Laptop boot passwords vulnerable to attack
Pre-boot authentication mechanisms, designed to prevent a stolen or lost machine from being booted, may allow an attacker to recover the password. An advisory by security provider iViZ Techno Solutions claims that current hard disk encryption tools and boot managers exhibit a vulnerability which allows attackers to retrieve users' passwords. The tools apparently fail to delete the plain text character strings stored in memory after a password has been processed. The affected products are mostly those which use BIOS functions for pre-boot password authentication.
If a program itself doesn't delete it, the password will remain at memory address 0x40:0x1e until the computer is switched off. However, potential attackers need physical access to the computer to retrieve the password after it has been entered and the computer has booted. This considerably limits the relevance of such an attack, as in this case the attacker already has full access to the user's data, operating system and applications. Attacks only become interesting if a trojan retrieves the password and the attacker subsequently steals the laptop. Attackers could also exploit a known password if the same password is used for other services or for encrypting emails.
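As an added illustration of the residue described above (not code from the original article or from the iViZ advisory), this C program models the BIOS Data Area keyboard ring buffer in a host-side array: handing out keys the way INT 16h does only advances the head pointer, so the typed password stays in memory until something overwrites it, and bda_wipe shows the clearing step a boot loader would add after reading the password. The head and tail offsets 0x1A/0x1C and the ring end 0x3E are the standard BIOS Data Area layout; the scan codes and the sample password are constructed.

```c
#include <stdint.h>
#include <string.h>
/* Host-side model of the BIOS Data Area keyboard ring (constructed, not BIOS
 * code). On a PC the ring is 0x40:0x1E..0x3D, 16 two-byte entries of ASCII +
 * scan code; the head/tail words at 0x40:0x1A and 0x40:0x1C are offsets in segment 0x40. */
#define KB_START 0x1E
#define KB_END   0x3E
#define KB_BYTES (KB_END - KB_START)
typedef struct { uint16_t head, tail; uint8_t buf[KB_BYTES]; } bda_kbd_t;
static uint16_t ring_next(uint16_t off) { off += 2; return off >= KB_END ? KB_START : off; }
static void bda_init(bda_kbd_t *k) { memset(k, 0, sizeof *k); k->head = k->tail = KB_START; }

/* Keyboard interrupt side: append one keystroke, dropping it when the ring is full. */
static int bda_push_key(bda_kbd_t *k, char ascii, uint8_t scan) {
    uint16_t next = ring_next(k->tail);
    if (next == k->head) return 0;
    k->buf[k->tail - KB_START] = (uint8_t)ascii;
    k->buf[k->tail - KB_START + 1] = scan;
    k->tail = next;
    return 1;
}

/* INT 16h AH=00h side: hand out the next key by advancing head only.
 * The bytes stay in place; that is the residue the advisory describes. */
static int bda_pop_key(bda_kbd_t *k, char *ascii) {
    if (k->head == k->tail) return 0;
    *ascii = (char)k->buf[k->head - KB_START];
    k->head = ring_next(k->head);
    return 1;
}

/* Mitigation for a boot loader or BIOS: once the password is consumed, overwrite the
 * whole ring through a volatile pointer (so the stores survive optimisation) and reset head/tail. */
static void bda_wipe(bda_kbd_t *k) {
    volatile uint8_t *p = k->buf;
    for (size_t i = 0; i < KB_BYTES; i++) p[i] = 0;
    k->head = k->tail = KB_START;
}

/* Type pw, read it back as a pre-boot prompt would, optionally wipe, and return
 * how many password bytes remain readable in the ring afterwards. */
static size_t password_residue(const char *pw, int wipe) {
    bda_kbd_t k; char c; size_t i, left = 0;
    bda_init(&k);
    for (i = 0; pw[i]; i++) bda_push_key(&k, pw[i], (uint8_t)(0x10 + i)); /* scan codes constructed */
    while (bda_pop_key(&k, &c)) { }          /* consume the password like a prompt routine */
    if (wipe) bda_wipe(&k);
    for (i = 0; pw[i] && 2 * i < KB_BYTES; i++) left += k.buf[2 * i] == (uint8_t)pw[i];
    return left;
}
```

Without the wipe every byte of an 11-character password is still readable from the ring after the prompt has finished with it; with the wipe none is.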
Affected products include Microsoft BitLocker, Lilo, Grub, DriveCrypt, TrueCrypt and DiskCryptor, as well as BIOSes from IBM, Lenovo and Hewlett Packard. Vendors informed by iViZ responded in different ways. According to the advisory, Microsoft resolved the problem with Service Pack 1 for Vista, while the developers of Lilo and Grub apparently didn't react at all. Various Linux distributors are said to have started developing their own solutions. The IBM, DriveCrypt and DiskCryptor developers have not responded. Intel and Hewlett Packard, on the other hand, have acknowledged the problem and are said to be working on a solution. The authors of TrueCrypt are said to have denied the existence of the problem; however, this could be because iViZ tested version 5.0 and not the current version 6.0a of TrueCrypt.
See also:
- Security Advisories, list of iViZ security advisories
- Bypassing pre-boot-authentication passwords by instrumenting the BIOS Keyboard buffer, PDF of white paper by iViZ
(trk)