Performing and mitigating against a cold boot attack

So I recently watched the LTT video myth busting tech shows

In this video Wendel mentions you can freeze ram with an air can. At first I kind of just accepted the statement but then my wheels started turning. I started to think more and more about how this would work and how to defend against physical data dumping attacks. I am now looking to do this myself for fun.

To start I think we need to come up with a set of physical possibilities and their security implications:

  1. No disk encryption and no swap
    - In this case you would be able to read the disk but to access information in ram such as an active browser session or keepass you would need access to the memory
  2. Swap not encrypted
    - In this there would be two possibilities. The first would be the system running normally. This would mean that there would be data in memory but there also could be something in swap. The other case could be that a device is either suspended to disk or can be forced to suspend to disk from a lock screen.
  3. no swap
    - This would mean that usable data would be in memory only. To attack it you would need a memory dump.

Potential attack vectors:

  1. Attacking the OS (considered out of scope here)
  2. getting the system to hibernate to unencrypted swap
  3. getting the system to do a hard freeze followed by a warm boot
  4. Maybe something else

Potential exploits:

  1. clicking the suspend to disk button (not really an attack)
  2. Pulling power and then freezing ram before booting from a dump program
  3. triggering a hard reboot. Maybe this could be a kernel panic. I think it could be possible to cause the system to enter into an unstable state or at least cause it to think there is a problem.
  4. removing the ram in a running system (This probably would lead to magic smoke)

For both 2 and 3 you would need some sort of dump program. I think it would be possible to write a statically compiled C program that simply reads the data in memory and then writes it to a disk. Ideally this should be an EFI boot with fat file system. I suspect people have done this before but I could not find any FOSS software to do this. If I end up writing my own program I will publish it GPLv3.

Ok, thanks for reading my brain dump. I might swing around to this when I get more time. I think it would be really cool to exploit myself. If you know how to do a successful exploit or you have useful information to help me get started let me know.

1 Like
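
The swap scenarios listed in the post above can be checked on a Linux host from the defender's side. This is an added example, not code from the thread: `classify_swap`, its labels and the sample inputs are constructed for illustration, and it assumes dm-crypt volumes report a uuid starting with `CRYPT-` under `/sys/block/dm-*/dm/uuid` and appear in `/proc/swaps` as `/dev/dm-N`.

```python
import os

# Constructed sample inputs (not taken from a real machine).
SAMPLE_SWAPS = (
    "Filename Type Size Used Priority\n"
    "/dev/sda2 partition 8388604 0 -2\n"
    "/dev/dm-1 partition 4194300 0 -3\n"
    "/dev/zram0 partition 2097148 0 100\n"
    "/swapfile file 1048572 0 -4\n"
)
SAMPLE_DM_UUIDS = {"dm-1": "CRYPT-LUKS2-0123456789abcdef-cryptswap"}
SAMPLE_POWER_STATE = "freeze mem disk\n"

def classify_swap(proc_swaps, dm_uuids, power_state):
    """Return (per-device findings, hibernate_risk).

    proc_swaps  -- contents of /proc/swaps
    dm_uuids    -- {"dm-1": uuid} read from /sys/block/dm-*/dm/uuid
    power_state -- contents of /sys/power/state
    """
    findings = {}
    for line in proc_swaps.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        path, kind = fields[0], fields[1]
        name = os.path.basename(path)
        if name.startswith("zram"):
            findings[path] = "ram-backed"         # compressed RAM, never hits disk
        elif kind == "file":
            findings[path] = "check-backing-fs"   # only as safe as the filesystem under it
        elif dm_uuids.get(name, "").startswith("CRYPT-"):
            findings[path] = "encrypted"          # dm-crypt mapping
        else:
            findings[path] = "plaintext"          # the "swap not encrypted" scenario
    can_hibernate = "disk" in power_state.split()
    # Suspend-to-disk writes RAM into swap; with plaintext swap that image
    # is readable from the disk without touching the memory modules.
    hibernate_risk = can_hibernate and "plaintext" in findings.values()
    return findings, hibernate_risk

if __name__ == "__main__":
    findings, risk = classify_swap(SAMPLE_SWAPS, SAMPLE_DM_UUIDS, SAMPLE_POWER_STATE)
    for dev, label in findings.items():
        print(f"{dev}: {label}")
    print("hibernate-to-plaintext-swap possible:", risk)
```

An empty result with `hibernate_risk` false corresponds to the "no swap" scenario, where anything of value lives only in RAM.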

Hak5 had a demo on this ages ago. They used a USB boot drive with some microscopic tool on it.

An Austrian hole punch manufacturer has your back. :wink:

Seriously though, the way you defend against any sort of physical attack is destruction of the device or preventing people from getting physical access.

Once you have physical access, it’s only a matter of time.

1 Like

Would Ryzen Pro’s memory encryption make a difference? [Whitepaper]

The RAM chips are sitting ducks with a bit of training on how to handle them, but if the necessary material needed to turn the contents into something readable were embedded in something much harder to extract…

I think it’s a bit of a nothing-burger in general, though, isn’t it? Suspending the system and then hotwiring memory, or using a wake exploit for ACE is already a really narrow and specific use case, and in the desktop world, it’s pretty much only relevant for intercorporate or international espionage.

IIRC, there’s already work being done in the linux kernel to have kernel messaging in memory persist across reboots, because it’s useful for system crash diagnostics. Kind of the opposite of this “secure data in memory” nonsense.
This is one of those things where, for 99% of people, the solution is worse than the problem, and the remaining 1% can afford to have special purpose-built ultra-secure hardware instead of off-the-shelf commodity parts.
Your government needs that level of data security and isn’t willing to pay for it, so scratch that use case.
Big corporations want it, because of the illusion of thought ownership we’ve all been brainwashed into believing is real.
Do we really need corporate feudalism that badly to care about this? Everyone else is just being gaslit into thinking it really matters.

We already have black-box security coprocessors to deal with encrypting important data like passwords, don’t we? Should those even be stored in RAM in the first place? Certainly not unencrypted, and scrambling the scrambled scramble is just a waste of resources.

1 Like

I’m operating under the assumption that this is a thought experiment.


At the bottom of the whitepaper, they specifically mention cold boot attacks as the purpose for this security.

I’d have to get my hands on a can of air and a ryzen-pro laptop to test this, but I suspect it probably would protect against it, but I’m having a hard time following exactly how this works, in the whitepaper.

Is soldered on RAM an advantage in this case? Or something fully integrated like Apple CPUs.

This might be more of an advantage, from the heat decay perspective. It’s gonna be really hard to cool the ram down enough.

I can’t say soldered ram will be a bigger benefit, unless your system relies on transplanting to custom motherboards.

All of your hypothetical attacks have been seen in the wild. Typically only at the nation state level, but it does happen daily.

regarding hardware solutions: Black boxes are invariably backdoored by at least 1 nation state but it’s (typically) incompetence rather than malevolence

Notable exceptions being network hardware that refuse to be NDAA/TAA compliant (ubiquiti in particular) as several have backdoors straight to the CCP.
(wireshark your WAN before responding to this)

If you want to mitigate, start with the BIOS/UEFI firmware and work up

libreboot and coreboot are open source firmware options for mostly thinkpads cause 1337 haxxors use IBM thinkpads…

Then it becomes a chore of physically disabling any proprietary firmware containing devices such as WLAN/NIC interfaces, cameras, speakers, etc.

Work your way up to the OS.

Your theoretical potential exploits already exist as “Row Hammer” and its derivatives regarding memory attacks and again, these have been seen in the wild.

I did not see the video, but rest assured that our intelligence agencies have the ability to remove RAM from a running system and recover the information on another external machine.

Encrypted memory has made this attack far less successful than simply utilizing exploits on the running machine(s).

All I’m hearing from this post is that the industrial revolution and its consequences have been a disaster for mankind.

2 Likes

Now hold on,

The industrial revolution gave us iPhones, Tinder, and TikTok…

2 Likes

I think the biggest implication of this is incrimination. When law enforcement takes a device they should immediately get access. You can of course argue that if you do nothing wrong you have nothing to hide but laws do change from time to time and I think it is really important to protect personal liberties. Also this has implications in countries such as China and Russia as law enforcement there are basically free to do whatever they want. Admittedly they still could force you to decrypt a device or they could torture you to get information. However, imagine a scenario where they try to find everyone who was a part of a group. This could be a protest or political dissident group. You want the members of said group to stay hidden. This is where having memory precautions would be good. It also would be critical to not have anything on disk encrypted or otherwise.

The chances of someone here needing to care about anything like this are pretty much zero. However, it is an interesting experiment and could help someone who needs to stay hidden.

1 Like