4

Cold boot attacks are particularly nasty. On Android, a solution is to use a Nexus device with a locked bootloader to prevent flashing a custom recovery.

On a PC, your safeguards are even more limited. The attacker that has access to a running laptop can throw it in a freezer, then quickly reboot into BIOS to boot onto a thumb drive designed to search the memory space for the key. Password-protecting the BIOS is a good idea, but your mileage may vary.

One protection I thought of was monitoring the CPU or motherboard temperature in software. If the temperature drops below a certain threshold (i.e. a cold environment is detected), cut the power hard, terminating power as quickly as possible, possibly with a shutdown script which zeroes the RAM.

Would this approach work at least on a theoretical basis? Are there projects which do this in order to prevent cold-boot attacks?

Naftuli Kay
  • My impression was you'd need some pretty exotic hardware to pull this off. Is an ordinary refrigerator + thumb drive enough to read the old memory data? I always thought you had to attach the memory to a second prebooted machine. If you reboot this same laptop that you want to exploit won't the POST mess up the old memory's locations that you want to read? – curious_cat Jun 01 '15 at 06:57
  • @curious_cat Removing the memory is just the ultimate extension of this attack, and can't really be protected against. I haven't seen a complete POST, where the memory is written to, in years; most of the time it's disabled to improve boot time. – Steve Sether Jun 02 '15 at 16:25

3 Answers

2

There are several lines of defense:
The obvious ones are to set a BIOS password, use full disk encryption (as you mention), and do not use sleep mode, lock mode and especially not hibernation - encrypt it in CMD (Windows 7):

fsutil behavior set encryptpagingfile 1

Keep your important files in an encrypted container. A successful cold boot might get into the FDE but not the container inside (correct me if I'm wrong).
Make sure you have DDR3 RAM; it has the lowest memory persistence for this attack, older types are a lot slower.
If you can, enable Power On Self Test (POST) in BIOS, it will attempt to zero out memory.
ECC memory will reset the memory during initialization. Check if you have it in CMD (W7):

wmic MEMORYCHIP get DataWidth,TotalWidth

If the TotalWidth value is larger than the DataWidth value you have ECC memory.

If you are physically hindered from shutting your PC down you may use remote shutdown software from smartphones. The ideal way is an Android which binds the shutdown initiation to e.g. pressing up/down volume x times. This way you can shut down the PC with your hands in your pocket.

This is a golden nugget from a Blackhat paper. Unfortunately I don't have the slightest clue on how to implement this.

BIOS BOOT: Remnants of encryption keys can be recovered with very high probability, unless your master disk keys are stored in the physical address range 0x7c00– 0x7bff.
A disk encryption filter driver loads very early in the boot process and can allocate this memory range for its exclusive use.
512 bytes is enough room for multiple disk encryption keys, or for an AES 256 key schedule.
Any attempt to boot to ANY alternative operating system or device will overwrite the keys stored in this address range.

In the very same paper they discuss your question (the screenshot, captioned "Temp", is not reproduced here).
As for a software solution (which I have not tested), I can see that HWiNFO has an alert function; however, I was not able to find a RAM temperature reading, but I didn't try very hard. (Screenshot not reproduced.)

Lastly (something I have no experience with) you can "permanize" your hardware state by using Epoxy to make it difficult to remove hardware and/or difficult to introduce new hardware.
Sidenote: for those of you with a stationary PC, a chassis with screws and DDR3 memory is plenty of obstacles to prevent cooling of RAM if you start shutting down before the attacker attempts anything.

Manumit
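The answer above gives two Windows checks (ECC via `wmic MEMORYCHIP get DataWidth,TotalWidth`, page file encryption via `fsutil behavior`) but leaves reading the output to the eye. The script below is an added example, not code from the thread or from any of the tools it names: it parses the `wmic` table and applies the answer's rule (TotalWidth greater than DataWidth means ECC), and parses the output of `fsutil behavior query encryptpagingfile`. The exact `EncryptPagingFile = 1` line format of `fsutil` is an assumption; the sample outputs embedded in the script are constructed so it runs offline on any platform and only shells out on Windows.

```python
"""Parse the two Windows checks from the answer above (added example).

- `wmic MEMORYCHIP get DataWidth,TotalWidth`: a module whose TotalWidth exceeds
  its DataWidth carries extra check bits, i.e. it is ECC (the answer's rule).
- `fsutil behavior query encryptpagingfile`: reports whether page file
  encryption is enabled (output line format is an assumption).
"""
import platform
import subprocess

# Constructed sample output in the shape wmic prints: header row, one row per
# module. 64/72 is a typical ECC module (8 check bits); 64/64 is non-ECC.
SAMPLE_WMIC = """DataWidth  TotalWidth
64         72
64         64

"""

# Constructed sample output for fsutil; the "Key = Value" wording is assumed.
SAMPLE_FSUTIL = "EncryptPagingFile = 1\n"


def parse_memorychip(text):
    """Turn wmic's table into [{'data': 64, 'total': 72, 'ecc': True}, ...]."""
    rows = [ln.split() for ln in text.splitlines() if ln.strip()]
    if not rows:
        return []
    header = [h.lower() for h in rows[0]]
    if "datawidth" not in header or "totalwidth" not in header:
        raise ValueError("unexpected header: %r" % rows[0])
    di, ti = header.index("datawidth"), header.index("totalwidth")
    modules = []
    for row in rows[1:]:
        # Skip malformed rows instead of silently misreporting a module.
        if len(row) <= max(di, ti) or not all(c.isdigit() for c in row):
            continue
        data, total = int(row[di]), int(row[ti])
        modules.append({"data": data, "total": total, "ecc": total > data})
    return modules


def all_ecc(modules):
    """True only if every detected module is ECC (a mixed system is not)."""
    return bool(modules) and all(m["ecc"] for m in modules)


def parse_encrypt_pagingfile(text):
    """True/False for the EncryptPagingFile setting, None if not present."""
    for ln in text.splitlines():
        key, _, val = ln.partition("=")
        if key.strip().lower() == "encryptpagingfile":
            return val.strip() == "1"
    return None


def run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    if platform.system() == "Windows":
        wmic_out = run(["wmic", "MEMORYCHIP", "get", "DataWidth,TotalWidth"])
        fsutil_out = run(["fsutil", "behavior", "query", "encryptpagingfile"])
    else:
        wmic_out, fsutil_out = SAMPLE_WMIC, SAMPLE_FSUTIL  # offline demo
    mods = parse_memorychip(wmic_out)
    for i, m in enumerate(mods):
        print("module %d: data=%d total=%d ecc=%s" % (i, m["data"], m["total"], m["ecc"]))
    print("all modules ECC:", all_ecc(mods))
    print("page file encryption enabled:", parse_encrypt_pagingfile(fsutil_out))
```

Run it as an ordinary user on Windows to get the live values; anywhere else it prints the verdict for the constructed sample, where one ECC and one non-ECC module together give "all modules ECC: False".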
1

The temperature alert thing may work, however you must do this at the BIOS level. An attacker can start this attack while the computer is shutting down. In this case, software running on the OS can't do its work. The BIOS can watch the system temperature and if it's very low it can wipe the memory. I think it could work.

By the way, I found these questions in SE. Answers and comments are really interesting, you should take a look:

How can the impact of cold boot attacks be minimized

Wipe RAM on shutdown to prevent cold boot attack

Preventing Cold Boot Attacks on Encryption Keys

Batuhan
  • There's no reason that work can't continue to be done while the OS is shutting down. On Linux this might mean the last process to be shut down is one that monitors temperature, or alternatively a kernel module. In Windows I'm sure there's some other way to have a process continue until the last minute. – Steve Sether Jun 02 '15 at 17:05
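The question proposes a software temperature watchdog that cuts power when the machine is chilled, and the comment above suggests running it as the last surviving process on Linux. The script below is an added example written for this thread, not code from the question, the answers, or any project: it polls the Linux hwmon sensors (`/sys/class/hwmon/hwmon*/temp*_input`, in millidegrees Celsius), and trips only after several consecutive polls in which the coldest sensor is below a threshold, so a single glitchy reading does not power the box off. The threshold, the sample count and the constructed readings used for the offline run are assumptions; the real power-off is behind a dry-run flag, and the RAM-zeroing step the question mentions is not part of it.

```python
"""Temperature-drop watchdog decision logic (added example).

Reads Linux hwmon sensors and triggers an emergency power-off after a run of
cold readings. Driven offline with constructed readings under __main__.
"""
import glob
import subprocess
import time

HWMON_GLOB = "/sys/class/hwmon/hwmon*/temp*_input"


def read_hwmon_temps(pattern=HWMON_GLOB):
    """Return {sensor_path: celsius}; sensors that cannot be read are skipped."""
    temps = {}
    for path in glob.glob(pattern):
        try:
            with open(path) as f:
                temps[path] = int(f.read().strip()) / 1000.0  # millidegrees -> C
        except (OSError, ValueError):
            continue
    return temps


class ColdDetector:
    """Trip after `samples` consecutive polls whose coldest sensor is below
    `threshold_c` (assumed values). Using the coldest sensor catches a chilled
    board while the CPU die is still warm; requiring consecutive polls avoids
    tripping on one bad read. A poll with no sensors is an error, not "warm".
    """

    def __init__(self, threshold_c=5.0, samples=3):
        self.threshold_c = threshold_c
        self.samples = samples
        self.cold_run = 0

    def observe(self, temps):
        if not temps:
            raise RuntimeError("no temperature sensors readable")
        coldest = min(temps.values())
        if coldest < self.threshold_c:
            self.cold_run += 1
        else:
            self.cold_run = 0  # one warm reading resets the run
        return self.cold_run >= self.samples


def emergency_poweroff(dry_run=True):
    """Hard power-off (no orderly service shutdown); reported only when dry_run."""
    if dry_run:
        return "would run: poweroff -f"
    subprocess.run(["poweroff", "-f"], check=False)  # requires root
    return "poweroff requested"


def watch(detector, poll_s=1.0, dry_run=True):
    """Poll the live sensors until the detector trips, then act."""
    while True:
        if detector.observe(read_hwmon_temps()):
            return emergency_poweroff(dry_run)
        time.sleep(poll_s)


if __name__ == "__main__":
    # Constructed readings (degrees C): a warm box that is chilled over a few polls.
    trace = [
        {"cpu": 45.0, "board": 30.0},
        {"cpu": 40.0, "board": 4.0},
        {"cpu": 35.0, "board": 2.0},
        {"cpu": 30.0, "board": 1.0},
    ]
    det = ColdDetector(threshold_c=5.0, samples=3)
    for poll, temps in enumerate(trace, 1):
        if det.observe(temps):
            print("poll %d: cold run reached, %s" % (poll, emergency_poweroff(dry_run=True)))
            break
    # On a real Linux box, as root and for real: watch(ColdDetector(), dry_run=False)
```

The offline run trips on the fourth poll (three consecutive readings with the board below 5 C). In the trace the CPU never drops below 30 C, which is why the detector looks at the coldest sensor rather than the CPU alone. Where it runs matters as much as what it decides: as the thread notes, a userspace process is killed early in an orderly shutdown, so it would need to be kept alive until the end or moved into a kernel module or firmware to cover that window.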
0

You can use full disk encryption to prevent cold boot attacks. If the hacker has all your drives, he can only wipe them if he doesn't know the password.

  • I don't think you understand what a cold boot attack is. – Naftuli Kay Jun 01 '15 at 05:39
  • @NaftuliTzviKay, can you provide a link for an explanation? I always call it a cold boot attack when you boot a PC from a live CD or flash drive and then patch the system, reset passwords, etc. – Daniil Svetlov Jun 02 '15 at 05:40
  • Please see the links in the question. A typical cold boot attack is when you take a running OS, put it in a freezer (an actual freezer), bring it down to a certain temperature, then immediately cut the power. You then boot as quickly as you can into a minimal OS designed to search the RAM space. What happens is that because of the cold, bits in RAM "stick" and remain for a longer period of time than they would when they're at room temperature. The attacker can then grab your master key because it was in RAM. – Naftuli Kay Jun 02 '15 at 05:44