What is a Cold Boot Attack and how can you stay safe?
A Cold Boot Attack is yet another method used to steal data. What makes it special is that the attacker has direct, physical access to your computer hardware or to the whole computer. This article explains what a Cold Boot Attack is and how to stay safe from such techniques.
What is Cold Boot Attack
In a Cold Boot Attack, also called a Platform Reset Attack, an attacker who has physical access to your computer does a cold reboot to restart the machine in order to retrieve encryption keys from the Windows operating system.
We were taught in school that RAM (Random Access Memory) is volatile and cannot hold data once the computer is switched off. What we should have been told is that RAM cannot hold data for long once the computer is switched off. That means RAM still holds its data for a few seconds to a few minutes before it fades out due to the lack of an electricity supply. Within that very short window, anyone with the proper tools can read the RAM and copy its contents to safe, permanent storage using a different, lightweight operating system booted from a USB stick or SD card. Such an attack is called a cold boot attack.
Imagine a computer lying unattended at some organization for a few minutes. A hacker only has to set his tools in place and turn off the computer. As the RAM cools down and its data slowly fades, the hacker plugs in a bootable USB stick and boots from it. He or she can then copy the contents onto something like the same USB stick.
Since the nature of the attack is turning off the computer and then using the power switch to restart it, it is called a cold boot. You might have learned about cold boot and warm boot in your early computing years. A cold boot is where you start a computer using the power switch. A warm boot is where you restart a computer using the restart option in the shutdown menu.
Freezing the RAM
This is yet another trick up the hackers' sleeves. They can simply spray a substance (for example, liquid nitrogen) onto the RAM modules so that they freeze immediately. The lower the temperature, the longer RAM can hold information. Using this trick, hackers can complete a Cold Boot Attack and copy the maximum amount of data. To speed up the process, they use autorun files on the lightweight operating system on the USB stick or SD card, which is booted soon after shutting down the computer being attacked.
Steps in a Cold Boot Attack
Not everyone necessarily uses an attack style similar to the one given below. However, the most common steps are listed below.
- Change the BIOS settings to allow booting from USB first
- Insert a bootable USB stick into the computer in question
- Turn off the computer forcibly so that the processor doesn't get time to dismount any encryption keys or other important data; a proper shutdown may also work, but it may not be as successful as a forced shutdown by pressing the power key or other methods
- As soon as possible, use the power switch to cold boot the computer being attacked
- Since the BIOS settings were changed, the OS on the USB stick is loaded
- Even as this OS is loading, autorun processes extract the data stored in RAM
- Turn off the computer again after checking the destination storage (where the stolen data is stored), remove the USB stick, and walk away
What information is at risk in Cold Boot Attacks
The information most commonly at risk is disk encryption keys and passwords. Usually, the aim of a cold boot attack is to retrieve disk encryption keys illegally, without authorization.
The last things to happen in a proper shutdown are dismounting the disks and encrypting them with the encryption keys, so if a computer is turned off abruptly, that data may still be available to the attacker.
Securing yourself from Cold Boot Attack
On a personal level, all you can do is make sure that you stay near your computer until at least 5 minutes after it is shut down. Another precaution is to shut down properly using the shutdown menu, instead of pulling the power cord or using the power button to turn off the computer.
You can't do much, because this is largely not a software issue; it has more to do with the hardware. So equipment manufacturers should take the initiative to remove all data from RAM as soon as possible after a computer is turned off, to protect you from cold boot attacks.
Some computers now overwrite RAM before shutting down completely. Still, the possibility of a forced shutdown is always there.
The technique BitLocker uses is to require a PIN to access RAM. Even if the computer has been hibernated (a state in which the computer is turned off), when the user wakes it up and tries to access anything, he or she first has to enter a PIN to access RAM. This method is not fool-proof either, as hackers can obtain the PIN through phishing or social engineering.
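The PIN protection described above only helps if it is actually configured. The following is an added check, not code from the article: it lists every BitLocker volume and flags an operating-system volume that is protected by the TPM alone (no pre-boot PIN), assuming an elevated PowerShell session on Windows with the BitLocker module available.

```powershell
# Added example (not from the article): report BitLocker volumes whose
# protection does not require a pre-boot PIN. Run elevated on Windows;
# uses the standard BitLocker module cmdlet Get-BitLockerVolume.

# Key protector types that prompt for a PIN before Windows starts.
$preBootPinTypes = @('TpmPin', 'TpmPinStartupKey')

$report = foreach ($vol in Get-BitLockerVolume) {
    # Collect the protector type names configured on this volume.
    $types  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $hasPin = (@($types | Where-Object { $preBootPinTypes -contains $_ })).Count -gt 0

    # Only the OS volume is unlocked before Windows boots; a TPM-only protector
    # there releases the volume key into RAM with no user interaction, which is
    # exactly the window a cold boot attack relies on.
    $finding = if ($vol.ProtectionStatus -ne 'On') {
        'Protection is not on'
    } elseif ($vol.VolumeType -eq 'OperatingSystem' -and -not $hasPin) {
        'OS volume has no TPM+PIN protector; key is released without a PIN'
    } else {
        'OK'
    }

    [pscustomobject]@{
        Drive      = $vol.MountPoint
        VolumeType = $vol.VolumeType        # OperatingSystem or Data
        Status     = $vol.ProtectionStatus  # On or Off
        Protectors = ($types -join ', ')
        PreBootPin = $hasPin
        Finding    = $finding
    }
}

$report | Format-Table -AutoSize

# Remediation for a flagged OS volume (left commented so the check is read-only).
# Requires the "Require additional authentication at startup" policy to allow a PIN.
# $pin = Read-Host -Prompt 'New BitLocker PIN' -AsSecureString
# Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
```

Data volumes unlocked automatically after the OS volume inherit its protection, so the OS volume finding is the one that matters for this attack.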
Summary
The above explains what a cold boot attack is and how it works. Because of certain limitations, 100% security against a cold boot attack cannot be offered. But as far as I know, security companies are working to find a better fix than simply overwriting RAM or using a PIN to protect the contents of RAM.