What You Need to Know About Cold Boot Attacks

When your workers are finished working for the day, do they shut down their computers or put them into sleep mode? If work laptops and/or PCs take a while to boot up in the morning, your employees may put them in sleep mode at the end of the day to save time accessing email and work files in the morning. However, hackers know this and have used this personal impatience to their benefit.

What are Cold Boot Attacks?

Cold boots occur when the power is abruptly shut off to a computer. This is traditionally done when a computer “freezes up” and the only course of action is to shut it off from its power source. Hackers have devised a way to access a “sleeping computer”, invoke a cold boot, providing access to sensitive data residing in the computer’s RAM.

To understand what cold boot attacks are, it’s important to understand RAM. RAM (Random Access Memory) encompasses temporary computer files that are created when a computer is in use. This type of data (which can include encrypted passwords, personal data, confidential work files) is not stored permanently in a computer’s memory (ROM Read Only Memory) so when the computer is put into sleep mode, these remain. Therein lies the problem.

When the work is done for the day and the computer is put in “sleep” mode the data residing in the RAM remains for a hacker to steal. Cold boots are not new to the hacker world. However, known fixes for these types of invasive thefts have evolved, getting around the safeguards put in place when these types of computer attacks were put into play around 2008.

Physical Access is Needed

The key thing about cold boot attacks is it does require physical access to the computer. Cold boot attacks are not done remotely via an internet connection. Hackers must physically manipulate a computer’s firmware settings to access the data residing in the computer’s RAM.

This is how it works:

  1.    A computer is left unattended and a hacker physically accesses it
  2.    The firmware settings are manipulated
  3.    The attacker performs a cold boot attack via the USB port
  4.    Attacker gains access to encrypted/sensitive data

This means there are simple policies that employees can follow to protect work computers from falling victim to cold boot attacks.

Never Leave Unattended

Cold boot attacks can happen in a matter of minutes. According to F-Secured, there is no easy fix to prevent these attacks from taking place. The best policy is to never leave a computer unattended, especially where unauthorized personnel has ready access. This includes coffee shops, airports, libraries — you name it. If the computer is left unattended, it will be vulnerable, bottom line.

To remove human error from the equation, end users and/or companies can provide advanced protection by:

  • Configuring computers to force shut-down or hibernate (encrypted data is not retained in the RAM during “hibernate” mode, only “sleep” mode) after a certain period of disuse
  • Requiring BitLocker PIN entry upon computer restore or power up (Apple users can set a firmware password to provide advanced protection for MACs without 2T Chip)
  • Establishing an incident response plan to deal with missing devices ASAP

However, the easiest way to protect company computers from being attacked is for employees to shut down the computers when they are left unattended (e.g. during lunch break) or when the employee leaves work for the day. After all, prevention is the best policy when addressing security concerns.

SACS Can Help Keep Your Organization Safe and Secure

Contact the experts at SACS Consulting & Investigative Services, Inc. for unique security insight and training for your staff. We provide HR services to establish sound policies and procedures, security services and training to ensure employee buy-in and know how. Call us at 330-255-1101 to speak with one of our HR, security or training professionals today.