
Cold Boot Attacks - ankka
https://blog.f-secure.com/cold-boot-attacks/
======
pjc50
Everyone's quickly jumping in to post "physical access is not secure", while
over there Apple have iPhones that appear to be almost completely secure
against all but the most dedicated state-level attacks (and of course
compromised accounts). We can do better, and should. Without compromising the
freedom to change operating system.

Mind you we also need to keep pressing on security for the desktop, against
ransomware and malicious installs. Again without compromising freedom of
choice.

~~~
simias
There are so many easier ways to compromise the computers of 99% of the
population that this particular flaw, while interesting, doesn't really appear
all that critical to me. How many people (or even companies) bother to encrypt
their hard drives these days? Not many in my experience. And for those who do
how hard will it be to phish the credentials using basic social engineering?

If you're carrying nuclear codes then yeah, you should be worried about these
attacks. If you're security officer for a small company then you probably have
a long list of things to worry about before you have to consider cold boot
vulnerabilities.

Furthermore if you're worried about an attacker having physical access to your
computer what about simply installing a keylogger or a device that broadcasts
your display for instance? That seems massively easier and faster to pull off
than the attacks described here.

~~~
pjc50
> If you're security officer for a small company then you probably have a long
> list of things to worry about before you have to consider cold boot
> vulnerabilities.

Do you have laptops? Do you keep any personal data on them? Are you subject to
GDPR? Then you do need to worry at least somewhat:
[https://www.databreachtoday.com/data-breach-another-stolen-l...](https://www.databreachtoday.com/data-breach-another-stolen-laptop-a-4272)

------
jarfil
So when are we getting encrypted RAM?

With all the talk I hear about "cache being the new RAM", since it's so much
faster, particularly the L1, it sounds like it would make sense to have some
transparent encryption going on. A random key generated at power on, then kept
inside the CPU, and instantly lost at power off, would be enough to secure the
contents of DIMMs against attacks like this.

~~~
simias
Somebody could put a hardware keylogger on your keyboard interface instead. Or
de-solder your CPU and replace it with a backdoored version.

~~~
21
Seriously?

How many backdoored CPU attacks have you heard of before?

If you need protection against that, might as well live inside a vault.

------
knorker
> Cold boot attacks aren’t new. They were developed by a research group back
> in 2008

Older than that. E.g. Pettersson's talk at CCCamp 2007.

~~~
En_gr_Student
I'd be surprised if some analog of this didn't come out in the 80's. The
fundamentals were all there, even arpanet.

------
leejoramo
physical access = compromised system

There are things you can do to mitigate this problem, but once someone has
physical access to a computer they have many pathways to gaining access to
data and control.

~~~
arachnids
This is already not true for modern iPhones. I think the time to stop
accepting this has come. We should demand better from commodity devices.

~~~
comboy
I think most disagreement in this thread comes from not separating two very
different cases.

1) I got access to your hardware and I want to extract data from it

2) I got access to your hardware and I get to give it back to you and you
continue using it as if nothing happened

------
liftbigweights
That's why the #1 rule of security is physical security. If someone has
physical access to your computer, it's pretty much game over.

~~~
arcticbull
Tell that to the FBI trying to get into an iPhone

~~~
liftbigweights
They succeeded...

[https://money.cnn.com/2016/03/28/news/companies/fbi-apple-ip...](https://money.cnn.com/2016/03/28/news/companies/fbi-apple-iphone-case-cracked/index.html)

------
acura
Cold boot, you keep using this word and you don't know what it means. Or is it
me who has a screwed definition of cold boot?

~~~
jo909
As defined in the article: "when a computer is reset without following proper
procedures (what’s known as a cold/hard reboot)"

Even if you disagree, "cold boot attack" is the established name for the
actual attack, the new aspect presented here is how to circumvent a certain
firmware protection that would overwrite the memory on a cold boot to prevent
that attack.

If you would give your definition we could see if it is right, too.

~~~
acura
I thought the definition of cold boot was a boot from a powered down state.

------
bardworx
From a security standpoint, isn’t there a common understanding that if an
attacker gains physical access to your computer, you already lost?

As a side note, there are so many vulnerabilities constantly coming out that
I’ve almost become desensitized. I’m sure that’s not a good thing but it’s
almost like “when” not “if” someone will just steal my data.

Not sure if anyone agrees or I’m just a one-off...

~~~
jarfil
Some parts of a computer are easier to access than others. Like, it's quite
easy to access the contents of a hard drive, but not so much some value stored
in a particular register in the CPU. That's why it makes sense to encrypt data
stored on a hard drive, but we expect the CPU to be able to handle plaintext
securely.

Turns out, we should think of RAM more like a hard drive than like something
internal to the CPU.

------
hannasanarion
So do y'all regularly dump liquid nitrogen on your computers after powering
them off?

Last I checked, cold boot attacks have to be executed within moments of a
computer powering down unless it's immediately put on ice. I don't understand
why we're worried about this.

~~~
retrodpc
Actually, RAM can keep its contents for up to a few minutes after shutdown.
See here:

[https://citp.princeton.edu/research/memory/](https://citp.princeton.edu/research/memory/)

------
new_age_garbage
Leaving the computer on is a cold boot attack now?

~~~
mannykannot
At first, I could not figure out why sleep mode was an issue, but I think the
point is that a cold boot attack has to be performed within minutes of the
shutdown, and it has to be a 'hard' (just cut the power) type of shutdown, not
an orderly shutdown where the OS stops what's running and then instructs the
hardware to shut down. An attacker who gets his hands on a computer in sleep
mode is in a position to force a hard shutdown and immediate cold boot when he
is ready.

