The Cold Boot Attack is Back – How can Your Organization Protect Itself?

The Cold Boot Attack is Back – How can Your Organization Protect Itself?

What can organizations do to protect against a cold boot attack?

You may have seen in a recent article from the researchers at F-secure that they’ve recently uncovered a weakness in modern computers which attackers can exploit to steal encryption keys and other sensitive data.  This vulnerability enables hackers to perform a cold boot attack.

What is a cold boot attack?  It’s an attack going back a decade or more.  As defined by Wikipedia sources, “In cryptography, a cold boot attack (or to a lesser extent, a platform reset attack) is a type of side channel attack in which an attacker with physical access to a computer is able to retrieve encryption keys from a running operating system after using a cold reboot to restart the machine.  The attack relies on the data remanence property of DRAM and SRAM to retrieve memory contents that remain readable in the seconds to minutes after power has been removed.”

With regards to PCs, Microsoft has said the Cooled RAM attack, an earlier variant of this, is not relevant anymore because it is too difficult to remove memory chips in modern computers to access the contents which remain intact longer when cooled.  Similarly, the cold boot attack, at Microsoft’s prompting, was addressed in the computers’ BIOS to plug the hole for BitLocker.  A modern computer that uses BitLocker and is configured to TPM-Autoboot, as Microsoft promotes for usability, will have the keys automatically loaded into memory without user authentication if an attacker finds it, and just turns it on.  And therein lies the issue.

The historical cold boot attack had the attacker boot into a USB memory stick by causing a power reset, and then scrape the BitLocker keys from the memory.  To defend against malicious reset attacks, BitLocker leverages the TCG Reset Attack Mitigation, also known as MOR bit (Memory Overwrite Request).  With this BIOS feature on, if Windows crashes or shuts down abnormally, or is platform reset with the BitLocker keys still in memory, the BIOS will overwrite the keys before allowing the USB to boot.  That way they will not be in memory for the attacker’s software to find them.

The problem is, the discovered weakness disables that protection.  According to F-secure, “The attack exploits the fact that the firmware settings governing the behavior of the boot process are not protected against manipulation by a physical attacker.  Using a simple hardware tool, an attacker can rewrite the non-volatile memory chip that contains these settings, disable memory overwriting, and enable booting from external devices. The cold boot attack can then be carried out by booting a special program off a USB stick.”

In my view, the core of the problem is NOT the firmware and hardware platform’s implementation of the TCG Reset Attack Mitigation, but the very idea that keys be loaded automatically into memory without authentication.  Once the key is in memory, the security of the system is reliant on the operating environment which includes the OS, OS-present software, firmware and hardware which is a huge attack surface, and provides orders of magnitude less protection than an encrypted system with proper pre-boot authentication (PBA) in place.

So what can organizations do to protect against a cold boot attack? 

For one, consider implementing security solutions that include the user-based Pre-Boot Authentication on top of BitLocker.  PBA prevents anything being read from the drive, such as the operating system, BEFORE the user has confirmed they have the correct password or other credentials.  It’s a necessary component to fully achieve the confidentiality (and compliance) that full disk encryption is capable of providing.  

For an added layer of security, disable sleep capability on devices.  Implement strict policies that force users to either shut down or hibernate before leaving a laptop unattended. 

About the Author

Garry McCracken is vice president of technology at WinMagic. He has more than 30 years of experience in data communications and information security. Prior to working at WinMagic, Garry was vice president at Kasten Chase, where he played a key role in assuring the company's compliance with strict security standards.

Featured

  • Report: 1 in 3 Easily Exploitable Vulnerabilities Found on Cloud Assets

    CyCognito recently released new research highlighting critical security vulnerabilities across cloud-hosted assets, revealing that one in three easily exploitable vulnerabilities or misconfigurations are found on cloud assets. As organizations increasingly shift to multi-cloud strategies, the findings underscore significant security gaps that could provide attackers with potential footholds into networks. Read Now

  • Built for Today, Ready for Tomorrow

    Selecting the right VMS is critical for any organization that depends on video surveillance to ensure safety, security and operational efficiency. While many organizations focus on immediate needs such as budget and deployment size, let us review some of the long-term considerations that can significantly impact a VMS's utility and flexibility. Read Now

  • Paving the Way to Smart Buildings

    In today's rapidly evolving security landscape, the convergence of on-prem, edge and cloud technologies are critical. The physical security landscape is undergoing a profound transformation, driven by the rapid digitalization of buildings and the evolving needs of modern organizations. As the buildings sector pivots towards smart, AI and data-driven operations, the integration of both edge and cloud technology has become crucial. Read Now

  • The Cybersecurity Time Bomb

    If you work in physical security, you have probably seen it: a camera, access control system, or intrusion detection device installed years ago, humming along without a single update. It is a common scenario that security professionals have come to accept as "normal." But here is the reality: this mindset is actively putting organizations at risk. Read Now

  • Deploying in a Hybrid, Cloud Environment

    The way organizations manage access control is evolving. Traditional on-premises systems come with high IT and server requirements. At the same time, fully cloud-based solutions may not meet the needs of every facility. Read Now

New Products

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises.

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.