There are countless ways to break the security of programs and even our hardware. We have seen how even Intel and AMD processors have suffered vulnerabilities and security breaches in their system. In fact, we now have an example of how a cryomechanical robot can extract data from DDR3 RAM.
This time we will talk about security, but instead of taking into account hackers, cybercriminal attacks, companies or programs affected by malware, we will have something much more unusual. today, in the REcon Reverse Engineering Conference from Canada, Ang Cui, founder of Red Balloon Security has presented his latest experiment. This consists of using a cryomechanical robot that can collect data from RAM memory, despite how apparently safe it is.
They create a cryomechanical robot that is capable of extracting data from DDR3 RAM
Hardware manufacturers have disabled JTAG debugging interfaces, UART circuits and it has been usedl BGA packaging and encrypted firmware. All this has been done in order to make it difficult to reverse engineer the devices and prevent them from taking control of them. The problem is that, in terms of security, it has surprisingly hardly improved and in fact, Cui assures that manufacturers are wasting time. Sooner or later they were going to be able to circumvent this system and this has been demonstrated with this new robot.
Instead of using invasive reverse engineering techniques like in the past, they have built a cryomechanical robot, which is capable of freeze a ram chip. Once this is done, they take out the memory of the device and manage to read its contents with a reader. This method has turned out to be very successful, as Cui ensures that they get all the data, including the decryption keys.
To extract data from DDR4 or DDR5 RAM the cost would be much higher
By comparison, the traditional cold boot attack consists of freezing RAM memory using a compressed air can. With this system, the RAM can be cooled down to about -50°Cmoment in which the data may be temporarily frozen and persist for a few minutes. This method has worked perfectly in the past, but there are many devices, including laptops, that have their RAM soldered to the board.
Also, by the time they manage to read one memory chip, they must do the same with the rest, since they are interlocked. His objective was to be able to extract 5 memory chips in a single instruction. This is a difficult procedure for them, but one machine was capable of serving the purpose. Specifically they used a computerized numerical control or CNCwhich they bought from the Chinese store AliExpress for 500 dollars.
This was modified and from there arose the so-called cryomechanical robot, which is basically a CNC machine with a memory reader in a FPGA and an ESP32 controller. Of course, they have already warned that this system is effective for old RAM memory such as DDR3, but for DDR4 and DDR5 more complex, they would have to build a much more expensive machine about $10,000.
