GuardianEdge Security Advisory - Cold Boot Attack

February 25, 2008

Security Overview
On Thursday, February 21, a paper was published by a security research team at Princeton University’s Center for Information Technology Policy. This paper outlines a “Cold Boot Attack” scenario, a way to bypass software-based Full Disk Encryption (FDE) by using the basic characteristics of DRAM found in all PCs.

The approach outlined by the Princeton researchers can be used to pull base disk encryption keys from the DRAM of a targeted machine. The “Cold Boot Attack” affects not only FDE products but also solutions that use the Trusted Computing Group's Trusted Platform Module (TPM) chip, such as Microsoft BitLocker, as well as Microsoft Windows and several leading database applications. This is a hardware attack scenario that exploits a known PC vulnerability – the fact that information stored in DRAM is not cleared the instant that a PC is turned “off.” As a result, this potential attack can only be executed in a very specific environment. In order to exploit this vulnerability:

  • An attacker must defeat an organization’s existing physical security precautions to take physical control of a PC.
  • The stolen PC must either be in “standby” mode, or have been powered off (i.e., “shut down” or “hibernated”) within 1 to 2 minutes prior to an attempt on the system.

What GuardianEdge Customers Should Know
Risk exposure to GuardianEdge customers is minimal. FDE solutions remain an important component of a complete endpoint data protection strategy, to be used in conjunction with security industry best practices.

Users of the GuardianEdge Hard Disk Encryption product are advised that AES symmetric keys are not loaded into memory until the user authentication step has been completed. This step is required when the machine is either coming out of hibernation or being booted from a shut down or cold state. Also, even if the GuardianEdge Hard Disk keys are accessed in memory, a unique AES initialization vector still needs to be created to encrypt or decrypt each sector of the disk. Because of this, the attacker would need to figure out the seeding algorithm and key expansion methodology to recover data from the disk – making compromise of the GuardianEdge Hard Disk product highly unlikely.

GuardianEdge will continue to develop additional methods of protection against the “Cold Boot Attack” scenario. In the interim, the company is already encouraging enterprise security administrators to take the following steps:

  • Disable the “standby” function on PCs so that all machines are powered down when they are turned “off” (either via “shut down” or “hibernate” in Windows parlance)
  • Restrict the ability to boot from removable media by taking steps such as requiring an administrative password to change the boot sequence in BIOS to allow boot from sources other than the primary drive
  • Use machines with BIOS that tests and initializes the memory through “power on self test”
  • Physically secure DRAM to the machine to make it difficult to remove quickly and without damage
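
One way to apply the first recommendation above on a single Windows machine, as an added example that is not GuardianEdge code. It assumes Windows Vista or later, an elevated PowerShell prompt, and the built-in powercfg setting aliases (listable with powercfg /aliases); the helper name Invoke-PowerCfg is hypothetical.

```powershell
# Added example (not GuardianEdge code): replace "standby" with "hibernate"
# in the active power plan. Run from an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'

# Hypothetical helper: run powercfg and stop on the first failure.
function Invoke-PowerCfg {
    param([string[]]$Arguments)
    & powercfg.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "powercfg $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Hibernate has to be available before it can take the place of standby.
Invoke-PowerCfg @('/hibernate', 'on')

# Button and lid action values: 0 = do nothing, 1 = sleep (standby),
# 2 = hibernate, 3 = shut down.
$Hibernate = '2'

# Apply the same settings on AC power and on battery.
foreach ($mode in '/setacvalueindex', '/setdcvalueindex') {
    # Idle timeout before standby, in seconds; 0 means never enter standby.
    Invoke-PowerCfg @($mode, 'SCHEME_CURRENT', 'SUB_SLEEP', 'STANDBYIDLE', '0')

    # Lid close, power button and sleep button all hibernate instead of sleeping.
    foreach ($setting in 'LIDACTION', 'PBUTTONACTION', 'SBUTTONACTION') {
        Invoke-PowerCfg @($mode, 'SCHEME_CURRENT', 'SUB_BUTTONS', $setting, $Hibernate)
    }
}

# Re-activate the plan so the new values take effect immediately.
Invoke-PowerCfg @('/setactive', 'SCHEME_CURRENT')

# Print the resulting sleep and button settings for review.
Invoke-PowerCfg @('/query', 'SCHEME_CURRENT', 'SUB_SLEEP')
Invoke-PowerCfg @('/query', 'SCHEME_CURRENT', 'SUB_BUTTONS')
```

These settings apply to the active power plan on one machine; a user who can change power plans can still re-enable standby unless the settings are also enforced centrally.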

Customer Support
GuardianEdge technical staff is available to answer any questions that current customers may have. For additional information, please visit: http://www.guardianedge.com/support/. Customers with standard support should call 1-866-274-9083. Customers with premium support should call 1-800-328-6814.
