The Cold Boot Attack is Back – How can Your Organization Protect Itself?

The Cold Boot Attack is Back – How can Your Organization Protect Itself?

What can organizations do to protect against a cold boot attack?

You may have seen in a recent article from the researchers at F-secure that they’ve recently uncovered a weakness in modern computers which attackers can exploit to steal encryption keys and other sensitive data.  This vulnerability enables hackers to perform a cold boot attack.

What is a cold boot attack?  It’s an attack going back a decade or more.  As defined by Wikipedia sources, “In cryptography, a cold boot attack (or to a lesser extent, a platform reset attack) is a type of side channel attack in which an attacker with physical access to a computer is able to retrieve encryption keys from a running operating system after using a cold reboot to restart the machine.  The attack relies on the data remanence property of DRAM and SRAM to retrieve memory contents that remain readable in the seconds to minutes after power has been removed.”

With regards to PCs, Microsoft has said the Cooled RAM attack, an earlier variant of this, is not relevant anymore because it is too difficult to remove memory chips in modern computers to access the contents which remain intact longer when cooled.  Similarly, the cold boot attack, at Microsoft’s prompting, was addressed in the computers’ BIOS to plug the hole for BitLocker.  A modern computer that uses BitLocker and is configured to TPM-Autoboot, as Microsoft promotes for usability, will have the keys automatically loaded into memory without user authentication if an attacker finds it, and just turns it on.  And therein lies the issue.

The historical cold boot attack had the attacker boot into a USB memory stick by causing a power reset, and then scrape the BitLocker keys from the memory.  To defend against malicious reset attacks, BitLocker leverages the TCG Reset Attack Mitigation, also known as MOR bit (Memory Overwrite Request).  With this BIOS feature on, if Windows crashes or shuts down abnormally, or is platform reset with the BitLocker keys still in memory, the BIOS will overwrite the keys before allowing the USB to boot.  That way they will not be in memory for the attacker’s software to find them.

The problem is, the discovered weakness disables that protection.  According to F-secure, “The attack exploits the fact that the firmware settings governing the behavior of the boot process are not protected against manipulation by a physical attacker.  Using a simple hardware tool, an attacker can rewrite the non-volatile memory chip that contains these settings, disable memory overwriting, and enable booting from external devices. The cold boot attack can then be carried out by booting a special program off a USB stick.”

In my view, the core of the problem is NOT the firmware and hardware platform’s implementation of the TCG Reset Attack Mitigation, but the very idea that keys be loaded automatically into memory without authentication.  Once the key is in memory, the security of the system is reliant on the operating environment which includes the OS, OS-present software, firmware and hardware which is a huge attack surface, and provides orders of magnitude less protection than an encrypted system with proper pre-boot authentication (PBA) in place.

So what can organizations do to protect against a cold boot attack? 

For one, consider implementing security solutions that include the user-based Pre-Boot Authentication on top of BitLocker.  PBA prevents anything being read from the drive, such as the operating system, BEFORE the user has confirmed they have the correct password or other credentials.  It’s a necessary component to fully achieve the confidentiality (and compliance) that full disk encryption is capable of providing.  

For an added layer of security, disable sleep capability on devices.  Implement strict policies that force users to either shut down or hibernate before leaving a laptop unattended. 

About the Author

Garry McCracken is vice president of technology at WinMagic. He has more than 30 years of experience in data communications and information security. Prior to working at WinMagic, Garry was vice president at Kasten Chase, where he played a key role in assuring the company's compliance with strict security standards.

Featured

  • New Gas Monkey Garage Venue Uses AI-Enhanced Video Technology

    Gas Monkey Garage, the automotive custom shop and entertainment brand founded by Richard Rawlings of Fast N’ Loud TV fame, has opened a vibrant new restaurant and bar in South Dakota, equipped with advanced, AI-enhanced video tech from IDIS Americas. Read Now

  • Data Driven, Proactive Response

    As cities face rising demands for smarter policing and faster emergency response, Real Time Crime Centers (RTCCs) are emerging as essential hubs for data-driven public safety. In this interview, two experts with deep field experience — Ross Bourgeois of New Orleans and Dean Cunningham of Axis Communications — draw on decades of operational, leadership and technology expertise to share how RTCCs are transforming public safety through innovation, interagency collaboration and a relentless focus on community impact. Read Now

  • Integration Imagination: The Future of Connected Operations

    Security teams that collaborate cross-functionally and apply imagination and creativity to envision and design their ideal integrated ecosystem will have the biggest upside to corporate security and operational benefits. Read Now

  • Smarter Access Starts with Flexibility

    Today’s workplaces are undergoing a rapid evolution, driven by hybrid work models, emerging smart technologies, and flexible work schedules. To keep pace with growing workplace demands, buildings are becoming more dynamic – capable of adapting to how people move, work, and interact in real-time. Read Now

  • Trends Keeping an Eye on Business Decisions

    Today, AI continues to transform the way data is used to make important business decisions. AI and the cloud together are redefining how video surveillance systems are being used to simulate human intelligence by combining data analysis, prediction, and process automation with minimal human intervention. Many organizations are upgrading their surveillance systems to reap the benefits of technologies like AI and cloud applications. Read Now

New Products

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure.

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file.

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.