80

Today I was watching a video on 'Ethical Hacking' where, while discussing hardware attacks, the narrator said:

Removing RAM or components from a desktop or a laptop

Here's a screenshot: BIZARRE!!!

I understand that removing stuff like storage drives is a security risk but removing RAM? The maximum it can do is slow down the system, but how else is that a security risk?

undo

  • take a look at this answer http://security.stackexchange.com/questions/10643/recover-the-prior-contents-of-ram-from-a-turned-off-pc – Jay May 19 '16 at 11:41
  • also this post is worth a read [Can RAM retain data after removal?](http://security.stackexchange.com/questions/99906/can-ram-retain-data-after-removal) – Bomskie May 19 '16 at 11:44
  • @SGR `removing it while the system is still running` It's no surprise the data wasn't lost. – Steve May 19 '16 at 17:32
  • The first four are actual attacks or actions that are required to perform an attack instead of attack vectors. I'd only consider the 5th element an "attack vector", although that should probably also be rewritten as: "availability of improperly disposed sensitive organizational data". Removing RAM seems to be part of stealing equipment. Not a well written slide. – Maarten Bodewes May 19 '16 at 18:00
  • @SGR: Unrelated, in that case you're removing the instructions, not the RAM. RAM should always hold its values while plugged in, that's not in question. – Mooing Duck May 19 '16 at 20:18
  • If an attacker is in a position where he can remove RAM from a running system, then you've got a lot bigger physical attack vectors to worry about than him trying to read residual data off of RAM. – Johnny May 19 '16 at 20:57
  • If someone removes components so that you can no longer use your computer, do you not consider that an "attack"? – Greenstone Walker May 22 '16 at 23:11
  • It looks like the risk is to lose the actual RAM chips rather than the data they may contain. – xpereta May 24 '16 at 09:52

8 Answers

117

RAM is used to store sensitive non-persistent information in a lot of cases. Encryption keys would be a common example.

Sometimes it is possible to remove RAM and place it into another device to dump the contents - often with the aid of liquid nitrogen.

For more information, see the Wikipedia article for Cold Boot Attack.

Peleus

  • If memory serves, the original paper that introduced this vulnerability showed that you could use a cheap can of compressed air to keep the ram contents without power for up to a minute _(more than enough time to transfer the stick to another computer)_. Using liquid nitrogen kept the contents for hours. – BlueRaja - Danny Pflughoeft May 19 '16 at 17:55
  • @BlueRaja-DannyPflughoeft Yes, there's an 8 minute video about it [here](https://youtu.be/C_VsNYwGM_k?t=9) (possibly NSFW) – Mast May 19 '16 at 20:10
  • If just a can of compressed air really can maintain RAM contents for up to a minute, how long does RAM stay persistent at room temperature? – RockPaperLz- Mask it or Casket May 20 '16 at 00:37
  • @RockPaperLizard Cold RAM will maintain data longer without power. When the computer's running, the computer is using power to maintain the values in the RAM. – Patrick M May 20 '16 at 02:28
  • @RockPaperLizard [The question linked in the comments](http://security.stackexchange.com/questions/99906/can-ram-retain-data-after-removal) has an answer saying it's milliseconds to seconds at room temperature. – Cascabel May 20 '16 at 04:01
  • So, the whole thing about never being able to align the RAM stick the right way around the first time, no matter how carefully you look at it ahead of time, is actually a *security feature*? I'm pretty sure I've never successfully transferred RAM between computers in under a minute for that reason, among others. – Todd Wilcox May 20 '16 at 04:48
  • @Todd Ram and USB plugs are made from the same 4th dimensional material. That is why you often have to rotate them by 180 two to three times for them to fit. – Lawtonfogle May 20 '16 at 19:25
  • @ToddWilcox I did, but I practiced multiple times to pull it off. – Aloha May 22 '16 at 02:19
  • @Lawtonfogle So the NSA brought us USB C? – Sebb May 24 '16 at 06:58
25

If you log in somewhere (say in a browser, or some application), the password you typed in is temporarily stored in RAM for comparison against the correct password. Most applications assume the RAM is secure and don't clear everything, so it could (and often does) happen that your RAM memory contains passwords and privacy-sensitive data.

Now RAM is said to lose data upon power loss, but it does so slowly enough and predictably enough to provide a window of time in which attackers can read the contents. This is called a cold boot attack.

Luc

  • That's volatile RAM... Most PCs use this exclusively. Nonvolatile RAM doesn't need power to retain data, though, and recent increases in speed make it attractive in mobile devices as opposed to Flash. These modules have time limits measured in years or decades. The more you know... – The Nate May 23 '16 at 19:57
16

Without more context it's not completely clear, but combined with the line above ("stealing equipment", not "...storage devices/computers") they could be referring to simple theft. This was an issue a few years ago when RAM prices were high - it's very portable.

Alternatively DOS-by-theft could be an issue. The same slide refers to "Cutting a fibre optic backbone" which would prevent communication, and not "breaking into" the fibre which would be more likely to mean eavesdropping. Of course, if your recovery procedures in the event of a cable break or equipment theft aren't as secure as your mainline processes, that could leave you exposed to data loss.

Chris H

  • Yeah - "security" doesn't necessarily mean information security - physical security also applies to theft, vandalism, violence, etc. – Random832 May 19 '16 at 16:56
  • You used to be able to fit $100,000 of RAM in a small shopping bag, much easier to get out past the doorman than a complete computer. – Ian Ringrose May 23 '16 at 14:11
13

Removing RAM may force a system to swap more so maybe there's a small but higher chance that sensitive information that is stored in RAM is written to a hard drive where it is much easier to recover.

Thomas

  • I can't believe this isn't the highest voted answer. This is the first thing that came to my mind when I tried to imagine what advantage an attacker would be afforded by removing RAM. – Nathan Osman May 21 '16 at 03:16
  • Honestly I was a bit surprised that so many people consider extracting data from frozen RAM is a likely attack scenario. Now, I'm convinced that it can be done yes, but I'm not sure that anyone apart from the NSA perhaps has the means to do this outside a computer laboratory. – Thomas May 21 '16 at 04:35
  • This was my immediate thought, and I was concerned at not seeing it mentioned as I scrolled through answers. Glad someone said it. It's not at all clear why so much was said above about removing RAM from _active systems_??? – user2338816 May 21 '16 at 06:19
  • I think there are a lot of really smart people here and smart people sometimes think of more sophisticated answers, first. Freezing RAM in order to extract its contents is not something an average computer user would think of (or even know it's possible). – Thomas May 21 '16 at 08:09
  • If you're going to physically alter the hardware in order to make a later second attack easier, it seems like there must be much easier ways to do it (wiretapping input devices or other interfaces, for example) – Ben Millwood May 22 '16 at 10:24
  • +1, If you have access to remove the RAM, you may be able to get the access at a later date to remove the hard drive. – jmoreno May 22 '16 at 16:25
  • I agree that from the context it would make little sense if the attacker was also the one with access to the RAM. Removing RAM is not a 'security risk' from the attacker's point of view – user84207 May 22 '16 at 21:56
  • If you have just 1 RAM stick, removing it will just make the computer stop working; if you have 2 RAM sticks and you remove one then you have only 1 chance out of 2 to remove the correct RAM stick so that you can get sensitive information swapped out on HD. – CoffeDeveloper May 23 '16 at 07:59
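Two of the mitigations the answers above point at, namely Luc's observation that applications leave typed passwords sitting in RAM, and this answer's point that memory pressure can push that data into swap, shown in one added C example that is not code from the thread. The `check_password` function is an assumed API written for the demo: it pins the buffer with `mlock` so the kernel keeps it out of swap, compares in constant time, and wipes the buffer before `free()` so neither a swap file nor a later memory dump has the plaintext to offer; the credential values are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
/* Wipe the compiler cannot drop: a plain memset() before free() is a dead
 * store and may be optimised out, leaving the secret in RAM for a dump. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* 1 if every byte of buf is zero, else 0. */
int is_wiped(const unsigned char *buf, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= buf[i];
    return acc == 0;
}

/* Simulated login check (assumed API, not from the thread): copy the typed
 * password into a heap buffer, pin it so the kernel keeps it out of swap,
 * compare in constant time, wipe before free(). Returns 1 on match, else 0;
 * *wiped (if non-NULL) reports whether the buffer was zero after the wipe. */
int check_password(const char *typed, const char *expected, int *wiped) {
    size_t n = strlen(typed) + 1, m = strlen(expected) + 1;
    unsigned char *buf = malloc(n);
    if (!buf) return 0;
    int locked = (mlock(buf, n) == 0); /* best effort: may fail under RLIMIT_MEMLOCK */
    memcpy(buf, typed, n);
    unsigned char diff = (unsigned char)(n != m);
    for (size_t i = 0; i < n && i < m; i++)
        diff |= (unsigned char)(buf[i] ^ (unsigned char)expected[i]);
    secure_wipe(buf, n);
    if (wiped) *wiped = is_wiped(buf, n);
    if (locked) munlock(buf, n);
    free(buf);
    return diff == 0;
}
/* Demo helper: 1 if the buffer was zeroed after the check. */
int wiped_after_check(const char *typed, const char *expected) {
    int w = 0;
    check_password(typed, expected, &w);
    return w;
}

int main(void) { /* constructed credentials, demo only */
    printf("match=%d wiped=%d\n", check_password("hunter2", "hunter2", NULL),
           wiped_after_check("hunter2", "hunter2"));
    return 0;
}
```

Note that `mlock` is best effort and silently degrades when the memlock limit is small, so the wipe is the part you can always rely on.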
4

Depending on what the system was doing, there might be a lot of value in freezing the RAM and dumping it to analyze it.

RAM takes many shapes. Many types of servers have special RAM with parity bits in them, so on top of the RAM not immediately 'forgetting' the last thing recorded in a block, recovering what was on that RAM is actually much more likely if you really, really cared about it; it's much more possible given that server RAM is built for error protection, versus home-user RAM.

The type of attack, if the attackers know what they're looking for, is going to be very focused on a certain task. So that might be tapping a line, stealing hardware, planting a keylogger, etc. But it's definitely possible to steal memory on RAM--it's a mess to analyze, but if you're planning a heist to steal RAM, you probably have someone with the technical know-how to profit off it.

Tommy
2

The slide mentions that these are physical attack vectors. I don't know the full context of the slide deck, but even just removing RAM from a system can bring an application or system to its knees.

The goal of most attacks, physical or cyber, is to disrupt service, steal information, or gain backdoor access for long-term shenanigans (botnets, etc.). While theoretically data can be stolen from RAM that's just been unplugged, I think the bigger threat here is more along the lines of a denial of service attack.

If physical access to a server can be gained by an attacker, stealing RAM crucial to the operation of that server could result in the server failing. If you steal all the RAM it won't just slow the system down as you mention in your question, rather it will outright prevent the system from functioning. Then again, stealing only some of the RAM in a critical system would be more discreet, and if unnoticed, operators might have a hard time identifying the root cause of system malfunction (especially if the system is heavily reliant on RAM, such as an in-memory database application, e.g. a TimesTen DB).

The bullet point itself could, of course, be expanded to any physical attack on the hardware itself, but stealing RAM is probably the most discreet and easiest-to-pull-off physical vector for an attacker who only has a brief window of opportunity to access the hardware.

  • Why not just unplug the machine? :P – undo May 19 '16 at 16:31
  • @RahulBasu Like I said, the bullet point itself could be expanded to any physical attack on the hardware itself. Losing power to the machine is much more obvious than removing some RAM, though. – LegendaryDude May 19 '16 at 16:33
  • Really? You think it's possible to remove RAM from a running device and have it be a subtle effect? Seems at least reasonably likely the kernel will immediately choke and bring the system down. Surely there are [easier ways](https://upload.wikimedia.org/wikipedia/commons/8/84/Claw-hammer.jpg) to DoS a box you have physical access to... – Ben Millwood May 22 '16 at 10:36
  • @BenMillwood I didn't say the system would be running, you inferred that (from what, I don't know). Pulling RAM from a running system is obviously going to impact it in a much more noticeable way than removing it while it's shut down. – LegendaryDude May 23 '16 at 12:52
  • Gosh, if I wanted to kill a system that I had physical access to, I would pull the CPU. And leave a glove. –  May 26 '16 at 14:18
0

Just to reiterate what others have said, not only could you shut down a server or device by removing all of its RAM, you could steal cryptographic keys. The process generally looks like freezing the RAM, removing it, and then placing it into a different machine where it can be analyzed. This works because, while usually all data is lost when RAM loses power, when the RAM is frozen to very low temperatures the electrons, and therefore the data, are essentially 'stuck' in the RAM, giving an attacker enough time to remove it from power and then reconnect it on a malicious system.

  • Hey @Andrew... Welcome to Stack Exchange... 'Reiteration' isn't really appreciated on stack exchange because it doesn't really add any more useful points to the thread... next time, try posting more original content. Enjoy! – undo May 20 '16 at 05:57
0

It is possible to steal data from RAM.

The conditions are that: 1) you have an external connection to the RAM's data and address bus; 2) you have a way to allow all data to be sent to the data bus of the RAM (only possible with a program that does that without affecting the running system); 3) the program is running at the same level as the kernel.

In short, you have to have a program (or virus or security hole) to be able to steal data from RAM.

Hello
  • While possible, I think that if you have physical access to the machine to the extent that you can freeze and remove RAM on an active machine, then it would be much easier to just upload the data (and more than just data in RAM) to a remote machine, or just copy the data to another media. – Kevin Fegan May 21 '16 at 21:53
  • @KevinFegan The reason you freeze the RAM is because it may contain unencrypted data in RAM. Stealing the data directly would likely not reveal unencrypted data. – LegendaryDude May 23 '16 at 12:53