What is the BitLocker exposure via cold boot attack?

John Savill

May 12, 2008


A. There has been a lot of press about this recently. The issue is that when you turn off a computer, volatile RAM is not as volatile as you would hope: it keeps the stored information for up to 30 seconds (and as little as 2.5 seconds), and even for minutes if you cool the RAM chips. This is mainly a problem for DRAM, which is basically a capacitor for each bit. SRAM works differently and is less vulnerable to this (but not immune). When its power is gone, it loses its information. The cold boot attack involves powering off a computer, then booting it to a special program that copies the content of the memory to a USB key. A hacker can then scan the memory dump for the "old" information and extract the keys that are used for the disk encryption.


To protect your systems from these types of attacks (if you are very paranoid), you should exercise good physical security on your servers and disable the ability to boot from USB devices. However, this would not stop the attack, just make it harder. If the attacker has the physical box, he can power it down, take out the RAM, and put it in another box (unless you solder the RAM to the motherboard). For laptops, power them off and don't leave them in sleep mode in your car's front seat. The use of a Trusted Platform Module (TPM) doesn't help, because the TPM stores the key initially, then puts it in memory to actually do the decryption. You can see a video of this in action at http://www.hackaday.com/2008/02/21/breaking-disk-encryption-with-ram-dumps/ and the full paper at http://citp.princeton.edu/pub/coldboot.pdf.
