The Cold Boot Attack is Back – How can Your Organization Protect Itself?

The Cold Boot Attack is Back – How can Your Organization Protect Itself?

What can organizations do to protect against a cold boot attack?

You may have seen in a recent article from the researchers at F-secure that they’ve recently uncovered a weakness in modern computers which attackers can exploit to steal encryption keys and other sensitive data.  This vulnerability enables hackers to perform a cold boot attack.

What is a cold boot attack?  It’s an attack going back a decade or more.  As defined by Wikipedia sources, “In cryptography, a cold boot attack (or to a lesser extent, a platform reset attack) is a type of side channel attack in which an attacker with physical access to a computer is able to retrieve encryption keys from a running operating system after using a cold reboot to restart the machine.  The attack relies on the data remanence property of DRAM and SRAM to retrieve memory contents that remain readable in the seconds to minutes after power has been removed.”

With regards to PCs, Microsoft has said the Cooled RAM attack, an earlier variant of this, is not relevant anymore because it is too difficult to remove memory chips in modern computers to access the contents which remain intact longer when cooled.  Similarly, the cold boot attack, at Microsoft’s prompting, was addressed in the computers’ BIOS to plug the hole for BitLocker.  A modern computer that uses BitLocker and is configured to TPM-Autoboot, as Microsoft promotes for usability, will have the keys automatically loaded into memory without user authentication if an attacker finds it, and just turns it on.  And therein lies the issue.

The historical cold boot attack had the attacker boot into a USB memory stick by causing a power reset, and then scrape the BitLocker keys from the memory.  To defend against malicious reset attacks, BitLocker leverages the TCG Reset Attack Mitigation, also known as MOR bit (Memory Overwrite Request).  With this BIOS feature on, if Windows crashes or shuts down abnormally, or is platform reset with the BitLocker keys still in memory, the BIOS will overwrite the keys before allowing the USB to boot.  That way they will not be in memory for the attacker’s software to find them.

The problem is, the discovered weakness disables that protection.  According to F-secure, “The attack exploits the fact that the firmware settings governing the behavior of the boot process are not protected against manipulation by a physical attacker.  Using a simple hardware tool, an attacker can rewrite the non-volatile memory chip that contains these settings, disable memory overwriting, and enable booting from external devices. The cold boot attack can then be carried out by booting a special program off a USB stick.”

In my view, the core of the problem is NOT the firmware and hardware platform’s implementation of the TCG Reset Attack Mitigation, but the very idea that keys be loaded automatically into memory without authentication.  Once the key is in memory, the security of the system is reliant on the operating environment which includes the OS, OS-present software, firmware and hardware which is a huge attack surface, and provides orders of magnitude less protection than an encrypted system with proper pre-boot authentication (PBA) in place.

So what can organizations do to protect against a cold boot attack? 

For one, consider implementing security solutions that include the user-based Pre-Boot Authentication on top of BitLocker.  PBA prevents anything being read from the drive, such as the operating system, BEFORE the user has confirmed they have the correct password or other credentials.  It’s a necessary component to fully achieve the confidentiality (and compliance) that full disk encryption is capable of providing.  

For an added layer of security, disable sleep capability on devices.  Implement strict policies that force users to either shut down or hibernate before leaving a laptop unattended. 

About the Author

Garry McCracken is vice president of technology at WinMagic. He has more than 30 years of experience in data communications and information security. Prior to working at WinMagic, Garry was vice president at Kasten Chase, where he played a key role in assuring the company's compliance with strict security standards.

Featured

  • Pragmatism, Productivity, and the Push for Accountability in 2025-2026

    Every year, the security industry debates whether artificial intelligence is a disruption, an enabler, or a distraction. By 2025, that conversation matured, where AI became a working dimension in physical identity and access management (PIAM) programs. Observations from 2025 highlight this turning point in AI’s role in access control and define how security leaders are being distinguished based on how they apply it. Read Now

  • Report: Cyber Attackers Continue to Turn to AI-Based Tools to Avoid Detection

    Comcast Business recently released its 2025 Cybersecurity Threat Report, a comprehensive analysis of 34.6 billion cybersecurity events detected between June 1,2024 and May 31, 2025. Now in its third year, the report offers business leaders a unique perspective into the evolving threat landscape and provides actionable insights to help organizations strengthen their defenses and align cybersecurity with business risk. Read Now

  • Axis Communications Creates AI-powered Video Surveillance Orchestra

    What if cameras could not only see the world, but interpret it—and respond like orchestra musicians reading sheet music: instantly, precisely, and in perfect harmony? That’s what global network technology leader Axis Communications set to find out. Read Now

  • Just as Expected

    GSX produced a wonderful tradeshow earlier this week. Monday was surprisingly strong in the morning, and the afternoon wasn’t bad at all. That’s Monday’s results and asking attendees to travel on Sunday. Just a quick hint, no one wants to give up their weekend to travel and set up an exhibit booth. I’m just saying. Read Now

    • Industry Events
    • GSX
  • NOLA: The Crescent City

    Twenty years later we finds ourselves in New Orleans. Twenty years ago the aftermath of Hurricane Katrina forced exhibitors and attendees to look elsewhere for tradeshow floor space. Read Now

    • Industry Events
    • GSX

New Products

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure.

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols.

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame.