The Cold Boot Attack is Back – How can Your Organization Protect Itself?

The Cold Boot Attack is Back – How can Your Organization Protect Itself?

What can organizations do to protect against a cold boot attack?

You may have seen in a recent article from the researchers at F-secure that they’ve recently uncovered a weakness in modern computers which attackers can exploit to steal encryption keys and other sensitive data.  This vulnerability enables hackers to perform a cold boot attack.

What is a cold boot attack?  It’s an attack going back a decade or more.  As defined by Wikipedia sources, “In cryptography, a cold boot attack (or to a lesser extent, a platform reset attack) is a type of side channel attack in which an attacker with physical access to a computer is able to retrieve encryption keys from a running operating system after using a cold reboot to restart the machine.  The attack relies on the data remanence property of DRAM and SRAM to retrieve memory contents that remain readable in the seconds to minutes after power has been removed.”

With regards to PCs, Microsoft has said the Cooled RAM attack, an earlier variant of this, is not relevant anymore because it is too difficult to remove memory chips in modern computers to access the contents which remain intact longer when cooled.  Similarly, the cold boot attack, at Microsoft’s prompting, was addressed in the computers’ BIOS to plug the hole for BitLocker.  A modern computer that uses BitLocker and is configured to TPM-Autoboot, as Microsoft promotes for usability, will have the keys automatically loaded into memory without user authentication if an attacker finds it, and just turns it on.  And therein lies the issue.

The historical cold boot attack had the attacker boot into a USB memory stick by causing a power reset, and then scrape the BitLocker keys from the memory.  To defend against malicious reset attacks, BitLocker leverages the TCG Reset Attack Mitigation, also known as MOR bit (Memory Overwrite Request).  With this BIOS feature on, if Windows crashes or shuts down abnormally, or is platform reset with the BitLocker keys still in memory, the BIOS will overwrite the keys before allowing the USB to boot.  That way they will not be in memory for the attacker’s software to find them.

The problem is, the discovered weakness disables that protection.  According to F-secure, “The attack exploits the fact that the firmware settings governing the behavior of the boot process are not protected against manipulation by a physical attacker.  Using a simple hardware tool, an attacker can rewrite the non-volatile memory chip that contains these settings, disable memory overwriting, and enable booting from external devices. The cold boot attack can then be carried out by booting a special program off a USB stick.”

In my view, the core of the problem is NOT the firmware and hardware platform’s implementation of the TCG Reset Attack Mitigation, but the very idea that keys be loaded automatically into memory without authentication.  Once the key is in memory, the security of the system is reliant on the operating environment which includes the OS, OS-present software, firmware and hardware which is a huge attack surface, and provides orders of magnitude less protection than an encrypted system with proper pre-boot authentication (PBA) in place.

So what can organizations do to protect against a cold boot attack? 

For one, consider implementing security solutions that include the user-based Pre-Boot Authentication on top of BitLocker.  PBA prevents anything being read from the drive, such as the operating system, BEFORE the user has confirmed they have the correct password or other credentials.  It’s a necessary component to fully achieve the confidentiality (and compliance) that full disk encryption is capable of providing.  

For an added layer of security, disable sleep capability on devices.  Implement strict policies that force users to either shut down or hibernate before leaving a laptop unattended. 

About the Author

Garry McCracken is vice president of technology at WinMagic. He has more than 30 years of experience in data communications and information security. Prior to working at WinMagic, Garry was vice president at Kasten Chase, where he played a key role in assuring the company's compliance with strict security standards.

Featured

New Products

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation.

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file.