not losing sleep over the cold boot attack

The recent “cold boot” or “memory remanence” attack against keys stored in RAM (particularly against FDE vendors) has gotten good publicity, including in the mainstream media. I passed along information to my team, and it then went all the way up to the top of my organization, partly because we’re just about to roll out an FDE product. What did I recommend or say?

I quickly (2 paragraphs) and in mostly non-technical terms described the attack. Then, in a small FAQ-style section, I explained that we are not at much risk from this attack. Memory dumping is not new, nor is memory dumping from recently powered-off memory. Can Joe down the street do it? No. Would Jess, after lifting your laptop from the airport queue line, crouch in a corner to start freezing your memory? No. Even if tools became available to boot a laptop to USB and quickly dump memory for offline scraping/cracking, this is still not a huge problem.

Bottom line: Is this something that an average computer (laptop) user or average corporate user should care about? Seriously, no.

This sort of attack would be of interest to government units, defense contractors, and others who might be subjected to targeted, highly motivated, and decently funded attackers. National or major corporation espionage comes to mind. This attack is also of interest to us security geeks. Not only is it cool, but it keeps us thinking outside the box. It also keeps vendors honest and working towards better security.

What mitigations are there?

Reduce laptop theft risk.
Power off the laptop when it is not in use.
Don’t keep valuable data on mobile devices.
Use advanced multi-factor authentication.
Enforce proper password complexity and age requirements.
Limit booting from removable devices or use a BIOS password.

None of these steps should be very new to organizations, and certainly not to any organization that should care about the cold boot attack. All of the above steps should take much higher priority for all of us.
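
As an added example (not from the original post), here is a PowerShell audit that checks a Windows laptop against the configurable items in the list above: sleep/hibernate availability, pre-boot authentication on the BitLocker OS volume, and local password policy. It assumes Windows 8 or later with the BitLocker PowerShell module present and an elevated prompt; the length and age thresholds are illustrative choices, not values from the post.

```powershell
# Added example, not part of the original post: audit a Windows laptop against
# the mitigation list above. Assumes Windows 8+ with the BitLocker PowerShell
# module, run elevated. Thresholds (12 chars, 90 days) are illustrative.
$findings = New-Object System.Collections.Generic.List[string]

# "Power off the laptop when it is not in use": sleep keeps the FDE key in RAM
# and hibernate stages it on disk. powercfg lists the available states first,
# then the "not available" ones, so only inspect the first section.
$powerStates = (powercfg /a | Out-String)
$availableStates = ($powerStates -split 'not available')[0]
if ($availableStates -match 'Standby|Hibernate') {
    $findings.Add('Sleep/hibernate states are enabled; lid-close likely suspends rather than powers off.')
}

# "Use advanced multi-factor authentication": a TPM-only protector releases the
# OS volume key at boot with no user secret, so require a PIN or startup key.
$protectors = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector.KeyProtectorType
if (-not $protectors) {
    $findings.Add('System drive has no BitLocker key protectors (not encrypted).')
} elseif (($protectors -join ',') -notmatch 'Pin|StartupKey') {
    $findings.Add("OS volume protectors are '$($protectors -join ', ')'; no pre-boot PIN or startup key.")
}

# "Enforce proper password complexity and age requirements": export the local
# security policy and read its password settings (MaximumPasswordAge -1 = never).
$policyFile = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $policyFile | Out-Null
$policy = Get-Content $policyFile | Out-String
Remove-Item $policyFile -ErrorAction SilentlyContinue
function Get-PolicyValue($name) {
    if ($policy -match "(?m)^$name\s*=\s*(-?\d+)") { [int]$Matches[1] } else { $null }
}
if ((Get-PolicyValue 'PasswordComplexity') -ne 1) { $findings.Add('Password complexity is not enforced.') }
if ((Get-PolicyValue 'MinimumPasswordLength') -lt 12) { $findings.Add('Minimum password length is below 12.') }
$maxAge = Get-PolicyValue 'MaximumPasswordAge'
if ($null -eq $maxAge -or $maxAge -eq -1 -or $maxAge -gt 90) {
    $findings.Add("Maximum password age is $maxAge days (expected 1-90).")
}

# "Limit booting from removable devices or use a BIOS password": boot order and
# firmware passwords are not readable from Windows, so always flag for manual review.
$findings.Add('Verify in firmware setup: USB/optical boot disabled and a setup password set.')

$findings | ForEach-Object { Write-Output "FINDING: $_" }
```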

I don’t follow Bruce Schneier as much as I used to, but I do believe he has a good point when he talks about how badly humans evaluate and react to risk. We see risk and get all dramatic when it comes to low-probability but exotic issues, yet ignore common issues that wouldn’t make a Hollywood movie script. This attack is exotic and not common.

2 thoughts on “not losing sleep over the cold boot attack”

  1. OK, your post is a bit comical.
    I can imagine the guy stooping down freezing chips with a can of air he’s not allowed through security with.
    On the other hand, with a well-designed boot USB stick, the power off and on can and does leave traces and also some important info. Just dump one once and see for yourself: on OS X, the user’s password is left in RAM, and the key for FileVault must stay there as well. And with Windows, BitLocker is not quite as effective, as its key is there too, if you know how to get it.
    Michael, you are making business decisions as to the importance of data and the need to protect that data; this is NOT the role of a security professional. You should be speaking with all stakeholders. Don’t downplay an exploit; let the people that are RESPONSIBLE for the data and all Intellectual Property make a well-informed decision.
    Quit trying to get out of doing extra research and adding extra security measures.
    Have you never heard of someone Social Engineering their way into a company and lifting laptops? Or, even better, just sitting as a new employee waiting for someone to go to lunch, then walking by, doing a quick cold boot, then walking away until they can analyze the data, extract passwords, then access the machine at the next available time slot without your CEO ever knowing his laptop was touched.
    Or better yet, during the cold boot attack dump all hashes… via Metasploit, and then leave a backdoor server running after hiding it from scanners.
    Or the CFO has something incriminating on his/her machine, be it the typical corporate number game with the IRS or something that, if the financials got out, could destroy the company’s stock value.
    Just a thought: if you think that is an exotic attack, you must not know much with regard to security and how the underground and governments work. There are much more advanced attacks, and anyone with access to the internet and a little skill can pull this attack off with no issues. My 10-year-old nephew built a stick himself and executed the attack on his father’s machine (proof of concept, he had full permission). This kid only knows how to surf the web and play his games well (and of course is pretty good with Google). I said I wanted to try a test and told him to make a USB stick we could boot and run Metasploit along with a memory scraper. He found the right wikis and built it within 2 hours, and had his dad’s bitlocked drive unlocked in around 5 hours; he had to learn how to run the carving tools.
    This is a difficult issue to resolve. Do you really think your bosses will actually power off their machines every time they walk away, and wait for 5 minutes before leaving? I wouldn’t hold my breath.

  2. Thank you for your comment, Keith! I appreciate the detail and discussion!
    A few things to respond to, but I’ll preface by saying this original post was made 1.5 years ago. I’m allowed to change my mind. 🙂
    My post was meant to address only the “new” attack of cold booting by *freezing* RAM so it would linger just long enough to be scraped. My argument is that the freezing of RAM is exotic, and is actually NOT bringing to light anything new that we (geeks) didn’t already know about memory scraping (although it was interesting to see which FDE solutions failed…).
    Let me also move one step forward and say I specifically had in mind (but failed to frame properly in my posts, because the media was filling this all in at the time) that I was concerned about the activity of powering off a system, *removing* the RAM, spraying it to freeze it, then putting the RAM into a system you own and control so that you can scrape it and grab an FDE password so you can own the disk. This would then defeat boot restrictions on the original device. My assumption is that a basic bit of security such as boot limitations was in place. This is also why my examples were as they are, since you need to do the action quickly on a laptop before the battery is dead and the RAM contents lost.
    In reading the rest of your comment, I think my use of “cold boot” as a phrase is misleading today. I did not mean to make any allusion to simply booting a system to a USB stick to do something like dump hashes or install backdoors, which is not (necessarily) limited to memory security. Booting something to a different device or different hardware altogether is an old attack and quite a successful one, indeed.
    1. making business decisions
    I work for an SMB (~500 employees). If you’re familiar with security, I think that frames all you need to know about stakeholders, opinions, recommendations, and business decisions in my situation. I also addressed other points in my post, such as how this *would* in fact be of concern for governments or someone worried about corporate espionage.
    2. cold boot attack vs other memory scraping
    Yes, I have heard of these other methods. In fact, my recommended steps in the original post would be an appropriate response, specifically limiting boot access. The main point of my post (and I see how this may have been missed) was that cold boot (freezing!) memory attacks were *not* necessarily some new-fangled approach to be fretting over. Instead, it was no more important for most people than regular memory or booting issues which have been around for years, decades. I still do have emails of my recommendations, and I specifically made mention to my senior management that this is not new and our current efforts to protect boot and disk integrity were already in place. The only thing this left open to us is the removal of RAM to a different device and scraping it there, which is the exotic part.
    3. extra research and security measures
    Really? You’d say that to a self-professed security geek who works in the trenches and loves this sort of thing? I’m about the opposite of that, both in my personal time and work time!
    4. Lastly, as expected, boot attacks against memory have gained more interest and better automation in the last 1.5 years since my post. I totally expected that, since to believe otherwise is to put too much value in obscurity for security. It’s moved from specialized tools to LiveCDs and now to bootable USBs and even malware to do it on live systems remotely.