CNET and others have been running stories lately regarding a new feature of a product called Passware Kit Forensic 11.3 which has the ability to now recover the encryption keys from Apple’s FileVault 2 Full Hard Drive Encryption software. While the articles themselves have done a balanced job of describing the risks, it frustrates me that novices reading the headlines may misunderstand the risks.
- FileVault 2 easily decrypted, warns Passware
- Mac FileVault 2’s full disk encryption can be broken in less than 40 minutes
- Apple FileVault 2 Encryption Cracked By Forensic Software
- Passware: Filevault can be brute force cracked during the span of a lunchbreak No security product is magic. Each tool is designed to protect your data under certain circumstances and given certain constraints. Full Hard Drive Encryption is a great tool, but you have to understand its limitations. It only protects your data when your computer is powered down. When you are using your computer, your data is accessible, as it obviously must be, since you are using it.
Full Hard Drive Encryption, when used properly, is extremely effective at protecting your data. Research has shown that it is becoming a challenge for law enforcement (Research team finds disk encryption foils law enforcement efforts) and that the only avenue to recover data is by compelling the owner to divulge their encryption key. This is becoming an area of law in the United States with regards to 5th Amendment Protections. (Prosecutors Demand Laptop Password in Violation of Fifth Amendment, Take the 5th? Not With Encrypted Hard Drives, Says Fed Judge, and Does the Fifth Amendment Protect Your Encryption Key? provide some information on the topic.) This will be an interesting intersection of technology and law in the coming years. You can see the beginnings of this showing up in the recent Supreme Court case United States v. Jones I talked about recently.
Back to Full Hard Drive Encryption. Memory attacks like those used by the Passware software are nothing new. Firewire is designed to allow direct memory access. I doubt the authors imagined it being used in this way, but the “Law of unintended consequences” certainly applies here. More information on this topic can be found in this very informative article: Physical memory attacks via Firewire/DMA - Part 1: Overview and Mitigation.
The lesson to be learned here is that when using security software (or any security product) it is critical that you understand the security tool and what it can and most importantly can’t protect against.