Lest We Remember: Cold Boot Attacks on Encryption Keys

Just in case you haven't already read about this... Some researchers from Princeton have published a paper about methods which can be used to attack full-disk-encryption (FDE) schemes.

They have demonstrated that at least BitLocker (Windows Vista), FileVault (Mac OS X) and dm-crypt (Linux) are vulnerable to this type of (partly hardware-based) attack. Quite likely many other similar solutions are vulnerable as well.

The main problem is that (contrary to popular belief) RAM does indeed retain its data for a non-trivial amount of time after power is cut (seconds, even minutes or hours if it's cooled down enough), so you can mount some new attacks such as:

  • Get physical access to the laptop/computer, cut power to it (the hard way), reboot with a special live CD or USB thumb drive and some special software which dumps the RAM contents to an external disk (or sends it via network). As the RAM contents are still there a few seconds after the power is cut, this works astonishingly well.
  • Get physical access to the laptop/computer, open it, remove the RAM DIMMs while the computer is running, insert them into your own prepared computer and read the RAM contents using some special software.

Yes, all attacks assume that the attacker has physical access to your PC/RAM, in which case you already have several other problems. Still, the new thing about this is that even full-disk-encryption doesn't help much in some cases. You probably shouldn't depend too much on it (but you shouldn't stop using disk encryption either, of course!).

Full paper: coldboot.pdf. There are also some demo videos and pictures.

More coverage at Boing Boing, Bruce Schneier's weblog, Freedom to Tinker, Slashdot, Heise (German), and many more...

Make sure to read the comments of the various articles for more scenarios and possible ideas for how to prevent such attacks. Some ideas include enabling the BIOS RAM checks (which might explicitly erase RAM contents on reboot; that doesn't help in all cases, though) or using coreboot (previously LinuxBIOS) to erase RAM contents at boot-up and/or shutdown.
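The firmware-level mitigations above erase all of RAM; the software-level complement is to make sure key material is wiped from RAM as soon as it is no longer needed (before suspend, before shutdown, when a volume is closed). The following is an added example and not code from the paper or from any of the disk-encryption projects mentioned; the function names `secure_zero`, `is_zeroed` and `demo_wipe_key` are this example's own. Its point is the caveat a practitioner runs into: a plain `memset()` right before the buffer dies is a dead store that compilers routinely delete, so the key stays in RAM for exactly the kind of dump described above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Zero a buffer in a way the compiler must not optimize away.
 * Writing through a volatile pointer forces every store to happen;
 * the empty asm with a "memory" clobber keeps the stores from being
 * reordered past or dropped at the end of the function.
 * Where the platform offers explicit_bzero() or memset_s(), prefer those. */
void secure_zero(void *buf, size_t len)
{
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--) {
        *p++ = 0;
    }
#if defined(__GNUC__) || defined(__clang__)
    __asm__ __volatile__("" : : "r"(buf) : "memory");
#endif
}

/* Returns 1 if every byte of buf is zero, 0 otherwise.
 * OR-accumulating avoids an early exit, so the check itself
 * does not leak where the first non-zero byte sits. */
int is_zeroed(const void *buf, size_t len)
{
    const uint8_t *p = (const uint8_t *)buf;
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= p[i];
    }
    return acc == 0;
}

/* A 256-bit key lives in RAM only while it is needed and is wiped
 * before the memory holding it goes out of scope. The key value
 * here is a constructed stand-in, not a real key. */
int demo_wipe_key(void)
{
    uint8_t key[32];
    memset(key, 0xA5, sizeof key);
    /* ... the key would be used for encryption here ... */
    secure_zero(key, sizeof key);
    return is_zeroed(key, sizeof key);
}

int main(void)
{
    printf("key wiped: %d\n", demo_wipe_key());
    return 0;
}
```

This only narrows the window; a key that is in use (for example the dm-crypt master key while a volume is mounted) must stay in RAM, which is exactly why the attack works against a running or suspended machine.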

It's a highly non-trivial issue, though; there's no easy and complete fix so far. The only sure way is to not have your laptop or PC stolen and to not give attackers physical access to your computers.



So the general procedure (if you really wanted to be sure that you obtained the data) would be:

1. Manage to steal the computer while it's on.
2. For safety's sake, super-cool it.
3. Get some special software written to grab the info from the RAM.
4. Steal the contents from the RAM, and hope that you get something of value.

Guess I shouldn't be too worried unless I run the FBI, or some other highly secure position.

Cold boot attacks

Sort of. You can either steal the computer/laptop or you can just quickly open it and perform the procedure while the owner is not watching. On a PC this takes only a few minutes; on laptops it's usually a bit more complicated, but on many models it's also just a matter of minutes... Given how many people I see who are stupid enough to leave their laptops unattended in public places while they go for a smoke etc., this attack scenario is definitely easily doable.

Super-cooling is optional, but nice. Also, it's easy and cheap — a can of duster spray or a cooling spray costs $5-$10 (7 Euros in Germany).

Special software is (a) not required, as it's publicly available, and (b) easy to write anyway (I've done just that for a proof of concept).

You can thus easily get a full dump of all RAM contents of the victim, and trust me, there is lots of sensitive or otherwise important data in there! Lots.

So yes, you should be worried if you ask me. This is no highly hypothetical attack, it's relatively easily doable in practice. My suggestion to everyone is to make very sure that nobody gains physical access to any of your PCs/laptops EVER. At the very least, never leave your laptop unattended in public places...