Cold Boot Attack – How It Works and Why It's Still a Real Threat?
Now that we're surrounded by advanced cryptographic security measures, multi-factor authentication, and disk encryption, it might seem that physical access to a computer no longer poses a real threat to data confidentiality. Yet there is a technique that can bypass even the most well-protected systems: the cold boot attack. Although discovered over a decade ago, it still concerns cybersecurity experts because it shows how a small gap in RAM logic can become a gateway to recovering encryption keys, passwords, or user data. Why does this type of attack still work despite technological progress?
What is a cold boot attack?
A cold boot attack is a technique for recovering data from a computer's RAM that exploits the physical properties of this memory – specifically the fact that data stored in RAM doesn't disappear immediately after power is cut off. How is this possible? Contrary to popular belief, RAM doesn't lose its contents the moment the computer is turned off. Its data "fades" gradually – it can persist for several to several dozen seconds, and at low temperatures (e.g., after cooling memory modules with liquid nitrogen or cooling spray) even for several minutes. This is the so-called data remanence effect, which allows for physical recovery of information stored in RAM – even if the system was previously shut down.
Cold boot attack – is it dangerous?
A cold boot attack is dangerous because it bypasses the logical layer of security – it doesn't break passwords or encryption using "traditional" methods. Instead, it exploits the fact that a computer must store, for example, encryption keys in RAM at a given moment for the system to operate. If an attacker gains physical access to the device – even for just a dozen seconds – they can obtain information that should theoretically be inaccessible.
Despite the development of security measures, cold boot attacks still work because they're based on physical properties of RAM, which remain unchanged. Data in RAM doesn't disappear immediately after power is cut off – it can persist for several, or even several dozen seconds, especially after cooling. During this short time, it's possible to recover what remains, such as encryption keys, passwords, or session information.
Do cold boot attacks still work?
Yes, cold boot attacks can still work, although their effectiveness is significantly lower today than it was over a decade ago. However, they still rely on the same mechanism – data in RAM doesn't disappear immediately after power is cut off. If someone gains physical access to a computer, they can cool the RAM modules and quickly boot the system from an external medium to read the remaining data, such as encryption keys or passwords.
Modern computers and operating systems increasingly use technologies that make such attacks more difficult – such as RAM encryption, TPM modules, or secure boot. Nevertheless, cold boot attacks remain a real threat, especially in cases of theft or unauthorized physical access to a device. That's why in high-risk environments – such as companies, government institutions, or the military – this type of attack is still taken seriously.
What does cold booting mean?
Cold booting means starting a computer after completely disconnecting power, i.e., from a so-called "cold state". Unlike a warm boot (soft restart, e.g., via Ctrl+Alt+Del), a cold boot occurs when the computer was completely shut down – e.g., after cutting power, removing the battery, or physical restart.
In practice, cold booting means a full computer startup cycle: from powering the components, through BIOS/UEFI initialization, to loading the operating system. It's precisely this moment that is exploited in a cold boot attack, because the contents of RAM can still "survive" for a moment – even after the computer is turned off – and can be read right after restarting.
In short:
- Cold booting is a full computer startup "from scratch".
- A cold boot attack exploits this moment to read data from RAM before it's erased.
How is it possible that data "remains" in RAM – and what does liquid nitrogen have to do with it?
RAM in a computer works like a temporary notepad – it stores data only while the system is running. When you turn off the computer, the notepad is theoretically thrown away. But not immediately. In reality, when you suddenly disconnect power, data in RAM doesn't disappear instantly. Electronics work on the principle of electrical charges – and these need a moment to completely dissipate. For several, a dozen, and sometimes even several dozen seconds, the data is still there. And here's where liquid nitrogen or other cooling agents (e.g., computer spray) come in. The lower the RAM temperature, the slower the stored charge fades. In other words: cooled RAM "holds" data longer.
A person conducting a cold boot attack can:
- Quickly disconnect the computer's power (so data doesn't have time to erase).
- Cool the RAM modules, e.g., using liquid nitrogen (at -196°C!) or spray.
- Immediately boot the computer from another medium (e.g., USB) to read the remaining data before it disappears.
It's like "freezing" a moment – and in that moment reading secret passwords, encryption keys, or open documents that were stored in RAM, even though the computer was already turned off.
Conclusions
Cold boot attacks, although they seem technically complex, show how important a holistic approach to security is – covering not only logical protection (like passwords or disk encryption) but also securing physical access to hardware. Modern operating systems and devices are increasingly effective at protecting against this threat, but remember that no technology can replace user awareness!
That's why it's worth remembering the basic principles: encrypt data, shut down the computer instead of putting it to sleep, configure BIOS/UEFI, and protect hardware from unauthorized physical access. The cold boot attack is an example of how even a dozen seconds of inattention can be enough to lose data that was meant to remain secret. In the era of mobility and remote work, this threat should not be underestimated.
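The principles above and the mitigations named earlier (RAM encryption, secure boot, shutting down instead of sleeping) can be checked on a Linux host. The following is an added example, not code from the original article: the function names are hypothetical, the sample inputs are constructed, and it goes one step beyond the text by also checking the TCG memory overwrite request that asks firmware to wipe RAM on the next boot.

```python
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
# Standard variable names as Linux efivarfs exposes them (name-GUID).
SECURE_BOOT = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
MOR = "MemoryOverwriteRequestControl-e20939be-32d4-41be-a150-897f85d49829"

def efivar_bit0(raw):
    """efivarfs prepends 4 attribute bytes; return bit 0 of the first data byte."""
    if raw is None or len(raw) < 5:
        return None  # variable absent or unreadable
    return bool(raw[4] & 1)

def assess(cpu_flags, power_states, secure_boot_raw, mor_raw):
    """Return cold-boot findings; an empty list means none were detected."""
    findings = []
    # sme (AMD) / tme (Intel) show that the CPU exposes RAM encryption.
    # Without either flag, nothing indicates that DRAM contents are encrypted.
    if not set(cpu_flags.split()) & {"sme", "tme"}:
        findings.append("no RAM-encryption CPU flag (sme/tme)")
    # freeze/standby/mem keep DRAM powered, so keys stay resident while asleep.
    if set(power_states.split()) & {"freeze", "standby", "mem"}:
        findings.append("sleep states keep keys in RAM; shut down instead")
    if efivar_bit0(secure_boot_raw) is not True:
        findings.append("Secure Boot disabled or unknown")
    # TCG memory overwrite request: bit 0 asks firmware to wipe RAM on next boot.
    if efivar_bit0(mor_raw) is not True:
        findings.append("firmware RAM wipe on reboot not requested")
    return findings

def read_bytes(path):
    try:
        return Path(path).read_bytes()
    except OSError:
        return None

def audit_live_host():
    """Collect the same four inputs from a running Linux system."""
    cpuinfo = (read_bytes("/proc/cpuinfo") or b"").decode(errors="replace")
    flags = next((line.split(":", 1)[1] for line in cpuinfo.splitlines()
                  if line.startswith("flags")), "")
    states = (read_bytes("/sys/power/state") or b"").decode()
    return assess(flags, states, read_bytes(EFIVARS / SECURE_BOOT),
                  read_bytes(EFIVARS / MOR))

if __name__ == "__main__":
    # Constructed sample: sleep enabled, Secure Boot off, no MOR variable.
    print(assess("fpu aes", "freeze mem disk", b"\x06\x00\x00\x00\x00", None))
    print(audit_live_host())
```

A CPU flag only shows that the feature is exposed; whether memory encryption is actually active still depends on firmware and kernel configuration.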