Security researchers at the Finnish cyber-security firm F-Secure have discovered a new cold boot hardware attack technique. They showed that even with full disk encryption it is possible to steal passwords, encryption keys and other sensitive information from most modern computers.
The new attack is an adaptation of the traditional cold boot attack, known since 2008, which lets an attacker recover information that remains in RAM after the computer is shut down.
To reduce the impact of cold boot attacks, most modern computers ship with a safeguard that overwrites the contents of RAM when power is restored, preventing the data from being read.
The researchers found a way to disable this memory-overwrite safeguard by physically manipulating the computer’s firmware, allowing an attacker to recover sensitive data from the computer after a cold reboot in a matter of minutes.
Cold boot attacks are a well-known way of extracting encryption keys from devices, but they can recover all kinds of information, so passwords and any other data held in memory are also at risk.
Using a simple tool, the researchers rewrote the non-volatile memory chip that holds the memory-overwrite setting, disabled it, and then enabled booting from external devices. The researchers have published a video demonstrating the new cold boot attack.
Like the traditional cold boot attack, the new attack requires physical access to the target device as well as the right tools to recover the data remaining in the computer’s memory.
According to one of the researchers, F-Secure principal security consultant Olle Segerdahl, “It’s not exactly easy to do, but it is not a hard-enough issue to find and exploit for us to ignore the probability that some attackers have already figured this out. It’s not exactly the kind of thing that attackers looking for easy targets will use. But it is the kind of thing that attackers looking for bigger phish, like a bank or large enterprise, will know how to use.”
The researchers believe the new technique is effective against nearly all modern computers, including Apple Macs, and cannot be patched easily or quickly.
They have already shared their findings with Microsoft, Intel, and Apple, and helped them explore possible mitigation strategies.
Microsoft updated its guidance on BitLocker countermeasures in response to F-Secure’s findings, while Apple said that Macs equipped with an Apple T2 chip contain security measures designed to protect users against this attack. For Macs without the T2 chip, Apple advises users to set a firmware password to strengthen their security. Intel has not commented on the issue.
The researchers note that although there is no reliable way to prevent or block a cold boot attack once a capable attacker gets their hands on a laptop, companies can configure their devices so that attackers find nothing worth stealing.
They recommend that IT departments configure all company computers to either shut down or hibernate (not enter sleep mode) and require users to enter their BitLocker PIN whenever they power up or restore their PCs.
Attackers can still conduct a cold boot attack against computers configured this way, but since the encryption keys are not held in memory when a machine hibernates or shuts down, there is no valuable information left for them to steal.
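As an added example (not F-Secure’s or Microsoft’s code), the following elevated PowerShell applies both recommendations to a BitLocker-protected Windows laptop: it disables sleep in favour of hibernate or shutdown and swaps the TPM-only protector for TPM+PIN. The Group Policy registry paths and values are assumed to match the documented "Allow standby states (S1-S3) when sleeping" and "Require additional authentication at startup" settings; check them against your own ADMX templates before deploying.

```powershell
# Added example (not F-Secure's or Microsoft's code). Run from an elevated
# PowerShell on a BitLocker-protected Windows laptop. Registry policy paths
# and values below are assumed to match the corresponding Group Policy settings.
#Requires -RunAsAdministrator

# 1. Hibernate or shut down, never sleep: with RAM powered off, the volume
#    key is no longer resident for a cold boot attack to recover.
powercfg /hibernate on
# Policy "Allow standby states (S1-S3) when sleeping": 0 = disabled (AC and battery)
$pwr = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab'
New-Item -Path $pwr -Force | Out-Null
Set-ItemProperty -Path $pwr -Name ACSettingIndex -Value 0 -Type DWord
Set-ItemProperty -Path $pwr -Name DCSettingIndex -Value 0 -Type DWord
# Active power scheme: lid close -> hibernate (2), power button -> shut down (3)
powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2
powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 3
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 3
powercfg /setactive SCHEME_CURRENT

# 2. Require a BitLocker PIN at every power-up: TPM+PIN instead of TPM-only.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord  # policy enabled
Set-ItemProperty -Path $fve -Name UseTPM            -Value 0 -Type DWord  # TPM-only: do not allow
Set-ItemProperty -Path $fve -Name UseTPMPIN         -Value 1 -Type DWord  # TPM + startup PIN: require

$vol = Get-BitLockerVolume -MountPoint 'C:'
# Refuse to touch TPM protectors unless a recovery password exists as a fallback.
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    throw 'Add and back up a RecoveryPassword protector before changing TPM protectors.'
}
$pin = Read-Host -Prompt 'New BitLocker startup PIN' -AsSecureString
Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin | Out-Null
# Remove any TPM-only protector left behind so the disk cannot unlock without the PIN.
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Where-Object KeyProtectorType -eq 'Tpm' |
    ForEach-Object { Remove-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $_.KeyProtectorId | Out-Null }
# Expected result: TpmPin and RecoveryPassword protectors only.
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector | Select-Object KeyProtectorType
```

The recovery password is left in place deliberately: it is the only way back in if the PIN is forgotten or the TPM state changes after a firmware update.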
The F-Secure team presented their findings at the Sec-T conference in Stockholm; the presentation has been published on YouTube.