New 'Cold Boot' Attack Unlocks Mac, PC Disk Encryption

Chilling reality of cold boot attacks

Chilling reality of cold boot attacks

If a hacker gains physical access to your laptop, then with the right tools even a fully-encrypted machine can be accessed and all the data stored on it stolen. According to the latest report, access to user data is obtained via a 2008-style cold boot attack, where hackers steal information briefly stored in RAM when a computer is restarted without "following proper procedures".

Consultants from cyber security provider F-Secure have discovered a weakness in modern computers that attackers can use to steal encryption keys and other sensitive information. Most modern computers overwrite RAM when they are powered down to prevent unauthorised access to data during a cold boot attack, but the researchers have found a way to disable the process. They claim to have found a firmware vulnerability that can potentially let hackers with physical access to a computer turn off data overwriting. You can see how this works in the video F-Secure produced below demonstrating the attack on real hardware.

Relying on computer memory's remanence behavior, security researchers figured out a way to extract sensitive data from RAM, such as encryption keys, even after the loss of power. This new variation on the attack works by manipulating the firmware settings, overwrites the non-volatile memory chip that triggers the RAM content to be flushed, and allows booting from an external drive such as a USB stick.

The two researchers say this method will work against almost all modern computers.

"It's not exactly easy to do, but it's not a hard enough issue to find and exploit for us to ignore the probability that some attackers have already figured this out", Olle Segerdahl, one of the F-Secure researchers who developed the attack, said in a statement released this morning (Sept. 13). Sweden, and will be presented again September 27 at the BlueHat security conference on the Microsoft main campus in Redmond, Washington. He said that they had notified Intel, Microsoft, and Apple about his team's discovery and are working with these companies to provide better guidance to users and improve the security of current and future products. F-Secure's description of the attack seems intentionally vague on how exactly you modify the firmware security, but we are assured it's "simple".

F-Secure advises everyone to always either shut down or hibernate their laptop, never just place it in sleep mode. Apple has reportedly stated that the T2 Chip used in its Mac units already contains security measures to counter cold boot attacks.

In the meantime, Olle and Pasi recommend that system administrators and IT departments configure all company computers to either shut down or hibernate (not enter sleep mode) and require users to enter their BitLocker PIN whenever they power up or restore their computers.

Apple responded by pointing to the latest generation of Macs, which have the T2 chip that do the encryption separately from the CPU and makes such an attack more hard to execute.

Recommended News

We are pleased to provide this opportunity to share information, experiences and observations about what's in the news.
Some of the comments may be reprinted elsewhere in the site or in the newspaper.
Thank you for taking the time to offer your thoughts.