29C3: successful attack on encrypting hard drives
Attackers can read data with little effort even from self-encrypting drives (SEDs). At the Chaos Computer Club's 29th hacker conference, 29C3, IT expert Tilo Müller demonstrated on Friday how hardware encryption for desktop computers and laptops can be attacked. Computer companies like to claim that integrated hard drive encryption prevents third parties from accessing private data or internal corporate information, especially after the loss or theft of a laptop.
Müller, who conducts research at the University of Erlangen in Germany, laid out various scenarios in which an encrypted hard drive in standby mode can be connected to an attacker's computer so that its data can be read. The researcher calls these situations "warm replug attacks", since the disk's SATA connection is replugged while the disk is running and without cutting power. Because the drive never loses power, it is not locked, and encryption can be bypassed. Only three of the twelve tested computers recognised that the hard drive was unplugged while in standby mode, Müller said. This kind of attack, however, requires that the attacker have physical access to a system that is running or, at least, in standby mode.
Along with the warm replug attacks, the IT expert and two of his colleagues also tested hard drive security against well-known attacks on hard drive encryption, such as cold boot attacks, DMA/FireWire attacks and "evil maid" attacks, which he says are successful even against SEDs in many practical scenarios. The researchers therefore feel that the security of encrypting hard drives is about the same as that of software-based systems like TrueCrypt and BitLocker. Only a few SEDs offered more protection, while some were even easier to attack.