1. Field of the Invention
The invention relates to a method for defending against cold-boot attacks on a computer in a self-service terminal. In addition, the present invention relates to a self-service terminal, in particular an ATM machine, including a computer which is equipped for carrying out the method.
2. Description of the Related Art
Self-service terminals, in particular ATM machines, are frequently subject to manipulation attempts and other criminal acts which, among other things, have the goal of manipulating the operation of the self-service terminal and/or obtaining sensitive data such as account and customer data. The focus is on the computer which is integrated into self-service terminals, which is often implemented using a personal computer having specialized application software. Such a self-service terminal is, for example, described in DE 10 2009 018 320 A1, the personal computer used there also being referred to as a data processing unit or computer.
In the field of personal computers, also called PCs for short, many methods are known via which criminals obtain unauthorized access to the PC. In this context, so-called cold-boot attacks or cold-start attacks may be mentioned. The basis of a cold-boot attack is that, after restarting the computer or shutting down the computer, the memory content of the main memory remains in the memory for a certain period of time, although, for example, an external voltage is no longer present. During this period of time, an attacker may use specialized software to read out the memory content completely and thus gain knowledge about sensitive data such as cryptographic keys or transaction data. The period of time is a direct function of the ambient temperature. By drastically lowering the temperature, for example, by spraying the memory with liquid oxygen, the attacker can extend the available period of time up to the minute range.
Until recently, it was assumed that such attacks are practically impossible under real conditions due to the relatively short period of time. However, such attacks and their feasibility are documented in the article ‘Lest We Remember: Cold Boot Attacks on Encryption Keys’ by J. Alex Halderman et al., which was published in ‘Proc. 2008 USENIX Security Symposium’.
The Internet encyclopedia ‘Wikipedia’ (see http://de.wikipedia.org/wiki/Kaltstartattacke) describes the general principle of a ‘cold-start attack’ and countermeasures. For example, the BIOS, i.e., the system software controlling the system startup (boot), is supposed to clear the random access memory during the so-called ‘power-on self-test’ (POST for short). However, this countermeasure is not a reliable approach which would be applicable in the field of self-service terminals. This is because POST does not securely and completely clear the random access memory; POST may be switched off; POST may possibly be interrupted or skipped; and POST involves a considerable delay of all restarts.
US 2012/0 079 593 A1 describes a system and a method for hindering cold-boot attacks, which focuses on mobile terminals such as mobile telephones or laptops. To defend against cold-boot attacks, it is described there (see text [0009] and claim 3) to monitor the temperature of the memory components and to check whether the temperature is below a threshold value, in order to determine whether or not an attack is taking place.
U.S. Pat. No. 8,331,189 B1 describes a DRAM memory module which is secured against cold-boot attacks. For this purpose, a circuit (‘tamper detection circuit’) is described, which detects an attack and then initiates clearing of the DRAM memory module by means of another circuit (‘scrubbing circuit’). It is not described there which criterion is to be used to determine the attack. Reference is merely made (see column 1, lines 14 ff.) to the article in question ‘Lest We Remember: Cold Boot Attacks on Encryption Keys’ by J. Alex Halderman et al.
The object of the present invention is to provide a method for defending against cold-boot attacks which may be used in the field of self-service terminals and which overcomes the initially specified disadvantages of the prior art. In particular, cold-boot attacks are to be effectively and reliably repelled on computers in self-service terminals without having to accept a noticeable delay of all restarts.