A Cold Boot Attack is a technique designed to capture data directly from a computer’s RAM, where critical and sensitive information is often stored. What kind of data? It could be almost anything: passwords, encryption keys, user login data, or even active sessions, which could provide attackers with extensive access to the system. In short, the attacker is after any information held in RAM during computer operation, and the Cold Boot Attack allows them to retrieve it.
This attack relies on cooling down the RAM to slow the “decay” of data, which normally vanishes quickly after power is cut. By chilling the memory modules, the attacker can extend the time that data remains accessible, giving them the opportunity to capture it. In early 2024, I had the chance to test this technique during real pentest (https://www.securitum.com/public-reports/medical-company-en.pdf), using simple, easily available tools: a can of compressed air (found in most electronics stores) and a USB stick with memory-dumping software.
During my tests, I used the tool bios_memimage64, which can be found here:
https://github.com/baselsayeh/coldboot-tools/
What is bios_memimage64? This specialized tool allows RAM dumping at the BIOS or EFI level on 64-bit systems. By accessing low-level memory directly, it enables the capture of data stored in RAM, which is useful for analyzing vulnerabilities like the Cold Boot Attack.
How Does the Attack Work?
The target computer must be powered on or in sleep mode (hibernation won’t work), but the user doesn’t need to be logged in. First, the computer’s casing must be opened to access the RAM modules.
Then, compressed air, held upside down, is used to cool the RAM modules, which effectively lowers their temperature. Cooling slows down the decay of data when power is disconnected, giving a few extra seconds to capture it.
Next comes the critical phase of the attack. The power is cut (for laptops, the battery must also be removed), then quickly reconnected. Thanks to the cooling effect, the data in RAM remains “frozen” and doesn’t vanish instantly. At this point, we boot the computer from a prepared USB stick with bios_memimage64. It’s essential to set the correct boot order, which can be done via the Boot Menu or directly in BIOS/UEFI Setup. Once booted, the bios_memimage64 screen appears, and the RAM dumping process to the USB stick begins.
What if there’s no access to BIOS to change the boot order? In this case, the RAM modules can be removed and inserted into another device that we control.
Cold Boot Attack demonstrates how seemingly harmless and accessible tools can be used to capture confidential data if the attacker has physical access to the device. This type of attack emphasizes the importance of securing hardware from unauthorized access, especially in public or office spaces where sensitive data is stored.
Analyzing the Dump: What Can Be Retrieved?
Once the RAM has been dumped, the data can be analyzed to retrieve valuable and sensitive information. In the context of my penetration test, I was able to extract the full-disk encryption FDE key from the memory dump, which allowed me to decrypt the disk and access all stored data. This demonstrates how Cold Boot Attack can expose critical security elements, making it an effective tool for attackers with physical access.
To analyze the RAM dump, various forensic tools can be used, such as Volatility, Rekall, or custom scripts designed to search for encryption keys, passwords, session tokens, or other sensitive data stored in memory. By scanning the dump, one can locate cryptographic keys, credentials, or even open application data. This kind of analysis reveals just how much valuable information remains in RAM and how easily it can be exposed in a Cold Boot scenario.
Threats and Risks for Companies and Users
Cold Boot Attack poses a significant threat to both companies and individual users. This attack enables access to valuable information stored in RAM, making it particularly dangerous for sectors like finance, healthcare, law, and public administration, where large amounts of sensitive data are processed.
As a result of a Cold Boot Attack, companies risk leaks of sensitive data, such as client information, contract details, or encryption keys used in security systems. The fallout can go beyond data privacy violations, as it can also erode customer trust, making them see the company as vulnerable to security threats.
How to Protect Against Cold Boot Attacks: Key Security Measures
Cold Boot Attack exploits physical access to the device to capture data from RAM. Here are some effective ways to improve security:
- Don’t leave your laptop unattended – reduces the risk of unauthorized physical access.
- Use hibernation instead of sleep mode – hibernation moves data from RAM to disk, reducing attack risk.
- Use UEFI – provides additional security options compared to traditional BIOS.
- Enable Memory Scrambling – if available, it encrypts data in RAM, making it harder to read.
- Disable automatic disk unlocking – limits access to data at startup.
- Enable AMD-V or Intel VT-d – these technologies increase memory isolation.
- Enable Intel TME or AMD SME – encrypts the entire system memory, protecting RAM data.
- Exclude USB from the boot order – prevents the computer from booting from external drives.
- Set a strong password for UEFI/BIOS – at least 20 characters, including uppercase, lowercase letters, numbers, and special characters, without company-related phrases.
These simple steps can help protect sensitive data and enhance security against Cold Boot Attacks.
