Are there any tricks or guides out there to protect from this attack? Obviously not leaving hardware running and unattended, but what else can help protect you if your running laptop is stolen out of your hands? Workstations can be configured to shutdown upon intrusion switch being activated but what about laptops? I guess hot gluing the RAM in would be a physical obstacle. What about a BIOS password being required for booting from external media or having secure boot enabled? There are exploits to bypass those things, but to an attacker not finding out they are up against that until they reboot, I would hope that would slow them down enough that they fail. If half of or all of the RAM is mounted under the keyboard, I think they would have difficulty getting it out in time. Besides spraying the RAM directly, can you freeze an entire laptop while it's still running? Won't condensation cause problems pretty quickly?
Have the laptop continually monitor the physical environment - if anything abruptly changes, system automatically locks. If a decryption key is not provided after X seconds, force a reboot.<p>Something like bluetooth beacon paired to discreet BLE jewelry, WiFi signals -if the paired connection suddenly disappears, newly inserted human input devices (mouse jugglers to disable screensavers), unregistered face-detected, minimal gryoscope add-on looking for sudden velocity change, etc<p>All of these carry significant usability trade-offs, so probably only worthwhile if you are running the Silk Road and actively hiring hitmen.
Hardware memory encryption, with key randomly generated per-boot within the memory controller.
on AMD/Intel CPUs from the last 5 years you just need to enable hardware memory encryption in the BIOS
Encrypted MMU were very common on enterprise hardware at one time.<p>Now, memory can be cryogenic spray treated (upside-down air-duster) and removed within a minute... the content can be reader dumped for key recovery. This is why systems are bolted to the floor, and locked. It buys time to armadillo a system, and lock the SMART power-cycle tamper detection.<p>With physical access it is almost impossible to block forensic recovery with colocated keys. TPM and IME would be illegal if they actually worked. lol =3
@Retr0id is absolutely right. Hardware-level memory encryption (like AMD SME or Intel TME) is the ultimate silver bullet here. The encryption key is generated by the CPU/memory controller per-boot and is lost the moment power is cut, making the RAM contents useless even if frozen.<p>To answer @floralhangnail's questions from the perspective of how my dumper operates:<p>Removing RAM vs. Rebooting: My tool actually doesn't require removing the RAM sticks at all! The attack involves freezing the RAM in place, performing a hard power-off, quickly swapping the main system drive with my prepared USB/drive, and powering back on. So physical obstacles like hot-gluing the RAM or hiding it under the keyboard won't stop this specific reboot-based attack.<p>BIOS Passwords & Secure Boot: You nailed it—these are your best practical defenses on standard hardware. If a BIOS password prevents booting from external media, or if Secure Boot blocks my unsigned 16-bit bootloader, the time it takes to bypass them means the RAM bits will decay. This is exactly why my dumper targets systems with CSM/Legacy BIOS enabled and boot options accessible.<p>Condensation & Freezing: You don't freeze the entire laptop. You open the bottom cover and spray inverted canned air (-60°C) directly onto the memory modules. Condensation definitely happens and will eventually short the board, but the hardware usually survives just long enough (the few minutes needed) to complete the raw memory dump to disk.<p>P.S. I'm using AI to translate my messages because I don't speak English. Hope this clears up the physical attack vector!
I'm not an expert but why would a sufficiently sophisticated attacker not be able to extract the key from SME/TME type hardware protections? I'm thinking about government type attackers who can do extremely sophisticated things to hardware in a lab, not hobby type people.
SME/TME keys are stored directly inside the CPU's memory controller, not in the RAM. To extract them, even a state-sponsored attacker would need to decap the physical CPU and probe the silicon while it is powered on, or find a zero-day hardware vulnerability in the processor itself. Freezing the RAM is useless in this scenario because the RAM modules only contain ciphertext.
Excellent info, thank you.<p>I still think with laptops that have 2 RAM sticks under the bottom cover and the other 2 sticks underneath the keyboard, the spray can attack would be trickier. I assume though it's possible the attacker can keep the laptop running while the palmrest and keyboard are being disassembled. If the attacker cannot freeze all sticks of RAM though, would the attack be less likely to be successful? Would the disk encryption key be spread across all RAM sticks, or possibly just one?<p>I will look more into the hardware memory encryption as suggested.
for SecureBoot you could use the Linux shim bootloader, to boot your stick, or a tiny Linux that runs your code, right?
Booting a tiny Linux kernel would overwrite way too much RAM, destroying the exact data (like crypto keys) we want to recover. That's why my bootloader is strictly 512 bytes to minimize the footprint.<p>As for the shim bootloader: it only chainloads signed EFI binaries. To run a custom unsigned bare-metal dumper through it, you would have to use a known vulnerable version of shim (like the one from the BootHole vulnerability) to bypass the signature check for the next stage. It's possible in theory, but adds a massive layer of complexity compared to just using CSM.<p>Guys, I'm writing using a translator without AI now. Are you happy?
Just as a side note, memory encryption isn't limited to niche secure hardware anymore. Mainstream x86 CPUs have supported it for years: AMD has SME/TSME (and SEV on the server side), while Intel provides TME/MKTME. The memory controller transparently encrypts DRAM contents with hardware-managed keys, so protection against physical memory extraction attacks is already available on many ordinary PCs and servers.