Cold Boot Attacks


Some of you might have heard about an attack called a cold boot attack. This attack is a side channel attack that is performed by stealing the encryption keys out of the DRAM and/or SRAM of a system that has an encrypted hard drive.

How It Works
Cold boot attacks are pretty simple to perform, but for the group of people who figured them out, it was no walk in the park. The reason cold boot attacks work is that usually none of the information stored in your RAM is encrypted, so an attacker who can read the RAM gains access to everything stored in it. Cold boot attacks take advantage of a simple flaw in most common software-based encryption solutions: the encryption keys are stored in your RAM while the system is powered on.
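The flaw described above is that a volume key sits in plain RAM for as long as the system is powered on. The software that holds the key can at least make sure the key does not outlive the unlocked state: on lock, suspend or shutdown it should overwrite the key bytes so that a later memory image contains nothing useful. The following C program is an added illustration of that scrubbing step and is not code from this post or from TrueCrypt, BitLocker, FileVault or dm-crypt. The `volume_key` struct, `volume_unlock`, `volume_lock` and the patterned stand-in key are constructed for the example; a real product derives the key from the passphrase or TPM. The one thing to note is that a plain `memset()` of a buffer that is never read again is commonly removed by the compiler as a dead store, which is why `secure_zero` writes through a `volatile` pointer.

```c
#include <stdio.h>
#include <stddef.h>

#define KEY_LEN 32  /* AES-256 key size in bytes */

/* Zero a buffer through a volatile pointer so the compiler cannot drop the
   stores as dead. A plain memset() right before free()/exit is often
   optimized away, leaving the key bytes intact in RAM for a later read. */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Returns 1 if every byte of the buffer is zero, 0 otherwise. */
int is_all_zero(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* A volume key that is present in RAM only while the volume is unlocked.
   (Hypothetical structure for this example.) */
struct volume_key {
    unsigned char bytes[KEY_LEN];
    int unlocked;
};

/* Constructed stand-in for key derivation: fills the key with a
   recognisable pattern. Real code would derive it from the user's
   passphrase or release it from a TPM. */
void volume_unlock(struct volume_key *vk) {
    for (size_t i = 0; i < KEY_LEN; i++)
        vk->bytes[i] = (unsigned char)(0xA5 ^ i);
    vk->unlocked = 1;
}

/* Called on lock, suspend or shutdown: scrub the key so the RAM image a
   cold boot captures no longer contains it. */
void volume_lock(struct volume_key *vk) {
    secure_zero(vk->bytes, KEY_LEN);
    vk->unlocked = 0;
}

/* Unlock, confirm a key is present, lock, and report whether any key
   bytes survived. Returns 1 when the scrub left nothing behind. */
int demo_scrub_leaves_no_key(void) {
    struct volume_key vk;
    volume_unlock(&vk);
    int had_key = !is_all_zero(vk.bytes, KEY_LEN);
    volume_lock(&vk);
    return had_key && is_all_zero(vk.bytes, KEY_LEN);
}

int main(void) {
    printf("key scrubbed on lock: %s\n",
           demo_scrub_leaves_no_key() ? "yes" : "no");
    return 0;
}
```

Scrubbing only helps at the moment the software gives the key up; while the volume is mounted and the machine is running, the key has to be in RAM for the disk to be usable, which is exactly the window the attack targets.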

How the Attack Is Performed
A cold boot attack is performed by someone who has physical access to the system and can handle the hardware. The first step in performing a cold boot attack is to do a cold reboot of the system, usually after using a can of compressed air to cool the memory chips to around -50 degrees Celsius. Then you can either remove the RAM chips from the system and use a different system to read the data that has not yet been erased, or you can boot from an external device into a program called Bit Unlocker or something like it. Once you have done that you can create a copy of all of the data that has not been erased from the RAM.

Am I at Risk?
It depends on what type of system encryption software you are using. If you are using TrueCrypt, Microsoft’s BitLocker, Apple’s FileVault, or Linux’s dm-crypt, then you could be at risk. There are certain configuration changes that you can make to BitLocker and other solutions to make them more secure, as I describe below. A simple step to help protect yourself is to shut down your computer and wait several minutes before you take it somewhere with you. The time you have to wait can be anywhere from a few seconds to several minutes, depending on your system’s type of memory, memory manufacturer and motherboard properties.

How to Protect Yourself

Hardware Based Encryption
One method is to use some sort of hardware-based encryption to encrypt your memory while the system is powered on.

Advanced Encryption Methods
You could use BitLocker (or something like it) with a TPM and a boot PIN or external startup key to help protect your system. If you use a boot PIN or an external startup key along with the TPM, then whenever you boot your system it will require the regular encryption keys plus the boot PIN or external startup key. With this method the only way an attacker could decrypt your hard drive is by having access to the system while it was still powered on.

TCG-compliant
Another method is to use hardware and an operating system that both conform to the “TCG Platform Reset Attack Mitigation Specification”, an industry response to this specific attack. The specification has the BIOS overwrite memory during POST if the operating system was not shut down correctly. An attacker could still remove the RAM chips from your system and put them in another to perform the attack.
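The specification above works through a UEFI variable named MemoryOverwriteRequestControl (MOR): the operating system sets bit 0 while it holds secrets in RAM and clears it on an orderly shutdown, so if firmware finds the bit still set at the next POST it knows the shutdown was not clean and overwrites memory before booting anything. On a Linux machine booted in UEFI mode you can read the variable through efivarfs to see whether the mitigation is armed. The program below is an added check written for this post, not a tool from the TCG or any vendor; it assumes the standard efivarfs path layout (`NAME-GUID` under `/sys/firmware/efi/efivars`), the MOR GUID published in the TCG specification, and the efivarfs convention that the file starts with a 4-byte attribute word followed by the variable data. The sample byte strings are constructed.

```c
#include <stdio.h>
#include <stddef.h>

/* Path of the MOR variable under efivarfs (assumed layout; the GUID is the
   one the TCG specification assigns to MemoryOverwriteRequestControl).
   Confirm the path on your own platform. */
#define MOR_EFIVAR_PATH \
    "/sys/firmware/efi/efivars/MemoryOverwriteRequestControl-e20939be-32d4-41be-a886-2e65ec8a6b52"

enum mor_status { MOR_MALFORMED = -1, MOR_CLEAR = 0, MOR_ARMED = 1 };

/* efivarfs prepends a 4-byte little-endian attribute word to the variable
   data. MOR data is a single byte; bit 0 set means the OS has asked the
   firmware to overwrite RAM on the next reset, i.e. the mitigation is armed. */
int mor_status_from_bytes(const unsigned char *buf, size_t len) {
    if (buf == NULL || len != 4 + 1)
        return MOR_MALFORMED;
    return (buf[4] & 0x01) ? MOR_ARMED : MOR_CLEAR;
}

/* Read the variable file and classify it. A missing or unreadable file is
   reported as MOR_MALFORMED (legacy BIOS boot, firmware without MOR, or
   efivarfs not mounted). */
int mor_status_from_file(const char *path) {
    unsigned char buf[8];
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return MOR_MALFORMED;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return mor_status_from_bytes(buf, n);
}

/* Constructed sample file contents: attribute word 0x00000007, then the
   one-byte MOR value. */
const unsigned char SAMPLE_MOR_ARMED[5] = { 0x07, 0x00, 0x00, 0x00, 0x01 };
const unsigned char SAMPLE_MOR_CLEAR[5] = { 0x07, 0x00, 0x00, 0x00, 0x00 };

int main(void) {
    switch (mor_status_from_file(MOR_EFIVAR_PATH)) {
    case MOR_ARMED:
        puts("MOR armed: firmware will overwrite RAM after an unclean reset");
        break;
    case MOR_CLEAR:
        puts("MOR present but clear: the OS has not requested an overwrite");
        break;
    default:
        puts("MOR variable not readable: no TCG reset mitigation visible");
        break;
    }
    return 0;
}
```

Reading MOR_ARMED on a running system tells you the operating system has opted in; whether the firmware honours the request is a property of the board and can only be confirmed by the vendor's documentation or by testing. As the paragraph above notes, none of this helps once the modules are moved to another machine.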


Thank you all for taking the time to read this post and as always God bless!


This post can also be seen at blog.pjhoodsco.com.

Author

Preston Hood

Hello, my name is Preston Hood. I am the owner of PJHoodsCo, an Information Technology (IT) solutions provider. I am also an independent writer and IT security researcher.

2 Comments

  1. Eli Etherton July 9, 2014 at 2:31 pm

    I’ve heard of this concept before, but do you know if it’s actually been used in the wild? Seems like it would be a pain in the butt to try to actually perform.

    • Preston Hood July 9, 2014 at 3:09 pm

      I am sure it has been performed by forensics detectives to gain access to the bad guys’ hard drives, but as far as hackers trying to do it, I am not sure.
