2

I have a Macbook configured with a firmware password required to boot from any media other than the built-in NVMe drive. In theory, this means without my password you can't boot from removable media. Is this enough to prevent cold boot attacks or are there other ways to perform the attack. If so what attack methods still exist?

2 Answers2

2

From wikipedia

Alternatively, the memory modules are removed from the original system and quickly placed in a compatible machine under the attacker's control, which is then booted to access the memory.

This means that your computer is still vulnerable to cold boot attack.

Furthermore from wikipedia

This is not the only attack that allows encryption keys to be read from memory - for example, a DMA attack allows physical memory to be accessed via a 1394 DMA channel. 

vakus
  • 3,743
  • 3
  • 20
  • 32
  • My understanding is DMA attacks are not viable on Apple platforms; the IOMMU is enabled before Thunderbolt. Similarly, recent Microsoft hardware standards prohibit boot from an external DMA-equipped bus without IOMMU support. – user71659 Aug 20 '18 at 06:15
2

My understanding is that the Macbook Pro Retina has had soldered on RAM since 2012 and all other Macbook's since 2016. So quickly removing the RAM is not a likely attack. This would involve desoldering a surface mount chip and re-soldering it on the new Macbook.

Practically speaking unless the OP is a high value target you have prevented all but the most dedicated and advanced attacker.

But to be clear, yes attacks exist.

Joe M
  • 2,997
  • 1
  • 6
  • 13