Q. How is Windows BitLocker Drive Encryption vulnerable to a cold-boot attack?
April 8, 2008
A. There's been a lot of recent press about this vulnerability. Here's how it works. When you turn off your computer, RAM keeps information stored on its chips for as long as 30 seconds (or as short as 2.5 seconds), or possibly several minutes if you cool the RAM chips first. This is mainly a DRAM problem. SRAM works differently and is less vulnerable (but not immune). When SDRAM loses its power, it loses its information.
A cold-boot attack powers off a computer, then boots it to a special program that copies the memory contents to a USB drive. The hacker then scans the memory dump for the stored information and extracts disk encryption keys.
To protect your equipment against these attacks, exercise good physical-server security and disable the ability to boot from a USB device. This protection won't stop an attack, but it will make it more difficult. If an attacker physically has a box, he or she can power it down, remove the RAM, and put it in another box (unless you solder the RAM to the motherboard). Always power down laptops—don't leave them in sleep mode. Using a Trusted Platform Module (TPM) won't help because the TPM initially stores the key, then puts it in memory for decryption.
A Princeton University video of a cold-boot attack is available at http://www.hackaday.com/2008/02/21/breaking-disk-encryption-with-ram-dumps/. The companion paper is at http://citp.princeton.edu/pub/coldboot.pdf.
About the Author
You May Also Like