Cracking PGP, TrueCrypt, and other strong encryption packages just got more affordable, with the release of a $300 package that can pluck decryption keys out of computer memory in certain cases.

Thursday's release of the Elcomsoft Forensic Disk Decryptor poses the biggest threat to people who leave their pre-OS X 10.7.2 Mac laptops or FireWire-equipped PCs in hibernate or sleep states while encrypted drives are mounted. It has long been possible to use the FireWire or Mac Thunderbolt interfaces to retrieve the contents of volatile memory on machines that are password-protected but not powered down. But until now, it has cost closer to $1,000 for an easy and reliable way to use that data against people using strong full-disk encryption programs.

The new product from Moscow-based ElcomSoft changes that. Like Passware, which Ars first chronicled in 2009, it's able to comb through memory dumps and locate the cryptographic keys stored inside. But at a third of the price, Forensic Disk Decryptor could bring that capability to a much larger customer base.

Not quite perfect

Current versions of Passware and Forensic Disk Decryptor are marketed as being able to extract keys used by PGP, TrueCrypt, Apple's FileVault, and Microsoft's BitLocker. These encryption programs are widely regarded as providing near-perfect implementations of strong cryptography, making them reliable ways for executives and other high-value targets to encrypt single files, drive partitions, or entire disks. But there's a catch: The programs are only able to read or write to encrypted areas by storing a cryptographic key in computer memory. That opens the door to attackers who can access the memory and then ferret out the key. (The ElcomSoft product only isolates the key. Software and hardware for capturing the memory dump must be obtained separately.)

Forensic Disk Decryptor works best against machines that have a FireWire port, but there are other ways an attacker might access keys stored in memory. The most obvious alternative is the Thunderbolt interface included on newer Macs. Like FireWire, it appears to grant users direct memory access, although two blog posts report this behavior was quietly fixed in OS X version 10.7.2 (thanks to Ars reader spookware for the links).

On Macs running versions that predate 10.7.2, attackers could therefore carry out the same types of attacks. Another possibility is obtaining a file that gets written to disk just prior to a computer being put into hibernation. If the encrypted disk is mounted during that process, the key is likely to be contained inside the file. A third possible avenue is retrieving a key stored in unencrypted virtual machine memory that gets written to a hard drive.
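A defender's check for the hibernation-file exposure described above, carried over to Linux as an added example (it is not from the article or from any product it names): it flags swap and resume targets that are not dm-crypt mappings, since that is where RAM contents reach disk in the clear. The sample /proc/swaps text, kernel command line and dm UUID values are constructed, and the check assumes resume= is written as a device path.

```python
import re

# Constructed sample inputs for a Linux host (not captured from a real machine).
SAMPLE_SWAPS = (
    "Filename                Type        Size      Used  Priority\n"
    "/dev/dm-1               partition   8388604   0     -2\n"
    "/dev/sda3               partition   4194300   0     -3\n"
    "/swapfile               file        2097148   0     -4\n"
)
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/mapper/vg-root ro resume=/dev/sda3 quiet"
# Device -> contents of /sys/block/<dm-N>/dm/uuid; dm-crypt mappings start with "CRYPT-".
SAMPLE_DM_UUIDS = {"/dev/dm-1": "CRYPT-LUKS2-00000000000000000000000000000000-cryptswap"}


def parse_swaps(text):
    """Return [(path, type)] from /proc/swaps content, skipping the header row."""
    rows = [line.split() for line in text.splitlines()[1:]]
    return [(r[0], r[1]) for r in rows if len(r) >= 2]


def resume_target(cmdline):
    """Return the value of the kernel's resume= parameter, or None if absent."""
    match = re.search(r"(?:^|\s)resume=(\S+)", cmdline)
    return match.group(1) if match else None


def audit(swaps_text, cmdline, dm_uuids):
    """List (target, finding) pairs for places RAM contents can reach disk in the clear."""
    findings = []
    resume = resume_target(cmdline)
    swaps = parse_swaps(swaps_text)
    for path, kind in swaps:
        if kind == "file":
            # A swap file is only as protected as the filesystem that holds it.
            findings.append((path, "swap file: confirm its filesystem is encrypted"))
        elif not dm_uuids.get(path, "").startswith("CRYPT-"):
            role = "hibernation image" if path == resume else "swap"
            findings.append((path, f"{role} on unencrypted device"))
    if resume and resume not in [p for p, _ in swaps]:
        # resume= may be written as UUID=... or /dev/mapper/...; resolve it by hand.
        findings.append((resume, "resume target not matched to a swap entry"))
    return findings


if __name__ == "__main__":
    for target, finding in audit(SAMPLE_SWAPS, SAMPLE_CMDLINE, SAMPLE_DM_UUIDS):
        print(f"{target}: {finding}")
```

On a real host the three inputs come from /proc/swaps, /proc/cmdline and the dm/uuid files under /sys/block.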

Security experts have known of these types of attacks since at least 2008, when a team of scientists demonstrated a "cold boot" attack that directed a canned air dispenser on a targeted computer after it had been switched off. (Some say such attacks are much older.) By supercooling the machine's memory chips, the researchers were able to preserve the RAM contents long enough to extract keys used by BitLocker, FileVault, and TrueCrypt.

Marketers at ElcomSoft have gone to great lengths to portray Disk Decryptor as something novel. That's an exaggeration that loses the larger point. While these attacks have been possible for years, they're becoming easier and less expensive to carry out. It wouldn't be surprising to see similarly reliable open-source software released in the next few years, assuming it isn't already available.

What this means is that if you rely on strong encryption to protect the contents of a hard drive, you shouldn't leave your computer in sleep or hibernation mode and assume your secrets are safe. In a matter of minutes, an attacker who finds it unattended may be able to dump the memory and retrieve the key, even if the machine is password-protected. This capability has existed for years, but it's quickly becoming a script kiddie exercise. People who truly value their privacy and have no use for the FireWire or Thunderbolt ports on their machines may want to consider destroying them, as one savvy computer user has suggested.

Readers should also understand that Forensic Disk Decryptor and similar programs aren't exploiting any vulnerabilities in PGP or the other strong crypto apps being attacked. In-memory key storage is a requirement for the affected programs to work. Still, release of the $300 program means it's easier than ever for someone with access to your PC to rifle through contents you long assumed were off-limits. Remember that the next time you plan to leave it unattended, even for just a few minutes.

Update, December 21, 2012 3:30 California time:

David Finkelstein, Symantec's director of encryption development, wrote in an e-mail:

Regardless of what any press release may say, your article incorrectly states that PGP encrypted systems placed into hibernation can be easily cracked with forensic tools. When a system running PGP Whole Disk Encryption enters hibernation, the hibernation file is stored encrypted on the disk. Any user must re-enter their password (or insert their hardware token and provide the associated PIN) before the system will resume from hibernation. An attacker cannot gain access to the disk key from a hibernated system that is employing PGP Whole Disk Encryption.

He went on to write: "And of course, my comments only apply to systems that have the entire disk encrypted. If you only encrypt a partition (or two), it is possible that the hibernation file (or hibernation partition) is not encrypted."

Post updated to add details about OS X 10.7.2. Headline updated to remove PGP.
