Threats Physical Access Cyberattacks: How Can You Protect Yourself?
While many cybersecurity strategies focus on remote threats, physical access remains one of the most powerful attack vectors. When an adversary—whether an outsider or a malicious insider—gains direct access to a device, they can bypass many security controls and exploit vulnerabilities directly. Few systems are resilient against Cold Boot and Evil Maid attacks. Defenders should periodically review their physical security controls, because an organization's digital infrastructure and the attack landscape can both change sharply in a short period of time. IT security teams need to adjust for emerging trends and ensure their changing IT systems are protected against well-known attacks.
This article explores two well-known attacks that require physical access, the Cold Boot attack and the Evil Maid attack, and how you can build comprehensive protection for your systems. For critical systems, or for individuals handling confidential information, understanding and defending against these physical threats is essential.
What Are Cold Boot RAM Extraction Attacks?
In a cold boot attack, an adversary with physical access removes the RAM (random access memory) modules from a computer and inserts them into another computer that is prepared to extract residual data from them. The attack exploits the fact that volatile memory does not immediately lose its contents when power is removed. Instead, data stored in RAM can persist for several seconds, or even minutes, especially when the memory chips are cooled, hence the name "Cold Boot". For example, an attacker can spray the RAM chips with an upside-down can of compressed air to rapidly cool them, prolonging data retention and increasing the chances of successfully extracting residual information. This may include sensitive data such as disk encryption keys, passwords, or session information.
In the early days of computing Cold Boot attacks were possible without removing the RAM chips from the victim's computer. However, in 2008, the TCG Reset Attack Mitigation, commonly known as Memory Overwrite Request (MOR) Lock or MORLock, was introduced to counteract cold boot attacks. This mechanism ensures that system memory is overwritten during the boot process, effectively erasing sensitive data that might otherwise be susceptible to unauthorized retrieval after an improper shutdown or reset.
However, in 2018, researchers at F-Secure demonstrated a method to bypass existing mitigations against cold boot attacks by disabling the memory overwriting process. This allowed them to extract sensitive data like encryption keys from nearly all modern computers. Furthermore, a study by Halderman et al. found that cooling DRAM chips to approximately -50°C allowed data to persist for several minutes with minimal degradation. Another study indicated that when DRAM is cooled with liquid nitrogen, data could persist for up to a week without refresh.
Also, specialized devices such as Field Programmable Gate Arrays (FPGAs) can be used to extract data directly from RAM modules. These compact devices let attackers carry out the attack without transporting an entire computer system, improving its portability and stealth. Canadian researchers took this one step further in 2023 by creating a robot that could execute Cold Boot attacks: at REcon 2023, researchers from Red Balloon Security unveiled a low-cost cryo-mechanical robot capable of extracting live RAM contents from modern embedded devices by cooling and desoldering non-removable DDR chips with high precision.
How to Prevent Cold Boot RAM Extraction
The cold boot attack is particularly dangerous because it can defeat full disk encryption solutions such as BitLocker, LUKS, and FileVault by harvesting decryption keys still present in RAM. Here are some key security controls to consider for preventing cold boot attacks:
Shut down completely: Avoid using sleep or hibernate modes to protect unattended systems when security is a critical concern. A full shutdown clears encryption keys from memory and prevents cold boot attacks.
Enable memory encryption: Use CPUs that support memory encryption technologies such as AMD Secure Memory Encryption (SME) and Intel Total Memory Encryption (TME).
Use BitLocker with PIN and TPM: Ensure encryption keys are not automatically loaded into RAM during boot. Using a PIN code or requiring the full drive encryption password to be entered each time a computer boots will reduce the risk that encryption keys are exposed to cold boot attacks during unauthorized reboots.
Physically secure the device: Lock your system or keep it with you—never leave it unattended in unsecured environments. Desktops are especially vulnerable to being physically opened and having their RAM exposed. Some computer cases support chassis locking mechanisms or chassis intrusion switches to prevent physical attacks.
Disable DMA-capable ports: In BIOS/UEFI, disable FireWire/Thunderbolt or use IOMMU to prevent Direct Memory Access (DMA) attacks via external devices.
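To make the controls above checkable rather than aspirational, here is an added example (not code from the original article) of a small Python audit for a Linux host. It reads the signals behind four of the controls: the sme/tme CPU flags and the mem_encrypt= kernel parameter for memory encryption, the presence of IOMMU groups for DMA isolation, the Thunderbolt controller's security level in sysfs, and the systemd HandleLidSwitch setting that decides whether a closed laptop suspends or powers off. The /proc, /sys and /etc paths are real kernel and systemd interfaces; the two host snapshots at the bottom are constructed for illustration and do not describe real machines. BitLocker PIN enforcement on Windows is outside this script.

```python
"""Cold boot / DMA hardening audit for a Linux host (added example, not from the article).

Each check reads one signal behind a control from the list above. The paths are
real kernel/systemd interfaces; the snapshots at the bottom are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path
from typing import Optional, Tuple

Result = Tuple[str, str]  # ("pass" | "warn" | "fail", explanation)


@dataclass
class HostSnapshot:
    cpu_flags: set                        # words from the 'flags' line of /proc/cpuinfo
    cmdline: str                          # /proc/cmdline
    iommu_groups: int                     # entries under /sys/kernel/iommu_groups
    thunderbolt_security: Optional[str]   # /sys/bus/thunderbolt/devices/domain0/security, None if absent
    logind_conf: str                      # text of /etc/systemd/logind.conf

    @classmethod
    def from_live_host(cls) -> "HostSnapshot":
        """Collect the same facts from the running machine (Linux only)."""
        flags_line = next((l for l in Path("/proc/cpuinfo").read_text().splitlines()
                           if l.startswith("flags")), "flags :")
        groups = Path("/sys/kernel/iommu_groups")
        tb_sec = Path("/sys/bus/thunderbolt/devices/domain0/security")
        logind = Path("/etc/systemd/logind.conf")
        return cls(
            cpu_flags=set(flags_line.split(":", 1)[1].split()),
            cmdline=Path("/proc/cmdline").read_text(),
            iommu_groups=len(list(groups.iterdir())) if groups.is_dir() else 0,
            thunderbolt_security=tb_sec.read_text().strip() if tb_sec.exists() else None,
            logind_conf=logind.read_text() if logind.exists() else "",
        )


def check_memory_encryption(s: HostSnapshot) -> Result:
    if "sme" in s.cpu_flags:
        # AMD SME is only a capability until the kernel is booted with mem_encrypt=on
        if re.search(r"\bmem_encrypt=on\b", s.cmdline):
            return "pass", "AMD SME active (mem_encrypt=on on the kernel command line)"
        return "fail", "CPU advertises AMD SME but the kernel was not booted with mem_encrypt=on"
    if "tme" in s.cpu_flags:
        # Intel TME is switched on by firmware; the flag alone only proves capability
        return "warn", "CPU advertises Intel TME; confirm it is enabled in firmware setup"
    return "fail", "no memory encryption capability advertised (neither 'sme' nor 'tme' flag)"


def check_iommu(s: HostSnapshot) -> Result:
    # The kernel only populates /sys/kernel/iommu_groups when an IOMMU is active
    if s.iommu_groups > 0:
        return "pass", f"IOMMU active ({s.iommu_groups} groups)"
    return "fail", ("no IOMMU groups: DMA from external devices is not isolated; enable "
                    "VT-d/AMD-Vi in firmware and boot with intel_iommu=on or amd_iommu=on")


def check_thunderbolt(s: HostSnapshot) -> Result:
    level = s.thunderbolt_security
    if level is None:
        return "pass", "no Thunderbolt controller present"
    if level in {"secure", "nopcie", "usbonly", "dponly"}:  # levels that block or verify PCIe tunnels
        return "pass", f"Thunderbolt security level '{level}'"
    if level == "user":
        return "warn", "Thunderbolt level 'user': devices must be approved but are not verified; prefer 'secure'"
    return "fail", f"Thunderbolt security level '{level}': any plugged-in device gets PCIe (DMA) access"


def check_lid_action(s: HostSnapshot) -> Result:
    action = "suspend"  # systemd's default when HandleLidSwitch is unset or commented out
    for line in s.logind_conf.splitlines():
        m = re.match(r"\s*HandleLidSwitch\s*=\s*(\S+)", line)
        if m:
            action = m.group(1)
    if action == "poweroff":
        return "pass", "closing the lid powers the machine off, so keys leave RAM"
    return "fail", f"HandleLidSwitch={action}: an unattended closed laptop keeps its keys in RAM"


CHECKS = {"memory_encryption": check_memory_encryption, "iommu": check_iommu,
          "thunderbolt": check_thunderbolt, "lid_action": check_lid_action}


def audit(s: HostSnapshot) -> dict:
    """Run every check and return {name: (status, explanation)}."""
    return {name: fn(s) for name, fn in CHECKS.items()}


# Constructed snapshots for illustration only (not taken from real hosts)
TRAVEL_LAPTOP = HostSnapshot(cpu_flags={"fpu", "vmx", "tme", "aes"},
                             cmdline="BOOT_IMAGE=/vmlinuz root=/dev/mapper/root quiet",
                             iommu_groups=0, thunderbolt_security="user",
                             logind_conf="[Login]\n#HandleLidSwitch=suspend\n")
HARDENED_WORKSTATION = HostSnapshot(cpu_flags={"fpu", "svm", "sme", "aes"},
                                    cmdline="root=/dev/mapper/root mem_encrypt=on amd_iommu=on iommu=pt",
                                    iommu_groups=23, thunderbolt_security=None,
                                    logind_conf="[Login]\nHandleLidSwitch=poweroff\n")

if __name__ == "__main__":
    import sys
    snap = HostSnapshot.from_live_host() if "--live" in sys.argv else TRAVEL_LAPTOP
    for name, (status, detail) in audit(snap).items():
        print(f"[{status.upper():4}] {name}: {detail}")
```

Run it with --live on a Linux machine to audit that host, or without arguments to see the constructed travel-laptop profile fail every check. A "warn" for Intel TME means the CPU flag is present but the script cannot tell from user space whether firmware turned the feature on; the kernel logs an "x86/tme" message at boot when it is enabled. The checks deliberately treat suspend and hibernate the same way the article does: only a full power-off counts as clearing keys from RAM.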
What is an Evil Maid Attack?
An Evil Maid attack is a physical access attack that tampers with a device while it’s left unattended. It’s a common technique in scenarios where a laptop is left unattended, such as hotel rooms or shared office spaces. The goal is typically to steal sensitive information or install malware. The attack may involve dropping files directly onto the victim's unprotected hard drive, but may also involve manipulating firmware, BIOS, or the bootloader. These attacks most often target high-value individuals such as journalists, executives, and government officials, especially during travel or in shared office environments.
First, an adversary with physical access reboots the device using a bootable USB stick loaded with a live operating system (such as Kali Linux). This bypasses the installed OS and allows the attacker to mount the target system's hard drive. If the proper security measures are not in place to mitigate the Evil Maid threat, an attacker can directly access the target system's hard drive, copy sensitive files, extract cached credentials, or even install malware. For example, if the system’s disk is not encrypted, or if the encryption keys are accessible on the device's hard drive, this method can fully compromise data confidentiality.
In a sophisticated variation of this attack, the device is replaced outright with an identical rogue device. When the user enters their password, the malicious system relays the password to the attackers, who can use it to access the stolen device. In another, less sophisticated version of the Evil Maid, attackers plug in a USB Kill Stick, which delivers rapid high-voltage pulses through the USB port to physically destroy the computer’s internal components. In other cases, the USB Kill Stick may be used to disable IoT devices or security devices such as smart locks or surveillance cameras.
Variants of the Evil Maid attack include:
Malware injection into unencrypted bootloaders
BIOS/firmware tampering to capture credentials
Direct memory access (DMA) attacks via ports like Thunderbolt
Binary replacement to poison common executable files
Altering configuration files to reduce device security
Swapping the original device with an identical but compromised one
Device destroying attacks using a USB Kill Stick
How to Prevent Evil Maid Attacks
Here are some key security controls to consider for preventing Evil Maid attacks, including live USB boot attacks:
Use full disk encryption: Tools like BitLocker, FileVault, or LUKS ensure that booting from an external OS won’t expose the data.
Disable external boot options: In BIOS/UEFI, disable USB, CD/DVD, and network boot unless explicitly needed.
Enable Secure Boot: Allows only trusted and signed bootloaders to launch.
Set a BIOS/UEFI password: This can further prevent unauthorized users from changing the boot order or other boot settings.
Physically secure the device: Keep your laptop with you or use locking mechanisms and tamper-evident seals to detect unauthorized access.
Employ Traditional Malware Detection: Use antivirus or antimalware solutions to conduct full file system scans. This helps detect malware that may have bypassed perimeter or real-time scanning points, especially following physical access scenarios.
Employ Endpoint Detection and Response (EDR): EDR platforms can monitor file integrity, detect system tampering, and log suspicious behavior—such as unusual modifications to critical system files or boot configurations—making it more likely you’ll spot a successful evil maid attack.
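The EDR and tamper-evident-seal controls above both come down to knowing what the boot path looked like before you left the device. As an added example (not code from the original article), here is a small Python tool that records SHA-256 hashes of every file under a boot directory, seals the manifest with an HMAC keyed from a passphrase so that a copy left on the device cannot be quietly rewritten, and reports added, removed and modified files on return. The demo() function builds a constructed look-alike of /boot in a temporary directory, simulates a replaced bootloader, a removed initramfs and a dropped-in binary, and returns the diff. In real use you would point build_manifest at /boot and the mounted EFI system partition, run the check from trusted media such as a live USB you carry, and keep the sealed manifest off the device; the passphrase and file names here are constructed.

```python
"""Boot-file integrity baseline for evil maid detection (added example, not from the article)."""
from __future__ import annotations

import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """SHA-256 of every regular file under root, keyed by path relative to root."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def _derive_key(passphrase: str, salt: bytes) -> bytes:
    # Slow KDF so the sealed file does not become a cheap offline guessing target
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)


def seal_manifest(manifest: dict, passphrase: str) -> bytes:
    """Serialise the manifest with an HMAC tag; without the passphrase it cannot be re-signed."""
    salt = os.urandom(16)
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(_derive_key(passphrase, salt), body, "sha256").hexdigest()
    return json.dumps({"salt": salt.hex(), "tag": tag, "manifest": manifest}, sort_keys=True).encode()


def open_manifest(blob: bytes, passphrase: str) -> dict:
    """Verify the tag and return the manifest; raise ValueError if it was altered."""
    doc = json.loads(blob)
    body = json.dumps(doc["manifest"], sort_keys=True).encode()
    expected = hmac.new(_derive_key(passphrase, bytes.fromhex(doc["salt"])), body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        raise ValueError("manifest tag mismatch: wrong passphrase or manifest tampered with")
    return doc["manifest"]


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report what changed between the sealed baseline and the boot path as found now."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed /boot look-alike: take a baseline, simulate tampering, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp)
        (boot / "EFI" / "BOOT").mkdir(parents=True)
        (boot / "EFI" / "BOOT" / "BOOTX64.EFI").write_bytes(b"constructed bootloader image")
        (boot / "vmlinuz").write_bytes(b"constructed kernel image")
        (boot / "initrd.img").write_bytes(b"constructed initramfs")
        sealed = seal_manifest(build_manifest(boot), "constructed passphrase")

        # Simulated evil maid: bootloader altered, initramfs removed, unexpected binary added
        (boot / "EFI" / "BOOT" / "BOOTX64.EFI").write_bytes(b"constructed bootloader image + implant")
        (boot / "initrd.img").unlink()
        (boot / "EFI" / "BOOT" / "grubx64.efi").write_bytes(b"constructed unexpected binary")

        baseline = open_manifest(sealed, "constructed passphrase")
        return diff_manifests(baseline, build_manifest(boot))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {paths}")
```

The check only sees files, so it catches the bootloader, kernel and configuration-file variants listed above but not firmware tampering; verifying firmware needs measured boot (TPM PCR values), which this script does not attempt. Rebuilding the baseline after every legitimate kernel or bootloader update is part of using it.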
Another trick mentioned on the SANS Internet Storm Center blog is to reboot to the Full Disk Encryption (FDE) password prompt, type only the first part of the password, and leave the machine there. On return, you can verify that no tampering has occurred by entering the rest of the password: if the device was rebooted in your absence, the partial entry will be gone. Unfortunately, this simple trick doesn’t work with BitLocker.
Conclusion
Cold boot attacks and evil maid attacks are distinct threats that exploit physical access to a device. Cold boot attacks target residual data in RAM, while evil maid attacks rely on stealthy tampering, whether by booting a live USB to bypass OS protections or by altering firmware and boot components, often aiming for future compromise. Defending against both requires layered controls—encryption, boot protection, physical security, and threat detection.