Dust Remover and Paper Clips
A couple of recent research projects from academia underscore the fact that attackers don’t always need sophisticated methods to circumvent sophisticated data security technology. Sometimes all it takes is some creativity and a few office supplies…
Last week, the New York Times reported that Princeton researchers found a way to get around disk encryption by exploiting a vulnerability of DRAM chips, which temporarily hold data for processing – including encryption keys. When a computer is powered off, the data on these chips is supposed to vanish. However, by simply cooling the chips, researchers were able to “freeze” the data in place and access the keys used to encrypt the hard disk. According to the article, the technique is as simple as “chilling a computer memory chip with a blast of frigid air from a can of dust remover.”
“Cool the chips in liquid nitrogen (-196 °C) and they hold their state for hours at least, without any power,” Edward W. Felten, a Princeton computer scientist, wrote in a Web posting. “Just put the chips back into a machine and you can read out their contents.”
This week, researchers from Cambridge released a paper on the vulnerability of PIN Entry Devices (PEDs) that can be exploited by placing a simple metal “tap” (such as a bent paperclip) to intercept unencrypted card and PIN details before they reach the PED’s microprocessor.
According to one of the researchers involved in the project, Saar Drimer, “These PEDs failed to protect the communication path that carries the card data from the card to the PIN pad, and that carries the PIN from the PIN pad back to the card. A villain who taps this gets all the information he needs to make a fake card, and to use it.”