back to article Robot can rip the data out of RAM chips with chilling technology

Cold boot attacks, in which memory chips can be chilled and data including encryption keys plundered, were demonstrated way back in 2008 – but they just got automated. That original type of attack has been improved and automated in the form of a memory-pilfering machine that can be yours for around $2,000, with a bit of self- …

  1. martinusher Silver badge

    I am humbled... the sheer ingenuity displayed by this work.

    It is reasonable to assume that a very well financed organization, maybe one with a three letter name, has already figured this out. This may explain the otherwise inexplicable reasoning behind China's ban on Micron memory "for security reasons". Although if Micron were particularly vulnerable to attack then its likely that other memory suppliers were also vulnerable.

    1. 42656e4d203239 Silver badge

      Re: I am humbled...

      >>This may explain the otherwise inexplicable reasoning behind China's ban on Micron memory "for security reasons".

      Alternatively the PRC could have banned Micron memory because it, in some use case, is encrypted and they can't use this technique to read the DRAM of some device they want to, err, security check?

    2. Richard 12 Silver badge

      Re: I am humbled...

      This attack has nothing to do with who made the DRAM.

      It would work with absolutely any type or manufacturer of DDR. All you need to do is get or make a compatible jelly pogopin, and Eve can have her fun.

      China is just being protectionist, same as the USA.

  2. Mishak Silver badge

    What about "chip stacks"?

    Can this be used to attack devices where the DRAM is physically stacked on top of the CPU (RPi, Apple, ...)?

    1. John Brown (no body) Silver badge

      Re: What about "chip stacks"?

      ...or if the chip is glued to the PCB so just de-soldering it stops being an option?

  3. Pascal Monett Silver badge

    You have physical access

    So this is just one more thing miscreants could get their mitts on.

    Now, when I read "and through using ball grid array (BGA) packaging", I am intrigued. How does BGA packaging make it more difficult to "read" a RAM chip ?

    1. Neil Barnes Silver badge

      Re: You have physical access

      Well, you can't see the pins... and with BGA it's almost certainly a multilayer board which makes it also a little tricky.

    2. This post has been deleted by its author

    3. DwarfPants

      Re: You have physical access

      No visible legs on the chip for their spring clip thingy to attach to in the milliseconds they have available. I guess if you have the access and the time you could de-solder them from the board and stick some extension legs in between it and the board, then do the freezy thing.

    4. Richard 12 Silver badge

      Re: You have physical access

      It makes it impossible to get to the pins without removing the chip from the board.

      I for one previously assumed this made the freeze attack impossible, as desoldering the BGA requires very hot balls - which one would expect to defeat the attack.

      It appears that I was mistaken, this is most impressive.

  4. Anonymous Coward
    Anonymous Coward

    I'm not worried

    This is lovely tech but the conditions required to make this work are at best special.

    This is only going to be useful in a small number of extreme use cases, and it's not exactly portable or ready for mass deployment, especially with all the cryo gear and the specialised knowledge to make it all work and benefit from the output.

    Cool (sorry) theoretical exercise but not practical.

    1. Caver_Dave Silver badge

      Re: I'm not worried

      Stealing IP or secrets is always of benefit to certain actors.

      I've seen Flash with the top of the package removed, wires soldered on and connected to an ICE. It was thrown together to prove to manglement how easy it was. After that (and in a more sophisticated manner, due to trace length and buffering) the engineers put the processor into halt and interrogated the RAM (cold can also be used to extend refresh cycles).

      FPGA/CPLD is a step harder as most use encrypted configurations.

      Given enough manpower and motivation anything is possible. Governments and TLAs have plenty of both and even modest size companies can enter the game.

  5. Paul Crawford Silver badge

    Every PLC [programmable logic controller] CPU on the planet effectively. A lot of the critical infrastructure embedded things that we depend on, almost none of them are addressing this kind of attack

    If you have physical access to the PLC you don't need this for attack. What it might help with is making signed binaries for remote loading, but really the elephant in the room here is the simple fact you can remotely load a binary. At that point you have a massive security failing already.

    Games are a little different, you might want to run your own code on your own hardware and the bastards have locked it down, this allows DRM bypass with a bit of really cool effort.

    Yes, my joke is as bad at the other commentard =>

  6. Stuart Castle Silver badge

    This is an interesting hack. Thankfully, not easy to implement, as you need physical access to the device being hacked. Hopefully, any company with halfway decent physical security will have some protection.

    That said, there *are* people (especially those working for the various intelligence agencies) who are *very* good at getting hardware or software (on physical media) into a server room without being noticed.

    1. John Brown (no body) Silver badge

      "That said, there *are* people (especially those working for the various intelligence agencies) who are *very* good at getting hardware or software (on physical media) into a server room without being noticed."

      While true, I suspect even a special custom built robot, reader and the cryo gear might be a tad more difficult, even for "them" :-)

      They probably already have easier ways.

    2. Zippy´s Sausage Factory

      As true as this may be, I wonder - if you find the same model of controller as the place you want to attack, then use this technique on that controller, can it help you find a way past the controller while on site, without needing access to it? (Especially if there's any glaringly obvious back doors in the code, like how to put the door controller into maintenance mode, etc?)

      Imagine that the icon on the right has the alt text of "cool idea, but way past my pay grade" =>

  7. Anonymous Coward
    Anonymous Coward

    Billions of blue blistering barnacles. Beam me up, Scotty :-)

    1. Blue Pumpkin

      Mille sabords ….

      … is that you Capitaine Haddock ?

  8. Binraider Silver badge

    Very clever bit of engineering. I'm not sure I buy the PLC target story however.

    If you can get close enough to the hardware, with the hardware you need to deploy this you've already lost security probably by much simpler means.

  9. Colin Miller

    DDR bus snooping

    Is it possible to attach a device to the DDR bus, and snoop on all traffic on it?

    Yes, that is probably like trying to drink from a firehose, but it would give you a wealth of information about what the CPU is doing

  10. IGotOut Silver badge

    Very interesting, but this threw me.

    "It doesn't necessarily increase the security of the product, but it does make... reverse engineering the device a whole lot more difficult. It's kind of just wasting time, getting around some of these hardware things."

    That's like saying having good quality lock on your door doesn't improve security because all it does is make breaking in a lot harder and more time consuming.

  11. Teejay

    When I read articles like these, I always realise how some people are insanely smarter than me.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like