Cold Boot Attacks & How to Secure Your Data At Rest (DAR)


Data protection has become both a popular and necessary part of security architecture. Following Coos (2021), data is categorized into one of three states:

  • Data at rest (DAR) – data stored on persistent media such as hard drives, SSDs, backups or archived media, and not currently being processed
  • Data in use – data currently being processed: held in RAM, CPU caches or registers, or open in an application
  • Data in transit – data moving across a network, including over links and third-party services outside the organization's control

Data in use and data in transit can be protected against unauthorized access or misuse in many well-established ways. Protecting data at rest, however, is often overlooked, leaving it exposed to malicious outsiders and to insider threats. It is also an easier and more attractive target because the volume of data that can be stolen at once is far higher than in a typical data-in-transit attack (Coos, 2021). Many of the largest data breaches of the past decade have involved data at rest.

One attack on DAR is the cold boot attack, which recovers a computer's disk encryption keys while the machine is physically unattended (Bedell, 2013). It exploits data remanence in dynamic random access memory (DRAM): the chips retain their contents for a short time after power is removed, and considerably longer if they are cooled, which an attacker can do by spraying them with an inverted can of compressed air; cooled modules can even be pulled from the motherboard and read in another machine (Bedell, 2013). The underlying weakness is that disk encryption software has no truly safe place to keep its key: the key must sit in RAM in plain form while the encrypted disk is mounted, or the software could not read and write the disk. The attack therefore consists of a cold boot of the target (a power cycle or hard reset, so the running operating system never gets a chance to wipe memory), booting a minimal operating system from a CD or USB device, dumping the contents of DRAM to that device, and scanning the dump for the data structures that hold encryption keys, such as an AES key schedule (Bedell, 2013). Because the key schedule is highly redundant, the scan can tolerate, and correct, the scattered bit flips caused by decay. Once the key is recovered, everything on the encrypted disk, the data at rest the encryption was meant to protect, can be decrypted, not just the files that happened to be open.
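The key-scanning step is the part most people have never seen, so here is an added example (not code from the original page, nor from any real key-finding tool) of how a dump is searched for AES-128 keys. It uses the same idea as the published aeskeyfind approach: a live AES key sits in RAM next to its expanded key schedule, and the schedule is self-consistent, so a 176-byte window is slid over the image and each position is tested for that consistency, tolerating a few decayed bytes. The "memory image" is constructed in-process (pseudo-random filler plus one embedded schedule with two deliberately flipped bits); no real dump is read, and the key is the FIPS-197 Appendix A.1 test key.

```python
"""Scan a raw memory image for AES-128 key schedules (cold boot key recovery).

Added example, not code from the page or from any existing tool. The memory
image is constructed below; real use would read a DRAM dump from disk instead.
"""
import random


def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF


def _build_sbox():
    """Rijndael S-box built from GF(2^8) inverses plus the affine map (no table)."""
    sbox = [0] * 256
    p = q = 1                       # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1                                               # q /= 3 ...
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:                  # 3 generates the whole group; we are back at the start
            break
    sbox[0] = 0x63                  # 0 has no inverse; affine map of 0
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SCHEDULE_LEN = 176                  # AES-128: 11 round keys of 16 bytes


def _next_word(prev, back, i):
    """One key-expansion step: w[i] = w[i-4] ^ g(w[i-1]), g applied when i % 4 == 0."""
    t = list(prev)
    if i % 4 == 0:
        t = t[1:] + t[:1]                       # RotWord
        t = [SBOX[b] for b in t]                # SubWord
        t[0] ^= RCON[i // 4 - 1]
    return bytes(a ^ b for a, b in zip(back, t))


def expand_key_aes128(key):
    """Full AES-128 key schedule (176 bytes) as it would sit in RAM."""
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        w.append(_next_word(w[i - 1], w[i - 4], i))
    return b"".join(w)


def schedule_mismatches(region, tolerance):
    """Count bytes in a 176-byte region that violate AES-128 key expansion.

    Every check is local (w[i] against the w[i-4] and w[i-1] actually found in
    memory), so a single decayed bit costs only a few mismatched bytes instead
    of invalidating everything after it. Returns tolerance + 1 as soon as the
    budget is exceeded, so random data is rejected after a word or two.
    """
    w = [region[j:j + 4] for j in range(0, SCHEDULE_LEN, 4)]
    bad = 0
    for i in range(4, 44):
        expected = _next_word(w[i - 1], w[i - 4], i)
        bad += sum(1 for a, b in zip(expected, w[i]) if a != b)
        if bad > tolerance:
            return tolerance + 1
    return bad


def find_aes128_keys(image, tolerance=8):
    """Return [(offset, key_bytes, mismatched_bytes)] for every schedule-like region."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        bad = schedule_mismatches(image[off:off + SCHEDULE_LEN], tolerance)
        if bad <= tolerance:
            hits.append((off, image[off:off + 16], bad))
    return hits


# FIPS-197 Appendix A.1 test key; its expanded schedule plays the "live" key material.
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
KEY_OFFSET = 5000                   # arbitrary position chosen for the constructed image


def build_sample_image(size=16 * 1024, seed=1234):
    """Constructed stand-in for a DRAM dump: pseudo-random filler with one expanded
    AES-128 key schedule embedded, then two bits flipped to mimic decay. The flips
    are placed in the last round key so the expected mismatch count (3) is easy to
    reason about: a byte of w[43] is checked once, a byte of w[42] twice."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    sched = bytearray(expand_key_aes128(FIPS_KEY))
    sched[175] ^= 0x40              # decayed bit in w[43] -> 1 mismatch
    sched[168] ^= 0x01              # decayed bit in w[42] -> 2 mismatches
    image[KEY_OFFSET:KEY_OFFSET + SCHEDULE_LEN] = sched
    return bytes(image)


if __name__ == "__main__":
    for off, key, bad in find_aes128_keys(build_sample_image()):
        print(f"AES-128 key at 0x{off:06x}: {key.hex()} ({bad} decayed bytes in schedule)")
```

The scan reports the key at offset 5000 with 3 decayed bytes in its schedule; random filler never comes close to the tolerance. Two things carry over to a real dump: the tolerance is what makes the search survive DRAM decay, and the same local-consistency trick can be extended to repair flipped bits in the key itself rather than merely tolerate them.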

Defences against cold boot attacks include: using CPUs with transparent memory encryption, such as AMD processors with Secure Memory Encryption (SME, marketed as AMD Memory Guard), so that DRAM contents are encrypted under a key held inside the CPU and a dumped image is useless to the attacker (note that the feature must actually be enabled, for example in firmware or with the Linux kernel parameter mem_encrypt=on); physical security, so that nobody has unauthorized access to the machine after it is shut down; and powering the computer fully off, rather than locking it or suspending it to RAM, before leaving it unattended (Information Security Stack Exchange, n.d.). Strong passphrases do not help here: the attacker extracts the key itself from memory rather than guessing it. The chance of a successful attack drops with every second the machine has been powered off before the attacker reaches it, because the DRAM contents decay within seconds to a minute at room temperature. The worst case is a machine that is still powered on and merely locked: while you are away at lunch with the screen saver engaged, an attacker with physical access can hard-reset the machine, boot his own operating system from a CD or USB drive, and dump everything that was in DRAM, including the disk encryption key (Information Security Stack Exchange, n.d.).


References

Bedell, C. (2013, August 8). What is a cold boot attack? Definition from WhatIs.com. TechTarget SearchSecurity. Retrieved April 18, 2022, from https://www.techtarget.com/searchsecurity/definition/cold-boot-attack

Coos, A. (2021, June 23). How to protect your data at rest. Endpoint Protector Blog. Retrieved April 18, 2022, from https://www.endpointprotector.com/blog/how-to-protect-your-data-at-rest/

Way to protect from cold boot attack. (n.d.). Information Security Stack Exchange. Retrieved April 18, 2022, from https://security.stackexchange.com/questions/226827/way-to-protect-from-cold-boot-attack



