Word Notes 3.30.21
Ep 43 | 3.30.21

cold boot attack (noun)

Transcript

Rick Howard: The word is: cold boot attack.

Rick Howard: Spelled: cold boot as in a hard restart of the computers, hardware, and software components and attack is in leveraging a weakness of a system in order to gain access.

Rick Howard: Definition: A type of side channel attack in which an attacker with physical access to a computer performs a memory dump of a computer's random access memory or RAM during the reboot process, in order to steal sensitive data.

Rick Howard: Example sentence: Overriding the RAM before shutting down the machine or using encryption programs that don't write sensitive keys into RAM can avoid data loss due to cold boot attacks,

Rick Howard: Origin and context: The cold boot attack leverages an electrical property called a remanence. It refers to the magnetic flux that remains in the circuit after the electricity is gone. In other words, RAM maintains integrity seconds or even minutes after power loss. An attacker who moves fast enough after a computer is shut down, can still access the data stored in RAM when the computer had power. Researchers speculated that this kind of attack was possible as far back as the 1990s.

But in 2008, Alex Halderman led a team of researchers from Princeton, the Electronic Frontier Foundation and Wind River Systems who demonstrated that cold boot attacks could be deployed in practical scenarios. Forensic specialists in law enforcement probably use this technique the most in order to build cases from confiscated computer equipment.

But spies also use this technique to steal sensitive data from unsuspecting targets. A later example is the reason that cold boot attacks are also known as evil maid attacks. The evil maid in this case is the spy who comes into a victim's hotel room when nobody is there disguised as a maid and uses the cold boot attack technique to steal sensitive information.

Rick Howard: Nerd reference: In 2013, Professor Halderman gave a lecture to his students attending the Transfer Credit Equivalency summer school program at the University of Michigan. He explained how a cold boot attack might work in the wild, and then highlighted how security issues pop up because of the assumptions made by two different groups working on the same project that didn't talk to each other; the software engineers and the hardware engineers.

Alex Halderman: The attacker in our scenario is going to come up to your laptop. Maybe he's just stolen it from you at the coffee shop. Luckily you left it in a locked state. He doesn't have your password. Maybe it wasn't powered on it was closed. And so it went to sleep. In that case, he just opens it up and it wakes back up again. Your disc is fully encrypted, but the key is in RAM. So the attacker is unhappy, but oh, he has an idea. 

He's going to try the cold boot attack. He's going to take that USB stick that has some memory dumping software on it, plug it in, pull out the battery, put it in again really quickly. The computer's going to dump the contents of RAM to the USB stick. Now he's going to examine that RAM, pull out the encryption key for the hard disk, pull out the hard disk and decrypt it on his own. 

There's some broader things we can take away from this about assumptions as they apply to cryptography and practice. The mistaken assumptions can undermine the security of an applied cryptosystem that otherwise would be perfectly good. The people who built these disk encryption systems, many of them are serious researchers, former researchers and engineers who knew what they were doing. They thought hard about these problems, but they had a blind spot here.

I had the privilege of personally disclosing these attacks to the CTO of one big company who had been the guy who actually designed the disk encryption product sent one of their central products and he turned white as a ghost. He just couldn't believe that this was true. It undermined a big part of his worldview. On the other hand, a couple of years later, I was at a party and ran into a gentleman who was the retired CTO of a semiconductor firm and held some of the first patents on dynamic RAM. And I told him about the cold boot attack. He laughed at me. He said, well, of course, this is how DRAM behaves. No one ever told us you wanted the information to go away when the power goes out.