COLD BOOT ATTACKS

IN TODAY’S TALK
• The News
• Cold Boot Attack
• Characterizing Remanence Effects
• How the attack is performed
• Mitigation
• The newer Version of Attack
• Conclusions
THE NEWS
o In Sept 2018 the security analysts revealed a new
attack to steal encryption keys, passwords and other
sensitive information stored on most modern
computer systems, even with full disk encryption

o This attack is a new version of the traditional Cold

Boot Attack
COLD BOOT ATTACK

• Exploits the remanence property of RAM

• Computer’s memory is not erased almost
immediately when it loses power.
• Ordinary RAMs typically lose their
contents gradually over a period of seconds
• Data can persist for minutes or even hours if
the chips are kept at low temperatures
AFFECTS OF COOLING
ON ERROR RATE

Facilitates
potential
attacks for
theft of
sensitive
information
A DRAM is essentially a capacitor and over a
period of time, it will loose its state as the
charge will leak
AFTER 5 SECONDS
AFTER 30 SECONDS
AFTER 60 SECONDS
AFTER 5 MINUTES
 HOW THE
ATTACK IS
PERFORMED
Before powering off the computer spray an upside-down canister of
multipurpose duster directly onto the memory chips, cooling them to
- 50˚C
 MITIGATION FOR COLD BOOT
ATTACKS
• Trusted Computing Group (TCG) provided a
solution
• in this fix the system memory is simply
overwritten by the BIOS
• The specification is called TCG Reset Attack
Mitigation or MORLock (Memory Overwrite
Request Control).
TCG RESET ATTACK
MITIGATION OR MORLOCK
THE NEW VERSION OF ATTACK
Clearing
MOR bit
enables
reboot
without
clearing
the
RAM
 COUNTER MEASURES
 Either hibernate or shutdown (avoid sleep mode) their
computers
 Configure the system to enter the Bitlocker PIN
whenever the system is powered up or restored.
 Keep Laptops physically safe and report a missing
device
 Develop an incident response plan for dealing with the
missing device