Q&A with Edward Felten on computer privacy policy and e-voting


Edward Felten, a Professor of Computer Science and Public Affairs at the Woodrow Wilson School, conducts research in computer security, privacy, and technology policy. His research also focuses on technical issues related to anti-copying technology, intellectual property policy, and the impacts of technology regulation in general.

In the midst of the longest presidential campaign in American history – and amidst ongoing concerns about the efficacy and security of electronic voting at polls around the country – Felten spoke with the School’s Office of External Affairs about his latest research.

(On a related note, in March Prof. Felten publicly weighed in on discrepancies found in certain e-voting machines used in the New Jersey presidential primaries.)

Woodrow Wilson School (WWS): You and your colleagues recently released a paper in which you reveal that you’ve developed a method to steal encrypted information stored on computer hard disks. What does this mean for computer users?

Edward Felten (EF):  Encryption is a way of scrambling information so that it can’t be understood by someone who comes across it.  Imagine a laptop computer and the person has sensitive files on the laptop.  Maybe it’s sensitive government or corporate information.  Maybe it’s private information about customers or citizens and you want to make sure if the laptop falls into the wrong hands, if you lose it, that a bad guy who gets the computer cannot access the files.  So you’ll encrypt – the theory is that you would need to have a secret key or password to have access to the files. 

WWS:  Could you explain the technique you used to access the encrypted information?

EF:  What we discovered was in cases like this where there is a laptop computer that has these encrypted files on it, the secret decryption key was usually sitting in the RAM memory, which is the main memory that the computer uses while it’s turned on. 

And the conventional wisdom was that when you turn the computer off, the information that’s in the RAM memory would go away, and therefore the encryption keys would be gone. But what we found is that if you cut the power to the computer, the information that is in the RAM memory actually is available for a while, for seconds or minutes. And that allows someone who has the computer in their hands to actually get these encryption keys. They can cut the power to the computer and then restore the power and then just read the secret key out of the memory.

So, we found, first of all, that the information sticks around in this RAM memory much longer than people thought.   I would have said before we did this study that information might last for a tiny fraction of a second.  But in fact it lasts, as I said, for seconds or minutes. 

The other thing that we found is that if you chill the memory – literally make it cold – the information stays available for much longer. The first level of cooling that we tried was spraying cooling spray on the chips. There are products, cans of compressed air you can use to clean the dust out of your computer keyboard. If you turn the can upside down and spray it, what comes out is super-cold refrigerant. It’s about minus 50 degrees. If you spray that stuff on memory chips, the chips remember their contents for 10 minutes or more, even without power.

So, whereas you might have had ten seconds at room temperature before the data was gone, you might have ten minutes or longer when it’s chilled.  You can actually pull the chips out of the computer and set them on the table for ten minutes and they get all frosty but the information is still accessible.  If you then take those chips and dump them in liquid nitrogen - which is much colder, something like minus 350 degrees – then the information lasts for hours.  We don’t know how long, actually, because we ran out of liquid nitrogen!

And so we looked at all the [software] products we could find that do this kind of encryption - that protects this kind of information on laptops - and all of them were defeated by this method we discovered.

WWS:  So, some of the more popular encryption software packages are BitLocker, FileVault, dm-crypt, and TrueCrypt.  Did your research find that any of these were more or less vulnerable?

EF:  Not really. They are all about equally vulnerable. Most of the products work in a single way. They all use very strong, military grade encryption.  It’s not a question of how good the encryption is from a mathematical sense; how well it resists descrambling.  If you think of it like a lock on a door, you could have the best kind of lock, but if someone could get the key they could just open it.  And what our method does is get the key. 

All these systems use, as far as we could tell, really strong encryption, but the problem is they have no place safe to put the key. 

WWS: Do governmental agencies, such as the CIA, the FBI or Homeland Security (which helped fund your research), to your knowledge use any of these?

EF:  We don’t know. We know that this sort of encryption package is used widely within government in cases where they want to protect information.  What we don’t know is what the classified, super-secure systems use.  That information is not easily available to us and to the extent that we could get it we can’t tell you. 

WWS:  Have you received any feedback from encryption software manufacturers, computer manufacturers, or government agencies?

EF: Yes. We talked to encryption software vendors before we released the paper about what we had found, and told them that we would give them access to the technical information. And we told them that, as far as we could figure out, there wasn’t an easy fix for this problem. At least one of the vendors’ representatives seemed really surprised. Most of them, however, kept their institutional poker faces. The one vendor representative that we did have a chance to notify in person, just because we ran across him at a conference, seemed pretty surprised.

Our study went beyond showing that this kind of attack was possible in principle to look concretely at what methods a forensic analyst might use to get the information in practice. Beyond even knowing that this attack was possible, we were surprised at how effective it was in practice.  We had figured out a whole set of increasingly sophisticated tricks that someone could use along with these attacks to make them more effective, and we found in practice that we didn’t need any of those tricks. So there are several unused tricks yet that could make the attacks stronger.

We also got quite a bit of interest from people in law enforcement, mostly in the U.S., but also in some other countries, about the methods and whether they might be useful in investigations.  For example, police departments sometimes have search warrants to search a home or an office and they’ll find computers.  And they have well established groups that do forensic analysis on computers to figure out what evidence they can get out of the computer.  It looks like our methods would let them gather more information in some cases.  Some of the more sophisticated criminals use the kind of encryption tools that we studied to try and protect their information – and so we think this will allow law enforcement to get more information in those cases. 

WWS:  Could the average person or anyone use this technology?

EF: It’s possible to package the technology into an easy-to-use form, and in our video we show a program called Bit Unlocker we made, which really anyone can use. The software is packaged on a USB hard drive, so you could just plug it into a port on a laptop computer, unplug the laptop and remove the battery, put the battery back and just push the power button to boot the laptop, and our Bit Unlocker software will do the rest. Basically it does a bunch of mathematical analysis of what is on the computer, and then it gives you a way to browse the encrypted files on the system. We’re not releasing the Bit Unlocker software for obvious reasons.

WWS:  Should the general public be concerned about sensitive information, such as financial or medical data being accessed?

EF: It is a concern. There have been many press stories about leaks of private information via misplaced or stolen laptops – for instance, if you’re a federal employee with private data about U.S. citizens on your laptop, you’re required to use one of these disk encryption tools. And what our study shows is that disk encryption does not provide nearly the level of protection that people thought.

We’re back to the state where we were before disk encryption came along, which is that any laptop that has private information on it is potentially dangerous if it gets lost or stolen - which happens all the time. 

WWS: Are there certain policies the U.S. government can put in place?

EF: There are things the government can do. They went down the road of requiring some agencies to use disk encryption tools, but there are some things they can do further, procedurally. This also connects to privacy legislation. Some states, such as California, require companies to notify their customers if there is a leak of private data. There have been many notifications under the California law. A similar law is being considered at the federal level. But usually the proposals have an exception, as California does, for cases where the data is encrypted.

So, in the case where a laptop is lost or stolen and the data was encrypted, it’s exempt from this notification requirement because it is believed not to carry a risk. Our work suggests that those encryption exceptions are problematic. And so I believe this will affect the debate.  There’s been some debate about whether to have an encryption exception, or what its breadth should be at the federal level. But at the moment we’re not really close to passing a federal security breach notification law.

There is not an easy way to fix the vulnerability we found. In our paper there’s a section where we talk about potential fixes and strategies for addressing the problem in practice, but none of the fixes work effectively. The easiest and fastest fix in the short run is to shut your laptop down completely – not into a sleep mode or hibernation mode, but all the way off.

But the problem is that it will take a long time to re-boot the system, and people don’t want to have to go through a five-minute reboot time. It’s a huge pain in the neck; you walk into your next meeting and you’re ready to bring up your documents to show your boss, and now you have to wait five minutes.

WWS:  On another subject, you and your colleagues created a demo of vote-stealing software and revealed that Diebold voting machines - among the most widely used in America - were vulnerable to attack. Could you explain this?

EF: We studied a Diebold touch-screen voting machine. It’s all computerized: the voter just touches buttons on the screen to cast their vote, and at the end of the election there is a little removable memory card – the same kind of memory card that is used in a lot of digital cameras – which has the votes on it and gets taken out by an election worker.

Because the voting machine is all electronic and is basically just a computer, it is subject to all the problems a computer has.  Computer scientists have been pretty alarmed over the last decade or so, as there has been a trend towards completely paperless voting machines.  It was obvious as a matter of computer science that if someone could change the software in the voting machine, they could program it to miscount the votes.  But nobody had ever demonstrated that in practice, because no independent computer scientist had ever gotten their hands on a real voting machine. 

We managed to get our hands on this Diebold machine and we made a demonstration that was completely boring to computer scientists because they all knew vote-stealing was possible, but we were able to show non-experts that it was relatively easy to make a voting machine miscount votes. We also did a pretty detailed technical study of how the machine worked.

WWS:  Did you receive any responses from Diebold?

EF:  Oh, yes.  They published a very short and somewhat hostile response, basically saying that we didn’t know what we were talking about, and that there were safeguards in practice that would prevent vote-stealing - although in our study we had carefully considered all those safeguards and explained why they didn’t actually provide protection in practice.

So, there wasn’t so much of a response.  They didn’t try to engage in a debate, they just tried to brush it off. But being able to do a demo had a pretty powerful impact.

WWS:  As a result of your work you were asked to testify before Congress. Did you actually demonstrate this there?

EF:  I testified before Congress and did a live demo of election-stealing. Our standard demo was a fake election for president between George Washington and Benedict Arnold, in which I opened the polls, cast votes for George Washington and then counted the votes and the machine said that Benedict Arnold had been the winner. This was part of an effort by computer scientists to move the debate on this issue, which I think has had a lot of success. 

We’ve seen changes in a lot of states.  Some states have passed laws that banned paperless voting machines.  New Jersey has such a law, although it hasn’t taken effect yet.  Computer scientists’ research also may have caused states, notably California, to commission serious technical studies of voting machines.  California commissioned a top-to-bottom review of all the electronic voting machines used there, and several people from my group participated in that review.  California got academic researchers from around the country to participate and they assigned teams to study several e-voting systems used in California. 

Because the states often have the power to certify or decertify e-voting machines in their states, they were able to get the vendors to agree to provide more technical information, to provide access to the machines. The California study lasted about three months.  There was a very tight deadline because California’s secretary of state needed to decide whether to decertify the machines, and needed some time before the election for California officials to cope with any decertification.  

The California study was really very comprehensive, so other states have been able to use the findings of the California study. Ohio, for example, did a study as well. They use some slightly different equipment than California, but the study had similar results. In most places, the choice of which voting technology to use is made on a county-by-county basis, so in a big state like California almost every popular technology is used somewhere, in some county.

The latest development is that in the recent presidential primary in New Jersey there were some discrepancies reported by one brand of voting machine, the Sequoia AVC Advantage, in several counties. My group has been asked by some New Jersey county clerks to do a study to diagnose the cause of those discrepancies, which we are just about to start. And we plan eventually to produce a report about the causes of those problems.

WWS:  We have a presidential election coming up in November.  Are you at all concerned about voting machine tampering?

EF:  Yes. But there’s been progress. Over the last few years more states have moved to safer voting technologies.  Right now, depending on where you draw the line, there are about 38 states that will either have a statute or policy requiring the use of voting technologies that have the basic safeguards I think are necessary.  But there will be 10 to 12 states using riskier voting technologies, including some of the swing states.  There is reason for concern.

The worst case scenario is a very close election – like the 2000 election – where it is particularly close in some swing states, and there are discrepancies or issues with the voting machines in those states. At least in Florida in 2000, the recount had punchcard ballots that people could hold up and look at with magnifying glasses, and you could argue about the dimpled chads. With the electronic voting machines you have one record, it’s electronic, and you either believe it or you don’t. There can be no real recount.

In some cases we have had reports of electronic voting technologies reporting results that are obviously wrong.  So, that is the worst case, where something is obviously wrong and the election is close in some swing state: and what do you do? 

Right now we have a project where we are trying to look at a combination of party affiliations and polling results, and determine which states are likely to be swing states, and put that together with what we know about the voting technology and our estimate of the risk attached to each technology. The aim is to make a map of the hot states or the hot counties where the risk is highest. We’ll be updating that map as we get closer to the November elections.