Schneier, Team Hack 'Invisibility Cloak' for Files

Researchers break 'deniable file system' steganography feature that conceals the existence of sensitive files from hackers

It may not be possible after all to conceal the existence of a sensitive file on a machine.

BT security expert Bruce Schneier and a group of researchers have hacked an ultra-paranoid feature in the TrueCrypt open-source disk encryption tool that lets users hide secret files from detection by attackers or others.

This “deniability” feature is a sort of extreme file-protection function that first encrypts the file and then hides it within an encrypted area on the disk drive like an invisibility cloak. But Schneier, chief security technology officer with British Telecom and researchers from the University of Washington found that Microsoft Vista, Word, and Google Desktop each can blow the cover of files using this so-called “deniable file system” (DFS) feature.

The researchers were able to get around DFS in versions 5.0 and below of TrueCrypt’s encryption-on-the-fly tool, and will present their findings on the hack at the Usenix HotSec ’08 summit next week in San Jose, Calif.

Unlike encryption, where files and directories are scrambled into unreadable but visible forms, DFS masks the existence of files altogether so that there’s no evidence of the files at all.

TrueCrypt’s developers, meanwhile, say the just-released new version of the software, 6.0, remedies the leakage problem with DFS. “To our best knowledge, TrueCrypt 6 solves all the issues,” says David, one of TrueCrypt’s developers. The new features include the ability to create and run a hidden encrypted operating system, for example.

Schneier, however, isn’t convinced that TrueCrypt 6 can’t be hacked. The version had not yet been released when he and the UW researchers did their work, but Schneier thinks the outcome would likely be basically the same. “The new version will definitely close some of the leakages, but it's unlikely that it closed all of them,” he says.

Schneier, who has studied the viability of the so-called “deniable” file system model in the past, says DFS is actually easier to hack than encryption, and that there may be no way to make files truly undetectable on a drive. “Deniability is a much harder security feature to enable than secrecy,” he says. (See Schneier On Schneier and Schneier: In Touch With Security's Sensitive Side.)

The researchers were able to crack DFS without decrypting it. “Breaking the security of a DFS does not require decrypting the data; it only requires proving that (or in some cases simply providing strong evidence that) the encrypted data exists,” according to the report, which was co-authored by Schneier and University of Washington researchers Alexei Czeskis, David St. Hilaire, Karl Koscher, Steven Gribble, and Tadayoshi Kohno.

The researchers found that Windows Vista shortcuts can give away the existence of a hidden file. Vista, which automatically creates shortcuts to files that get used, then stores the shortcuts in the Recent Items folder. And the auto-save feature in Word, meanwhile, saved versions of the hidden files.

“An attacker can use information gleamed from these files — as well as other information leakage from the primary application — to not only infer that a hidden volume exists, but also recover some of its contents,” the researchers wrote in their report.

Google Desktop is another culprit that exposes hidden files in TrueCrypt versions below 6.0, according to the report. The Google app’s lists of recently changed documents and logs of recent file actions can reveal the existence of a hidden file.

The researchers say there are two ways to prevent Google Desktop from leaking the contents of the hidden files: Put the desktop search into a limited mode of operation (rather than enhanced); or shut down or pause the Google app when using the hidden, secret files.

“Modern applications and operating systems are very complicated, and interact with each other in many different ways,” Schneier says. “Hiding the existence of something means controlling all those interactions, which turns out to be a very hard problem.”

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • BT Counterpane
  • Recommended Reading:
    Editors' Choice
    Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
    Joshua Goldfarb, Director of Product Management at F5