The tech industry has known about cold boot attacks on computers since 2008. That was the year that a group of researchers showed that if a PC hadn’t been shut down properly or was put into a sleep state, it was possible for a person to steal data that was left in memory after the system loses power. Over the course of the past 10 years, safeguards have been put in place to defend against the threat.
In particular, the Trusted Computing Group created a way to ensure that the data in RAM is overwritten early in the boot process, once power to the computer is restored. The thinking was that these protections were enough to address the threat posed by cold boot attacks.
However, according to researchers at security solutions firm F-Secure, the door has not been shut on the vulnerability. In a recent blog post, the company outlined work by F-Secure security consultants Olle Segerdahl and Pasi Saarinen showing a new way that hackers--if they get physical control over the computer--can still gain access to the information left in memory.
According to Segerdahl and Saarinen, attackers can use a simple tool to manipulate the computer’s firmware settings to disable the overwriting of the memory and then run a normal cold boot attack. Essentially, as the computer reboots, it determines that it no longer needs to wipe the memory, so the hackers can boot from an external device like a USB stick and grab the information--including encryption keys--from RAM that was there before the computer was put into sleep mode. The hackers can get access to data such as passwords and credentials to the corporate network.
“According to [F-Secure’s] research, this method will work against nearly all modern computers,” company researchers wrote in the blog post. “This includes laptops from some of the world’s biggest vendors like Dell, Lenovo, and even Apple. And because these computers are everywhere, [Segerdahl] and [Saarinen] are sharing their research with companies like Microsoft, Apple and Intel, but also the public.”
Relatively Challenging Hack to Perform
With all that said, this isn’t the easiest hack to pull off. First, an attacker needs to get physical control of a computer that hasn’t been shut down properly. Then they need enough time with the system to run the hack. It can take minutes to do, according to the researchers, though if a vulnerable laptop is lost or stolen, the criminals will have more time to do the work.
Steps have been taken to protect against the vulnerability found by F-Secure. Microsoft, Intel and Apple are all working on possible mitigations, according to the researchers. Microsoft engineers have updated the company’s BitLocker configuration guidance to address the threat, and Apple officials said Macs with the company’s T2 chip contain security features that protect the devices against the vulnerability. Apple also suggests setting a firmware password to harden Macs that don’t have a T2 chip, according to F-Secure analysts.
The burden will eventually fall on manufacturers to enhance the security of PCs and Apple devices and on users to be smart about protecting the systems. Segerdahl and Saarinen recommend that organizations configure corporate computers to either shut down or hibernate – not go into sleep mode – and require employees to put in their BitLocker PIN when they power up or restore the system. IT staff also should let executives and workers know about the threat.
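The two recommendations above (no sleep mode, and a BitLocker PIN at startup) can be audited and applied per machine. The following PowerShell is an added example, not F-Secure’s or Microsoft’s own tooling; it assumes an elevated shell on Windows with the BitLocker module, that the `UseAdvancedStartup`/`UseTPMPIN` policy values under `HKLM\SOFTWARE\Policies\Microsoft\FVE` match the “Require additional authentication at startup” Group Policy, and that `$Pin` is supplied by the operator.

```powershell
#Requires -RunAsAdministrator

# Report whether the OS volume relies on a TPM-only protector (no pre-boot PIN),
# which is what a sleep-then-cold-boot attack targets.
function Test-PrebootPin {
    param([string]$MountPoint = "C:")
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    [pscustomobject]@{
        MountPoint  = $MountPoint
        Protection  = $vol.ProtectionStatus
        Protectors  = ($types -join ', ')
        HasPin      = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
    }
}

# Make the laptop hibernate (RAM powered off) instead of sleeping on lid close,
# power button and idle timeout, for both AC and battery.
function Set-HibernateInsteadOfSleep {
    powercfg /hibernate on | Out-Null
    # LIDACTION / PBUTTONACTION: 0 = do nothing, 1 = sleep, 2 = hibernate, 3 = shut down
    foreach ($side in 'setacvalueindex', 'setdcvalueindex') {
        powercfg /$side SCHEME_CURRENT SUB_BUTTONS LIDACTION 2
        powercfg /$side SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 2
    }
    powercfg /change standby-timeout-ac 0     # never enter S3 sleep on idle
    powercfg /change standby-timeout-dc 0
    powercfg /setactive SCHEME_CURRENT
}

# Allow and require a PIN via local policy (assumed registry equivalents of the
# GPO), then add a TPM+PIN protector alongside any existing ones.
function Enable-BitLockerPin {
    param([string]$MountPoint = "C:", [Parameter(Mandatory)][securestring]$Pin)
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMPIN -Value 1 -Type DWord   # 1 = require PIN
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
}

# Usage: audit first, then harden only where a PIN is missing.
$status = Test-PrebootPin
$status | Format-List
Set-HibernateInsteadOfSleep
if (-not $status.HasPin) {
    $Pin = Read-Host -AsSecureString "Enter new BitLocker startup PIN"
    Enable-BitLockerPin -Pin $Pin
}
```

Run `Test-PrebootPin` on its own from an inventory script to find machines still on TPM-only protectors before rolling the change out.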
The huge number of corporate PCs and Macs vulnerable to the hack has garnered a lot of attention in both the industry and mainstream media. However, some in the industry reiterated that in order to perform the cold-boot attack, hackers need to gain physical control of the device, and that there are numerous other risks to PCs that can be exploited remotely.
“The basic security processes need to be followed: Secure your laptop at all times, and, when not in use or in your immediate possession, shut down the laptop,” said Joseph Kucic, chief security officer at security firm Cavirin. “There are various reasons not to leave a device in sleep mode when not in your possession, even if this threat did not reoccur.”
According to Chris Morales, head of security analytics at Vectra, which sells threat management solutions, this kind of attack isn’t impossible, but it’s not easy, particularly given all the variables involved, including having to physically control a device that is still in sleep mode and that holds the kinds of data and system credentials that matter to attackers. It’s most likely to be used in a highly targeted attack in which the data couldn’t be stolen other ways.
Also, the type of information grabbed through this kind of attack is used to gain further access into the system, Morales told ITPro Today.
“The good news is that it is usually obvious when a system is stolen or no longer in the possession of the owner, which gives the owner and IT security time to respond,” he said. “A proper response should include the revocation of credentials and user access from that system. This works if the proper response policy is in place and users know to respond quickly to IT before potential access and compromise occurs.”
Rick Moy, chief marketing officer with cybersecurity vendor Acalvio, told ITPro Today that there are “numerous other more likely risks facing organizations today that can be carried out remotely with ease. And most organizations struggle to cover these bases as it is. As a user, physically securing your laptop is just as important as it was before. Perhaps this is a good reminder of that.”