Automated Cryo-Mechanical Robot Plunders Memory Chips in DIY Cold Boot Attack

Learn about the latest automated cold boot attack demonstrated at the REcon reverse engineering conference in Canada. Discover how a Cryo-Mechanical RAM Content Extraction Robot can be used to extract decrypted data from DDR3 memory modules.


An automated cold boot attack has been developed in the form of a Cryo-Mechanical RAM Content Extraction Robot. The device, created by Ang Cui and his team at Red Balloon Security, is designed to collect decrypted data from DDR3 memory modules, enabling attackers to steal sensitive information such as encryption keys. The technology targets devices whose manufacturers have made it increasingly difficult for hackers to get at their internals through security measures such as disabled JTAG debugging interfaces and UART circuitry, ball grid array (BGA) packaging, and encrypted firmware.

This automated method builds upon the original cold boot attack demonstrated in 2008, in which a laptop's DRAM was chilled with an inverted can of compressed air so that its contents persisted long enough to be read out. The robotic device freezes individual memory chips to preserve the contents of physical memory, which is then read using a field-programmable gate array (FPGA) and a MicroPython-based controller.

Unlike the original attack, which required compressed air and a lot of manual effort, the Cryo-Mechanical RAM Content Extraction Robot simplifies the process and makes it far less onerous. By using a conductive elastomer IC test socket and an affordable CNC machine, the device can be assembled for around $2,000, making it accessible to anyone with the technical skills and the intent to compromise information security.

The Cryo-Mechanical RAM Content Extraction Robot has already been shown to be effective against the DDR3 DRAM in a Cisco IP Phone 8800 series and a Siemens SIMATIC S7-1500 PLC. Cui's team believes the device is also applicable to DDR4 and DDR5 devices, given a more expensive FPGA-based memory readout platform.

Cui acknowledges that physical memory encryption can counter this form of attack. However, many critical infrastructure embedded devices have yet to adopt such encryption, leaving them vulnerable to a Cryo-Mechanical RAM Content Extraction Robot or similar attacks.