You can never rely on encryption

Like most people in Ireland I listened to the story of how the Irish Blood Transfusion Service (IBTS) had a laptop stolen in New York with the details of 171,000 blood donors on it, not least because, as a blood donor, there is a good chance some of my data is involved.

The IBTS has said that

The records were on a CD that was encrypted with a 256 bit encryption key. These records were transferred to a laptop and re-encrypted with an AES 256 bit encryption key. This represents one of the highest levels of security available and to our knowledge there is no record of a successful attack against this level of encryption.

Unfortunately, people who were relying on Apple’s FileVault, or Window’s Bitlocker encryption software to keep their data secure, were probably equally satisfied with that AES encryption until yesterday when a group from Princeton demonstrated how that encryption could be broken with a bit of liquid nitrogen!

The IBTS justified the fact that people’s personal information was in New York because the IBTS are updating their software and wanted to bring live data with them with which to test the new software. Why it didn’t occur to them to obfuscate the information which could identify people I really can’t understand. You can never rely on encryption alone.

12 thoughts on “You can never rely on encryption”

  1. You’re being totally alarmist here. The reported vulnerability really has nothing to do with the loss of donor data in this case.

    Look at the details of the attack – the window in which it has to occur is tiny. Somehow I doubt the thief chilled the DRAM and extracted the data within a few minutes.

    Now you might have reason to be concerned if the laptop was switched on, unlocked and the crypto keys had been entered when it was taken. Some casual snooping could lead to the data.

  2. Very true. I don’t understand why simple common sense measures are not taken. I get the same feeling as when a character in a movie is obviously setting themselves up for disaster. They would never to that in real life… Hmm., then again maybe they would 😦

  3. What concert me is that a group from Princeton University call it “simple method” to steal encrypted information stored on computer hard disks.
    I do not think that it is simple method to cool the chips in liquid nitrogen (-196 °C) and then put the chips back into a machine to read out their contents. But… it is good to know that increased the security of modern personal computers, does not appear to stop the potential attacks and that computer security experts are now on the move to make things better and more secure.

  4. Ip Address – It was simple. They didn’t need a lab or any fancy equipment. The cooling was done using a simply canister you can buy at any electronics or many other stores (they used the same spray canisters you use to blow dust out of your computer or keyboard). They lowered the temp to -50 degrees centigrade, not -192.

    Once cooled, they could then remove the memory chip and simply drop it into another system. Nothing complex here. After that they could use any of a number of freely available utilities to do a memory dump and then look for an area of high entropy – basically a memory segment that looked like a series of random numbers. Not very difficult considering that you could easily eliminate all the areas that the computer instructions (program) use because instructions aren’t random. Program data is also usually not random (unless generated for games (to vary game play) or for some other program related purpose). Data is otherwise very structured.

    Anyone skilled enough to understand assembly and hardware savvy enough to take a machine apart enough to access the ram would be able to pull this off. Which boils down to almost any computer science grad or half-baked hacker.

    However, since this is a recent exploit, it’s likely that the blood donor data was safe from attack. Ultimately, this wasn’t an attack on any of the encryption algorithms but is a “side-channel” attack. You can’t break the encryption, so you just go around it. Kind of like recording a blue-ray dvd to an analog device. But in this case, you don’t really get any signal degredation.

  5. I’m very very angry. I received a letter from the IBTS today telling me that my information was on that laptop.

    I did not give permission to IBTS to use my personal details in any way.

    I am also concerned that although the details are supposedly encrypted there is clearly such lax protection of this data that the passwords are probably stored in email on the damn laptop.

  6. the AES-type 256 bit encryption is a red herring; if Mitnick were confronted with this he’d look for the post-it with the password – probably in the laptop case.

  7. I’ve written a letter to the Chief Executive of the IBTS with a number of questions. One of the questions asks specifically if the password was stored anywhere else.

  8. If the file was encrypted on the laptop then it was unencrypted at some stage. That would imply there would be info left over in the swapfile or somewhere else that may not be encrypted.

    Alternatively, maybe they are saying that file is not specifically encrypted but the laptop hard disk is protected with 256 AES.

    In either scenario, the encryption is as weak as the password. The letter says that “the code on this laptop is thirty five characters”. Is that potentially or in reality? If the actual password is 5 or 6 characters then it can be easily brute-force cracked. If it is longer it may be vulnerable to a dictionary attack. If it is a random 35 alphanumeric characters then it is presumably written down somewhere.

    Unless the user has a very good memory for random alphas the only hope would be an obfuscated passphrase like “Shou1dnt 68 5hare-tHis_*&$ing_data!”

  9. Very true. I don’t understand why simple common sense measures are not taken. I get the same feeling as when a character in a movie is obviously setting themselves up for disaster. They would never to that in real life… Hmm., then again maybe they

  10. Laptop theft related data breach is happening at an alarming rate.
    News like this should make any organization nervous if they don’t have any sort of end point data protection in place.

Comments are closed.