Friday, May 2, 2008

Cold-Boot Attack


In cryptography, a cold boot attack is a type of side channel attack in which an attacker with physical access to a computer is able to retrieve encryption keys from a running operating system by cold booting the machine.[1] The attack relies on the data remanence property of DRAM static random access memory[2] to retrieve memory contents seconds to minutes after power has been removed. The time window for an attack can be extended to hours by cooling the memory modules. Furthermore, as the bits disappear in memory over time, they can be reconstructed, as they fade away in a predictable manner.[1]

The attack has been demonstrated to be effective against full disk encryption schemes of various vendors and operating systems, even where a Trusted Platform Module (TPM) secure cryptoprocessor is used.[1] This is because the problem is fundamentally a hardware (memory) and not a software issue. While the focus of current research is on disk encryption, any sensitive data held in memory are vulnerable to the attack.[1]

One mitigation is not to use sleep mode and to shut down a computer completely instead.[3][4] However a pre-boot PIN or password may also be required to prevent an attacker booting the normal operating system before launching the attack in the scenario where a machine is already turned off. "Notably, using BitLocker with a Trusted Platform Module (TPM) sometimes makes it less secure, allowing an attacker to gain access to the data even if the machine is stolen while it is completely powered off".[1]

Please check out the video below from U of Princeton.