New Kids On The Block: Understanding Cold Boot Attacks

Written by ensarseker1 | Published 2021/01/19

TLDR A cold boot attack is a type of side-channel attack in which an attacker with physical access to a computer performs a memory dump of the computer’s random access memory by performing a hard reset of the target machine. Researchers have discovered a new technique for stealing sensitive data on computers and will detail how cold-start attacks can use computer firmware to recover passwords, credit card numbers, and other sensitive information stored in memory. Cold boot attacks can be used when a hard drive is encrypted with full disk encryption.

In computer security, a cold boot attack is a type of side-channel attack in which an attacker with physical access to a computer performs a memory dump of a computer’s random access memory by performing a hard reset of the target machine.

Security researchers have discovered a new technique for stealing sensitive data on computers and will detail how cold-start attacks can use computer firmware to allow attackers to recover passwords, credit card numbers, and other sensitive information stored in them.
As has been known since 2008, cold-start attacks on encryption keys allow an attacker with physical access to a machine to steal the computer’s encryption key, which remains briefly in memory after a hard reboot.
The new cold start attack technique differs from the traditional cold start attack, which was developed in 2008 and allows attackers to steal the short-lived information that remains on a computer before it is shut down.
The primary function of a cold-start attack is to obtain an encryption key from the user’s device by extracting data from RAM before the machine boots.
This reduces the probability that an attacker is theoretically able to retrieve the encryption keys from memory before executing the cold boot attacks.
Cold boot attacks on hard drives: when a hard drive is encrypted with full disk encryption, a cold boot attack is the way in; for hard drives that are not fully encrypted, or that potentially contain evidence of criminal activity, a cold boot attack may or may not be required.
Cold-start attacks can also be used in digital forensics to preserve the contents of memory as evidence, for example in criminal investigations.
In fact, this technique allows encryption keys to be extracted from memory, and cold boot attacks can be used when a hard drive is encrypted with full disk encryption.
This reduces the likelihood that the attacker can retrieve the encryption key from memory before executing a cold-start attack.
If an attacker captures the key with a cold boot or similar attack, they hold the “key to the kingdom” for a long time, even if the encryption of the phone is disabled.
It reduces the likelihood that attackers can retrieve the keys in memory and the likelihood that they will be able to execute the Cold-Boot attack on a phone.
Cold-boot restrictions on modern computers make these attacks less effective than they were a decade ago, and there would be no reliable way to decrypt a lost or stolen computer.
Here’s the good news: cold-boot attacks are not a trivial type of exploit. They require special hardware and tools to work, which means they are not trivial to carry out.
Operating systems and chipmakers added mitigation against cold attacks 10 years ago, and F-Secure researchers have found a way to bring them back from the dead.
But companies have difficulty finding reliable ways to prevent or block them, even against an attacker with the right expertise. The company configures its laptops so that an attacker who uses a cold boot attack on a stolen hard drive, or even a stolen computer, finds nothing.
Consider Cold Boot Attacks on Encryption Keys, presented at the IEEE International Conference on Secure Computing and Security (ICS) 2015 in San Francisco, California, USA, in 2008.
This research paper describes how the key used to encrypt a computer’s data (e.g. passwords) can be obtained by a cold-start attack. The paper, titled “That you do not remember: Cold Encrypted Keys”, describes a method for recovering the information stored in memory and a solution to the problem.
In a nutshell, cold boot attacks use the DRAM remanence effect to recover cryptographic keys from memory. If the encryption key is stored in the computer’s memory while the computer is hibernating, there is no chance for attackers to steal valuable information, and the data remains on a chip that is kept at a low temperature.
This reduces the chances that the attacker can retrieve the key from memory and perform a cold boot attack on a phone. Data recovery is not possible if attackers gain physical access to the system; they could still perform successful cold boot attacks on computers configured for this purpose, but because the chips are kept at low temperatures, no data is preserved.
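The remanence effect only matters if the key is still sitting in RAM when the machine is reset, so the software-side mitigation is to wipe key material the moment it is no longer needed, and to do so in a way the compiler cannot silently drop (a plain `memset` on a buffer that is about to go out of scope is a dead store and is often removed by the optimizer). The following C program is an added example written for this article, not code from the author or from the paper it discusses; the helper names `secure_wipe`, `has_residue` and `key_lifecycle_wipes_key` are hypothetical, and the 16-byte key is a constructed sample value, not a real secret.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Naive wipe: correct in source, but when the buffer is dead afterwards a
 * compiler may legally delete this call, leaving the key in DRAM.
 * (Shown for contrast; do not rely on it for secrets.) */
void naive_wipe(void *buf, size_t len) {
    memset(buf, 0, len);
}

/* Wipe that cannot be dropped as a dead store: each write goes through a
 * volatile pointer, so the stores must actually reach memory. Hypothetical
 * helper for this example; production code would use explicit_bzero(),
 * memset_s() or SecureZeroMemory() where available. */
void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Return 1 if any byte of buf is non-zero, i.e. key material is still
 * resident; 0 if the buffer is entirely zero. Constant-time over len. */
int has_residue(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc != 0;
}

/* Simulate the lifecycle of an in-memory key: load it, "use" it, then wipe
 * it before the buffer goes out of scope. Returns 1 if the key was present
 * before the wipe and no residue remains after it, 0 otherwise. */
int key_lifecycle_wipes_key(void) {
    unsigned char key[16];
    /* Constructed sample AES-128-sized key; in practice this comes from a
     * KDF or a hardware key store, never from a literal. */
    static const unsigned char sample_key[16] = {
        0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
        0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
    };
    memcpy(key, sample_key, sizeof key);

    int before = has_residue(key, sizeof key); /* expected 1: key is live */
    /* ... key would be used for encryption/decryption here ... */
    secure_wipe(key, sizeof key);
    int after = has_residue(key, sizeof key);  /* expected 0: wiped */

    return before == 1 && after == 0;
}

int main(void) {
    if (key_lifecycle_wipes_key()) {
        printf("key wiped from memory before buffer release\n");
        return 0;
    }
    printf("key residue detected\n");
    return 1;
}
```

The volatile-pointer loop is the portable fallback; on platforms that provide `explicit_bzero` (BSD, glibc 2.25+), `memset_s` (C11 Annex K) or `SecureZeroMemory` (Windows), prefer those, since they carry the same guarantee with better-vetted implementations. Wiping on the software side complements the firmware-level mitigations the article mentions (clearing RAM at reset) and does not replace them: a key that is needed while the system is running is necessarily in memory during that window.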


Written by ensarseker1 | Security Researcher
Published by HackerNoon on 2021/01/19