TID-109: RAM Chip Contents Readout
Threat Description
If a threat actor can physically access a RAM chip, they may be able to read out the contents of the chip. Multiple techniques can be used to extract the contents of RAM, including both runtime and physical access. For example, the threat actor can use a cold-boot attack, physically cooling the RAM to minimize the decay of the electrical charge and then physically copying the contents of that RAM.
Through these methods, critical data, including firmware or secrets (such as passwords and cryptographic keys), may be vulnerable to extraction. Extraction of this information could then lead to reverse engineering to identify vulnerabilities, abusing secrets to gain unauthorized access, or subverting at-rest encryption schemes.
Threat Maturity and Evidence
Proof of Concept
Cold Boot Attacks
“We provide an independent study based on 12 computer systems with different hardware configurations that verifies the empirical practicability of cold boot attacks against DDR1 and DDR2”
Cryo-Mechanical RAM Content Extraction Against Modern Embedded Systems
CWE
CWE-311: Missing Encryption of Sensitive Data
“The product does not encrypt sensitive or critical information before storage or transmission.”
CWE-1384: Improper Handling of Physical or Environmental Conditions
“Hardware products are typically only guaranteed to behave correctly within certain physical limits or environmental conditions. Such products cannot necessarily control the physical or external conditions to which they are subjected. However, the inability to handle such conditions can undermine a product’s security. For example, an unexpected physical or environmental condition may cause the flipping of a bit that is used for an authentication decision. This unexpected condition could occur naturally or be induced artificially by an adversary.”