Practical Cold Boot Attacks
Building on the Cold Boot research released in February 2008, Tom Liston and Sherri Davidoff of Intelguardians presented “Cold Memory Forensics Work Shop” at CanSecWest 2008. That research found that the supposed volatility of conventional RAM is only a half-truth: in many cases memory continues to hold its contents for seconds, and sometimes even minutes, after a system has been powered off.
In a Cold Boot attack, an attacker with physical access to a system reboots the computer and dumps the contents of RAM for forensic analysis, recovering sensitive information (passwords, encryption keys, documents, etc.). In the Cold Memory Forensics Work Shop, Tom and Sherri discussed their findings in leveraging the Cold Boot techniques to harvest information from systems exposed during penetration testing, as well as their work on tools that quickly identify passwords held in memory. Their goal is to be able to retrieve passwords within minutes of obtaining physical access to a target system.
The approach used by the researchers is quite novel. The tools they are developing use a rudimentary signature-based system to flag static memory components that are usually found near sensitive pieces of information in memory (e.g. passwords). This simple enhancement to the previously published techniques makes the attack far more practical when sifting through the large amount of data obtained from a target system. In their presentation they discussed several cases in which they were able to obtain passwords for a variety of popular applications.
At the end of the Cold Memory Forensics Work Shop, William Paul and Jacob Appelbaum made themselves available to answer additional questions about the Cold Boot attacks. William Paul also demoed a modified iPod that could be used to boot a system and dump the contents of RAM in under 5 minutes. This shows how practical and inconspicuous the attack can be.
This presentation should bring the risks associated with Cold Boot attacks to the forefront of people’s minds. Even when sensitive information is encrypted on disk, it is decrypted in memory, and memory is more persistent than previously believed. This will require re-thinking how some of our applications are designed and how we can work towards minimizing these types of problems. In a cubicle world, systems are often left accessible to anyone with access to the office. Just as many offices implement a “clean desk” policy, a “clean desktop” policy may be required until a more permanent solution is presented.
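As an added example (not code from the presenters or from the original post), the following C program illustrates both the signature idea described above and the application-side mitigation: a static marker adjacent to a credential is what makes the credential easy to find in a memory image, so an application should wipe the value, and the marker with it, as soon as it is no longer needed. The marker string, the region contents and the offset are all constructed for this example.

```c
#include <string.h>

/* Constructed for this example: MARKER stands in for the static bytes an
 * application keeps next to a credential; region is a stand-in for a dump. */
#define MARKER "PWD_FIELD="
#define REGION_LEN 256
static unsigned char region[REGION_LEN];

/* Simulate an application that copied a credential right after the marker. */
void fill_region(const char *secret) {
    memset(region, 'A', REGION_LEN);                      /* unrelated filler */
    memcpy(region + 100, MARKER, strlen(MARKER));
    strcpy((char *)region + 100 + strlen(MARKER), secret);
}

/* Offset of the marker in buf, or -1 if it is absent. */
long find_marker(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i + strlen(MARKER) <= len; i++)
        if (memcmp(buf + i, MARKER, strlen(MARKER)) == 0) return (long)i;
    return -1;
}

/* Signature scan as a self-check: copy the printable bytes that follow the
 * marker into out; returns 1 if a candidate value is still recoverable. */
int scan_for_secret(const unsigned char *buf, size_t len, char *out, size_t outlen) {
    long off = find_marker(buf, len);
    size_t n = 0;
    if (off < 0) return 0;
    for (size_t j = (size_t)off + strlen(MARKER);
         j < len && n + 1 < outlen && buf[j] >= 0x20 && buf[j] < 0x7f; j++)
        out[n++] = (char)buf[j];
    out[n] = '\0';
    return n > 0;
}

/* Wipe through a volatile pointer: unlike a plain memset before free, the
 * compiler cannot discard these stores as dead writes. */
void secure_zero(unsigned char *p, size_t len) {
    volatile unsigned char *v = p;
    while (len--) *v++ = 0;
}

/* Once the credential is no longer needed, wipe the value and its marker. */
void scrub_secret(void) {
    long off = find_marker(region, REGION_LEN);
    if (off < 0) return;
    const char *val = (const char *)region + off + strlen(MARKER);
    secure_zero(region + off, strlen(MARKER) + strlen(val) + 1);
}
```

Calling fill_region, scan_for_secret, scrub_secret and scan_for_secret again shows the value recoverable before the scrub and absent afterwards; the same scan run against a real dump of your own process is a cheap way to verify that a scrub actually happened.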