Simon Says – Musings of a Technology CTO

Many people have contacted my team and I over the last few days about the recent announcement by ElcomSoft, that they offer a tool to decrypt Bitlocker, PGP and Truecrypt volumes.

This $299 tool is advertised as getting you access to this encrypted data quickly and easily…

Now, this may sound exciting, but as they say, there’s always a catch – you need a memory dump from the machine from when it was authenticated to use this tool – yes, no recovery if you find a cold machine. You have to get access to it while it’s on and the user has logged in, then, after they switch it off, you can recover the data..

Sounds familiar? Well it should, it’s exactly the same idea Passware.com released to the world back in 2010 – I even blogged about it then…

The difference is, Passware (currently) charge you just shy of $750 for their Enterprise Passware Kit.

So, exactly the same idea, just cheaper. Wow.

Let’s revisit the attack one more time just so you can be sure to explain to your worried CISO why this is as much of a non-event as it was 32 months ago.

1. The machine needs to be on, and authenticated for the attack to work
2. If the machine is off, and needs authentication to boot, the attack does not work

Point 2 is of course the important one. If you are using encryption software which does not require user authentication, say Bitlocker without a Password, TPM only mode for example, or you implemented something like EEPC with pre-boot authentication disabled, you already should know that you left the encryption key in the front door and your machines are totally insecure.

If you’re using “volume” encryption, the attack only works if you leave the machine unattended with the volume mounted.

Most McAfee customers are using full disk encryption with pre-boot authentication on, so if you just shut your machine down or hibernate it before leaving it unattended and you’ll be fine.

No one can recover keys from memory on a machine which is off…