Ang Cui, founder and CEO of Red Balloon Security along with colleagues Grant Skipper and Yuanzhe Wu have developed a robot that can collect decrypted data from DD3 RAM modules. The robot has successfully been demonstrated on a Siemens SIMATIC S7-1500 PLC and on the DDR3 DRAM in a CISCO IP Phone 8800.
The robot costs somewhere in the neighbourhood of $2000 dollars and uses a $500 CNC machine bought from AliExpress as its base combined with a field programmable gate array and an ESP32 microcontroller running micropython to simplify the attack. Cui believes that the attack is applicable to more sophisticated and modern DD4 and DDR4 memory chips as well, but would require a more expensive FPGA-based memory readout platform.
Cold boot attacks historically work by freezing memory chips to about -50 degrees Celsius, which in turn freezes the data on the chip for several minutes — long enough for it to be powered off and still retain the data for extraction.
Cui’s robot literally freezes one RAM chip at a time which is then pulled from the board and read using an FPGA fixture. In an interview with The Register, Cui explains that the process works “surprisingly well”. The robot can already read up to five memory chips at a time now.
Data extracted from such chips can include decryption keys and the bootloader core, which in case you have encrypted firmware on flash, can lead to the boot ROM. With his approach, the entire physical memory can be extracted, including the code, stack, data and heap.
These attacks can be countered by physical memory encryption, something that’s already found in game consoles like the Xbox and the PS5. However, Cui explains that effectively none of the PLC CPUs on the planet, a lot of which are embedded into critical infrastructure circuitry that all of us depend on aren’t addressing such attacks.
In the News: Over 650,000 “audience segments” found on Microsoft’s ad platform Xandr
