Canned Air and FileVault

by Matt, matt@smalldog.com

The Internet is abuzz with a story about freezing RAM to “capture” its contents in order to obtain encryption keys. This technique is completely effective, and affects all computers and all operating systems—it’s an inherent limitation of RAM itself.

RAM, or random access memory, is considered “volatile” memory, because once removed from power, its data dissipates and the chip eventually becomes completely devoid of data. The data dissipates quite slowly with some memory, but very quickly in others. Non-volatile RAM is designed so that the data does not dissipate at all when removed from power.

It was discovered early this week that simply freezing volatile RAM chips using a can of compressed air turned upside down can dramatically slow, or temporarily completely stop, the dissipation of data from RAM chips. I’m not going to describe the process here, but you can find videos and articles of the process all over the internet.

The immediate implication for Mac users is that this reduces the efficacy of FileVault, Apple’s disk encryption system. Whenever data is encrypted, it is essentially locked, and can only be decrypted with a key. These encryption keys are generally long strings of letters and numbers, and are stored in RAM while the computer is powered on. When power is removed from the machine, the data dissipates slowly; when properly shut down or put to sleep, this data is erased. Freezing the RAM, removing it, and reinserting into another computer with special software, one can easily obtain the encryption key and access to encrypted files.

This is one advantage of the MacBook Air: its RAM is soldered to the main logic board and can’t be removed without damaging the memory itself.

by Matt, matt@smalldog.com