. (To learn more about the attack, see CSOonline.com’s coverage, or read the original research from Princeton and McGrew Security Services and Research.)

But what about lawmakers? Of the 40 or so states that have passed legislation requiring organizations to notify citizens whose personal information has been compromised, most have established a “safe harbor” for encrypted information. Most of the competing breach notification bills under consideration at the federal level also have included a safe harbor for encrypted data. The theory is that if lost or stolen personally identifiable information had been encrypted, it hadn’t really been compromised, because it couldn’t be accessed. (To learn more, see CSOonline’s comprehensive series about laws and practices regarding data breaches.)

Of course, security experts have known all along that encryption isn’t fool-proof. But with all the new attention being paid to encryption vulnerabilities, will lawmakers change their tune about the safe harbor for encryption? It doesn’t appear likely.

“I haven’t heard anyone who is directly involved in the legislation raise that issue,” says David Sohn, senior policy counsel at the Center for Democracy and Technology, a public interest group focused on technology and civil liberties. Nor do any state legislatures seem to be interested in modifying their safe harbor provisions.

This disinterest is apparently the result of two things: the difficulty of getting such bills passed in the first place, and the unlikelihood of a real-world threat from a “cold boot” or similar attack.

The states that have passed data-breach notification laws have generally simply adapted the first data-breach disclosure law, passed in California, without a lot of differentiation. “I think enough of the state laws have followed similar patterns that at the moment, I don’t sense that companies that have to live with the laws are finding compliance with the various state laws to be impractical,” Sohn says.

The other consideration is simply that, as far as we know, no one has been hit yet with a “cold boot” attack. While the vulnerability is well demonstrated and a proof-of-concept utility from McGrew Security is widely available, the exploit still requires technical knowledge and the will to perform a rather involved procedure to get at the contents of the hard disk.

“Basically, the fact that it’s technically doable doesn’t mean it’s likely to happen,” says Tom Ruffolo, president of eSecurityToGo LLC, an Irvine, Calif., security and compliance consultancy. “The question is, what is the likelihood that a particular computer will be attacked with this [exploit]?”

According to Sohn and security researcher Wesley McGrew of McGrew Security, however, the “cold boot” attack does point out a weakness in the current laws and in the thinking of many companies: The data breach laws don’t specify what is needed to qualify as “encryption.” Theoretically, a company could encrypt its data with ROT13 and not have to notify consumers in the event of a breach. (ROT13 is a simple 13-character shift cipher sometimes used to hide the punch line of jokes in newsgroup messages. It’s about as secure as a paper mache padlock.) A better approach, they say, would be to specify some level of security needed to trigger the safe-harbor provision.

“You might want to include at least some kind of standard in there saying the data protection has to be strong enough to provide significant protection,” Sohn says. “You wouldn’t have to get real specific [in the bill.]”

Says McGrew: “I believe that, at the least, regulations should require a set of ‘secure practices’ to go along with encryption requirements, to ensure that the encryption technologies are being used in the safest possible way.”

Regardless of the compliance implications, McGrew says organizations should be sure to understand the level of protection that their disk-encryption products provide. “In the short-term, I think it’s important for enterprises and users to ask questions about the encryption products they’re using,” he says. “Does this product erase the key from memory when I suspend or hibernate my laptop? The answer should be ‘yes.’ Questions should also be asked about the way the laptops are used: Do I leave my laptop unattended while encrypted file systems are open? The answer should be ‘no.'”

Rick Cook is a freelance writer based in Phoenix.