I edited my post -- *more* vulnerable. You have to agree that access to a machine in less than 10 seconds is a lot less cumbersome than a "cold boot scan."
That cold boot scan is interesting, btw. Do hackers have to remove the RAM and place it in a different box or just boot off their own software to access it?
edit: nm, the attack is typically performed with a USB boot drive.
edit2: and for the record, I never wanted Thunderbolt
That depends on the system you're targeting.
If there is a firmware/BIOS password, then obviously you can't reboot the machine and/or you can't select an alternative boot device- so you'll have to pull the RAM and stick it in another machine. That tends to take time, so you might want to consider chilling the RAM first.
If there isn't, then it seems to be a bit of a crapshoot whether or not the RAM will survive a reboot. Usually that depends on how long the machine takes to reboot and/or how long your recovery image takes to boot.
Personally, I've had good to excellent success dumping the RAM of the older MacBook Pro units (aluminum, not unibody) without removing the RAM (no firmware password though). The newer Unibody systems seem a bit more tweaky and sometimes I can't get a good dump. At the time I wasn't being paid to figure out why, only to figure out if it was even remotely possible (which it is)- so I never really investigated this further.
A long time ago, I worked for an employer who had a bunch of old and busted ThinkPad systems. We used to dismantle them in our spare time and reassemble complete working computers, which were then used for general mucking about and all sorts of zany stuff. When the cold boot attack papers were published around 2008, we took several of those systems and did a whole bunch of tests just to see how long we could leave the RAM before the contents would be lost or unpredictably damaged. Our record was ~2 minutes without chilling, and 34 minutes with chilled (read: borderline frozen solid) RAM. The biggest issue we had with the chilled RAM was not freezing the SODIMM contacts and shorting out the machine- once the RAM was cold, you basically had to keep it cold and work fast. As soon as it started to heat up you'd get condensation which would typically short out the socket and cause the machine to hang or power down.
I think this is probably scarier for MacBook users who don't turn off their computers and expect the password screen and FileVault to save them.
In fact, a smart dongle may be able to even unlock a locked Mac and let the hacker do whatever. With full memory access, a dongle could read and write anything directly to the RAM.
Does it matter for the 99.999%?
People who have stuff to protect should realize that security is a process, not a product.
My workstations don't have anything more than some personal emails, music, family photos, etc. Would it suck if someone broke into my machines? Probably, but I'm not going to fret about that very much.
The data I cannot afford to lose (source code, digital certificates, encryption key pairs, etc) reside on a pair of Data Locker 3 disk drives (http://datalocker.com/products/datalocker-dl3.html). These live in a giant safe sitting in my basement (a proper safe with a glass relocker- not one of those "fire proof" things you buy at Home Depot) when I'm not using them. I have a whole routine I go through every working day from start to finish. I know my data is secure to the point that there is literally nothing else I could have done to protect it, **if** someone actually had the resources to crack my safe and dismantle the drive controller PCBs and somehow retrieve the AES crypto key from the EEPROMs.
I just think that if all you have is a lock screen or FileVault, then your data can't be that important. I know people will scream "OMG BUT MAH FAMILY PHOTOS R PRICELESS111" at me for saying that, but it's true. Nobody cares about your family photos. If you have data that is actually worth money, protect it properly. Don't rely on a giant mega-corporation to do their jobs and write secure code when they're trying to worry about a bazillion other things concurrently.
-SC