Hacker News

floralhangnail, yesterday at 9:16 PM

Are there any tricks or guides out there to protect from this attack? Obviously not leaving hardware running and unattended, but what else can help protect you if your running laptop is stolen out of your hands? Workstations can be configured to shut down when an intrusion switch is activated, but what about laptops? I guess hot gluing the RAM in would be a physical obstacle. What about a BIOS password being required for booting from external media, or having Secure Boot enabled? There are exploits to bypass those things, but for an attacker who doesn't find out they are up against that until they reboot, I would hope it would slow them down enough that they fail. If half or all of the RAM is mounted under the keyboard, I think they would have difficulty getting it out in time. Besides spraying the RAM directly, can you freeze an entire laptop while it's still running? Won't condensation cause problems pretty quickly?


Replies

3eb7988a1663, yesterday at 10:38 PM

Have the laptop continually monitor the physical environment: if anything abruptly changes, the system automatically locks. If a decryption key is not provided after X seconds, force a reboot.

Something like a Bluetooth beacon paired to discreet BLE jewelry, WiFi signals (if the paired connection suddenly disappears), newly inserted human input devices (mouse jigglers to disable screensavers), an unregistered detected face, a minimal gyroscope add-on looking for sudden velocity change, etc.

All of these carry significant usability trade-offs, so probably only worthwhile if you are running the Silk Road and actively hiring hitmen.

Retr0id, yesterday at 9:19 PM

Hardware memory encryption, with key randomly generated per-boot within the memory controller.

himata4113, today at 1:04 AM

I just run everything through a remote-controlled power socket so I can remotely shut down everything, and I also (unintentionally) realized that I can detect when my case is opened by observing the temperature on one of the motherboard sensors, so I thought about making that trigger a shutdown. My laptop shuts down power when opened as a feature already.

Joel_Mckay, yesterday at 10:32 PM

Encrypted MMUs were very common on enterprise hardware at one time.

Now, memory can be cryogenic spray treated (upside-down air-duster) and removed within a minute... the content can be reader dumped for key recovery. This is why systems are bolted to the floor, and locked. It buys time to armadillo a system, and lock the SMART power-cycle tamper detection.

With physical access it is almost impossible to block forensic recovery with collocated keys. TPM and IME would be illegal if they actually worked. lol =3

memoriyato3, yesterday at 10:29 PM

On AMD/Intel CPUs from the last 5 years you just need to enable hardware memory encryption in the BIOS.

liffik, yesterday at 9:26 PM

@Retr0id is absolutely right. Hardware-level memory encryption (like AMD SME or Intel TME) is the ultimate silver bullet here. The encryption key is generated by the CPU/memory controller per-boot and is lost the moment power is cut, making the RAM contents useless even if frozen.

To answer @floralhangnail's questions from the perspective of how my dumper operates:

Removing RAM vs. Rebooting: My tool actually doesn't require removing the RAM sticks at all! The attack involves freezing the RAM in place, performing a hard power-off, quickly swapping the main system drive with my prepared USB/drive, and powering back on. So physical obstacles like hot-gluing the RAM or hiding it under the keyboard won't stop this specific reboot-based attack.

BIOS Passwords & Secure Boot: You nailed it—these are your best practical defenses on standard hardware. If a BIOS password prevents booting from external media, or if Secure Boot blocks my unsigned 16-bit bootloader, the time it takes to bypass them means the RAM bits will decay. This is exactly why my dumper targets systems with CSM/Legacy BIOS enabled and boot options accessible.

Condensation & Freezing: You don't freeze the entire laptop. You open the bottom cover and spray inverted canned air (-60°C) directly onto the memory modules. Condensation definitely happens and will eventually short the board, but the hardware usually survives just long enough (the few minutes needed) to complete the raw memory dump to disk.

P.S. I'm using AI to translate my messages because I don't speak English. Hope this clears up the physical attack vector!

masa-kozu, yesterday at 9:33 PM

Just as a side note, memory encryption isn't limited to niche secure hardware anymore. Mainstream x86 CPUs have supported it for years: AMD has SME/TSME (and SEV on the server side), while Intel provides TME/MKTME. The memory controller transparently encrypts DRAM contents with hardware-managed keys, so protection against physical memory extraction attacks is already available on many ordinary PCs and servers.