The Cold Boot Attack is Back – How can Your Organization Protect Itself?

The Cold Boot Attack is Back – How can Your Organization Protect Itself?

What can organizations do to protect against a cold boot attack?

You may have seen in a recent article from the researchers at F-secure that they’ve recently uncovered a weakness in modern computers which attackers can exploit to steal encryption keys and other sensitive data.  This vulnerability enables hackers to perform a cold boot attack.

What is a cold boot attack?  It’s an attack going back a decade or more.  As defined by Wikipedia sources, “In cryptography, a cold boot attack (or to a lesser extent, a platform reset attack) is a type of side channel attack in which an attacker with physical access to a computer is able to retrieve encryption keys from a running operating system after using a cold reboot to restart the machine.  The attack relies on the data remanence property of DRAM and SRAM to retrieve memory contents that remain readable in the seconds to minutes after power has been removed.”

With regards to PCs, Microsoft has said the Cooled RAM attack, an earlier variant of this, is not relevant anymore because it is too difficult to remove memory chips in modern computers to access the contents which remain intact longer when cooled.  Similarly, the cold boot attack, at Microsoft’s prompting, was addressed in the computers’ BIOS to plug the hole for BitLocker.  A modern computer that uses BitLocker and is configured to TPM-Autoboot, as Microsoft promotes for usability, will have the keys automatically loaded into memory without user authentication if an attacker finds it, and just turns it on.  And therein lies the issue.

The historical cold boot attack had the attacker boot into a USB memory stick by causing a power reset, and then scrape the BitLocker keys from the memory.  To defend against malicious reset attacks, BitLocker leverages the TCG Reset Attack Mitigation, also known as MOR bit (Memory Overwrite Request).  With this BIOS feature on, if Windows crashes or shuts down abnormally, or is platform reset with the BitLocker keys still in memory, the BIOS will overwrite the keys before allowing the USB to boot.  That way they will not be in memory for the attacker’s software to find them.

The problem is, the discovered weakness disables that protection.  According to F-secure, “The attack exploits the fact that the firmware settings governing the behavior of the boot process are not protected against manipulation by a physical attacker.  Using a simple hardware tool, an attacker can rewrite the non-volatile memory chip that contains these settings, disable memory overwriting, and enable booting from external devices. The cold boot attack can then be carried out by booting a special program off a USB stick.”

In my view, the core of the problem is NOT the firmware and hardware platform’s implementation of the TCG Reset Attack Mitigation, but the very idea that keys be loaded automatically into memory without authentication.  Once the key is in memory, the security of the system is reliant on the operating environment which includes the OS, OS-present software, firmware and hardware which is a huge attack surface, and provides orders of magnitude less protection than an encrypted system with proper pre-boot authentication (PBA) in place.

So what can organizations do to protect against a cold boot attack? 

For one, consider implementing security solutions that include the user-based Pre-Boot Authentication on top of BitLocker.  PBA prevents anything being read from the drive, such as the operating system, BEFORE the user has confirmed they have the correct password or other credentials.  It’s a necessary component to fully achieve the confidentiality (and compliance) that full disk encryption is capable of providing.  

For an added layer of security, disable sleep capability on devices.  Implement strict policies that force users to either shut down or hibernate before leaving a laptop unattended. 

About the Author

Garry McCracken is vice president of technology at WinMagic. He has more than 30 years of experience in data communications and information security. Prior to working at WinMagic, Garry was vice president at Kasten Chase, where he played a key role in assuring the company's compliance with strict security standards.


  • Live From ISC West: Day 2 Recap

    If it’s even possible, Day 2 of ISC West in Las Vegas, Nevada, was even busier than the first. Remember to keep tabs on our Live From ISC West page for news and updates from the show floor at the Venetian, because there’s more news coming out than anyone could be expected to keep track of. Our Live From sponsors—NAPCO Security, Alibi Security, Vistacom, RGB Spectrum, and DoorKing—kept the momentum from Day 1 going with packed booths, happy hours, giveaways, product demonstrations, and more. Read Now

    • Industry Events
    • ISC West
  • Visiting Sin City

    I’m a recovering alcoholic, ten years sober this June. I almost wrote “recovered alcoholic,” because it’s a problem I’ve long since put to bed in every practical sense. But anyone who’s dealt with addiction knows that that part of your brain never goes away. You just learn to tell the difference between that insidious voice in your head and your actual internal monologue, and you get better at telling the other guy to shut up. Read Now

  • On My Way Out the Door

    To answer that one question I always get, at every booth visit, I have seen amazing product technology, solutions and above all else, the people that make it all work. Read Now

    • Industry Events
    • ISC West
  • Return to Form

    My first security trade show was in 2021. At the time, I was awed by the sheer magnitude of the event and the spectacle of products on display. But this was the first major trade show coming out of the pandemic, and the only commentary I heard was how low the attendance was. Two representatives from one booth even spent the last morning playing catch in the aisle with their giveaway stress balls. Read Now

    • Industry Events
    • ISC West

Featured Cybersecurity

New Products

  • PDK IO Access Control Software

    PDK.IO Access Control Software

    ProdataKey now allows for "custom fields" within the interface of its software. Custom fields increase PDK's solutions' overall functionality by allowing administrators to include a wide range of pertinent data associated with each user. 3

  • Tyco Kantech EntraPass security management software

    Tyco Kantech EntraPass security management software

    Johnson Controls, the global leader in smart, healthy and sustainable buildings, and architect of the Open Blue digital connected platforms, has released the newest version of the Tyco Kantech EntraPass security management software. 3

  • Unique Oversized ID Card Printer

    Unique Oversized ID Card Printer

    Idesco Corp. is announcing its card printer – the XCR100 2.0 printer- that allows customers to personalize oversized ID cards on demand. The printer is ideal for assisting healthcare organizations find the right badging solution. As healthcare facilities continue to combat the spread of COVID-19, issuing oversized ID cards has helped identify staff clearly while adding an extra layer of security. The XCR100 2.0 printer is the only dye-sublimation printer on the market that can personalize CR100 cards (3.88" x 2.63"). The cards that are 42% larger than the standard credit card size. The printer can produce up to 180 full cards per hour in color, and up to 1,400 cards per hour in monochrome. An optional flipper is available to print dual-sided badges in one pass. Contactless encoding comes as an option to help healthcare facilities produce secure access badges on demand and the card printer features a 2-year warranty. 3