Cybersecurity major F-Secure have discovered a weakness in modern computers that attackers can use to steal encryption keys and other sensitive information. The discovery has compelled the researchers to warn PC vendors such as Intel, Microsoft and Apple to help the PC industry improve the security of current and future products.
Using a simple hardware tool, an attacker can rewrite the non-volatile memory chip that contains these settings, disable memory overwriting, and enable booting from external devices. The cold boot attack can then be carried out by booting a special program off a USB stick.
According to F-Secure Principal Security Consultant Olle Segerdahl says once achieved, an adversary can successfully perform the attack in about 5 minutes. Modern laptops now overwrite RAM specifically to prevent attackers from using cold boot attacks to steal data. However, Segerdahl and his team discovered a way to disable the overwrite process and re-enable the decade old cold boot attack.
“Typically, organizations aren’t prepared to protect themselves from an attacker that has physical possession of a company computer. And when you have a security issue found in devices from major PC vendors, like the weakness my team has learned to exploit, you need to assume that a lot of companies have a weak link in their security that they’re not fully aware of or prepared to deal with,” said Segerdahl.
The weakness allows attackers with physical access to a computer to perform a cold boot attack – an attack that’s been known to hackers since 2008. Cold boot attacks involve rebooting a computer without following a proper shutdown process, then recovering data that remains briefly accessible in the RAM after the power is lost.
“Because this attack works against the kind of laptops used by companies there’s no reliable way for organizations to know their data is safe if a computer goes missing. And since 99 percent of company laptops will contain things like access credentials for corporate networks, it gives attackers a consistent, reliable way to compromise corporate targets,” said Segerdahl. “There’s no easy fix for this issue either, so it’s a risk that companies are going to have to address on their own.”
As the researcher doesn’t expect an immediate fix from the industry anytime soon, he recommends companies prepare themselves for these attacks.
One way is to configure laptops to automatically shut down/hibernate instead of enter sleep mode and require users to enter the Bitlocker PIN anytime Windows boots up or restores. Educating workers, especially executives and employees who travel, about cold boot attacks and similar threats is also important. And IT departments should have an incident response plan ready to deal with laptops that go missing.