There are a number of ways to secure the important data on your system, like a strong system login password, encrypting the file(s) or storing them online. Before going deep, let’s have a look at your system. Whenever you log in to your system, it requires you to verify that it’s really YOU with the password you set up in the OS, right? That’s one of the basics of security and, of course, very essential as a basic layer of protection for your data and privacy.
Now, think of a situation where your laptop gets stolen. It had password protection in the system. Your system requires a password to enter, so no need to worry about that, right? Wrong! In fact, for stealing your important data like the login password, your laptop doesn’t even have to be stolen. Two minutes of access is more than enough!
Ladies and gentlemen, welcome to the reality of cold-boot attack!
This is a type of side-channel attack that requires physical access to the machine. It relies on the physical behavior of the system’s RAM (data remanence) to extract sensitive information, including encryption keys, even after power is lost.
The attack exploits a weakness in how computers protect the low-level firmware that is responsible for all interactions with the RAM.
RAM is volatile memory that loses all its data without power, right? If you cool the RAM down fast enough, it keeps holding that data for minutes! That’s what security researchers figured out, and they demonstrated just how deadly this cold-boot attack is.
Early protection against cold-boot
The “cold-boot” side-channel attack has been around for years. As it requires physical access, ordinary users aren’t the usual target of the crooks; high-value persons are. Despite this fact, computer manufacturers made sure to implement a protection against it.
The “Trusted Computing Group”, a consortium formed by AMD, Intel, IBM, HP (Hewlett-Packard) and Microsoft, decided to have the RAM contents overwritten when the computer powers back up. This specification is widely known as MORLock (Memory Overwrite Request Control).
MORLock is DEAD!
Pasi Saarinen and Olle Segerdahl, two security researchers from F-Secure, found a way to reprogram the non-volatile part of the memory chips (the part containing the overwrite instructions). Thus, they were able to disable the overwrite and enable booting from an external USB device to analyze the RAM and extract information from it.
For this attack to work, the computer needs to be in sleep mode. Hibernation and shutdown securely erase the information from the RAM, so the attack isn’t effective against them. In sleep mode, the computer is suspended to RAM, which leaves its contents for the crook to work with.
Time is crucial
Here’s a short demo of how the attack works.
The critical timing is the window between powering off the machine and waking it up again. Using the freezing technique, the RAM retains all its information through that window. Thus, the attacker is able to boot into a live OS from a USB stick and read it out.
The technique can steal any data in the computer’s memory, including HDD encryption keys!
In the case of Windows, BitLocker is the HDD encryption tool. However, despite the fact that BitLocker is a powerful solution, it still falls victim to the cold-boot side-channel attack. Here’s a demo of how the security researchers even broke BitLocker.
Protection against the attack
Now, defending against such an attack is possible with the currently available methods. Make sure that you follow them properly.
- Enable a BIOS password. Whenever someone wants to boot into a live OS, he has to go through the boot menu. Password-protect your boot menu so that even if someone gets hold of your system, he won’t have the means to boot into the specially crafted live OS.
- Whenever your work is complete, shut down or hibernate your system. Do NOT put your computer in sleep mode.
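As an added example (my own, not from the original post or the F-Secure researchers), here is how you can make the second tip stick on a Windows laptop with the built-in powercfg tool, so that closing the lid or leaving the machine idle hibernates it instead of sleeping. It assumes an elevated (Administrator) PowerShell prompt and firmware that supports hibernation (S4).

```powershell
# Added example, not from the original post: enforce "hibernate, never sleep"
# on a Windows laptop with powercfg, then show the resulting settings.
# Assumes an elevated (Administrator) PowerShell prompt; powercfg is built in.

function Set-HibernateInsteadOfSleep {
    # Make sure hibernation is available (creates hiberfil.sys on disk).
    powercfg /hibernate on

    # Lid close, power button and sleep button: 2 = Hibernate
    # (0 = Do nothing, 1 = Sleep, 2 = Hibernate, 3 = Shut down),
    # on both mains (AC) and battery (DC).
    foreach ($action in 'LIDACTION', 'PBUTTONACTION', 'SBUTTONACTION') {
        powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS $action 2
        powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS $action 2
    }

    # Never sleep after idle time (0 = never), on mains and battery.
    powercfg /change standby-timeout-ac 0
    powercfg /change standby-timeout-dc 0

    # Hibernate after 15 minutes idle instead, so an unattended laptop
    # ends up with its RAM powered off rather than suspended to RAM.
    powercfg /change hibernate-timeout-ac 15
    powercfg /change hibernate-timeout-dc 15

    # Re-apply the current power scheme so the changes take effect.
    powercfg /setactive SCHEME_CURRENT
}

function Show-SleepSettings {
    # Which sleep states the firmware/OS offer (S3 = sleep, S4 = hibernate).
    powercfg /a
    # Current lid-close action for AC and DC (expect index 2 = Hibernate).
    powercfg /query SCHEME_CURRENT SUB_BUTTONS LIDACTION
}

Set-HibernateInsteadOfSleep
Show-SleepSettings
```

The BIOS/UEFI password from the first tip still has to be set in the firmware setup menu; no OS-level script can do that for you.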
Pretty simple, right? Another quick tip – don’t leave your laptop in a public place.
Stay secure and enjoy!