Tool to fool TrueCrypt published
Security expert Joanna Rutkowska has developed a tool that attackers can use to get access to hard drives encrypted with TrueCrypt. The trick Rutkowska implemented is as easy as can be and the principle has been known for some time. She wrote a keyboard logger that sniffs the password entered for decryption. To make the process especially user-friendly, she came up with an image that can be loaded on a USB stick. When the stick is inserted into an encrypted laptop and the laptop is booted from the stick, it infects the hard drive's boot loader and latches onto the password query mechanism.
The next time the notebook is booted, the sniffer grabs the password and saves it. At some later point, the attacker has to then get renewed access to the laptop and boot it from the USB stick. The stick code detects that the system is already infected and extracts the sniffed password. The thief can boot the laptop normally or simply copy and decrypt the hard drive using the OS loaded from the USB stick.
Rutkowska hasn't exactly found a new vulnerability in the TrueCrypt open source software. After all, the attack scenario is well known and documented. Indeed, this approach can also be used against other types of hard drive encryption, such as the commercial PGP Whole Disk Encryption. Rather, the security expert has cleverly managed to open an old wound: the security of such systems can only be ensured if the entity that protects against manipulation checks the integrity of all components during booting, as for example a system using a Trusted Platform Module (TPM) for authentication should.
Such attacks can at least be made more difficult if the BIOS has password protection and only allows the machine to be booted from the installed hard drive. But even then, attackers could still manipulate the hard drive by removing it, connecting it to another computer for infection, and then reinstalling it.
- Evil Maid goes after TrueCrypt!, Blog entry from Joanna Rutowska