F-Secure Says Nearly All Modern Computers Vulnerable to Cold Boot Attacks

Joanna Estrada
September 14, 2018

Trusted Computing Group, a consortium formed by AMD, Hewlett-Packard, IBM, Intel, and Microsoft, decided to protect computers against this threat vector by overwriting RAM contents when power is restored.

RAM (random access memory) is volatile and loses its contents without power, but it can retain information for longer, even minutes, under low-temperature conditions.

But F-Secure principal security consultant Olle Segerdahl, along with other researchers from the security outfit, claims they've discovered a way to disable that safety measure and extract data using the ten-year-old cold boot attack method.

Ordinary computer users don't need to worry about this attack.

In the meantime, he recommends companies prepare themselves for these attacks. "And since this type of threat is primarily relevant in scenarios where devices are stolen or illicitly purchased by attackers, it's the kind of thing an attacker will have plenty of time to execute", said Segerdahl. "But it is the kind of thing that attackers looking for bigger phish, like a bank or large enterprise, will know how to use".

Look at that laptop over there, lid closed and sleeping soundly.

In the case of BitLocker, if it is configured for pre-boot authentication with a PIN, the attack has only one shot to be successful because the code is mandatory for extracting the encryption keys into the RAM.
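
One way to audit this setting on a Windows machine, as an added example that is not from the article or from F-Secure: the PowerShell below uses the built-in `Get-BitLockerVolume` cmdlet to report whether each operating-system volume has a PIN-based key protector. The function name `Get-PreBootPinStatus` and the wording of the findings are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: report whether BitLocker OS volumes require a pre-boot PIN.
# Run in an elevated session on Windows with the BitLocker module available.

# Key protector types that make the user enter a PIN before the volume unlocks.
$PinProtectors = 'TpmPin', 'TpmPinStartupKey'

function Get-PreBootPinStatus {
    # Hypothetical helper name; it only wraps the built-in Get-BitLockerVolume cmdlet.
    $osVolumes = Get-BitLockerVolume |
        Where-Object { $_.VolumeType.ToString() -eq 'OperatingSystem' }

    foreach ($vol in $osVolumes) {
        # Collect the protector types configured on this volume as strings.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasPin = [bool]($types | Where-Object { $_ -in $PinProtectors })

        # Classify the volume; protection that is off is reported first.
        $finding =
            if ($vol.ProtectionStatus.ToString() -ne 'On') {
                'BitLocker protection is not on'
            } elseif ($hasPin) {
                'Pre-boot PIN required'
            } elseif ($types -contains 'Tpm') {
                'TPM-only: volume unlocks at boot without a PIN'
            } else {
                'No TPM+PIN protector configured'
            }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Protectors = $types -join ','
            PreBootPin = $hasPin
            Finding    = $finding
        }
    }
}

Get-PreBootPinStatus | Format-Table -AutoSize
```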

You can see the process in the video below.

The attacker then plugs in a USB stick containing a Linux operating system and boots the machine from that. Because encryption keys aren't stored in memory that way. From there, it's as easy as using those keys to access all the files.

F-Secure's researchers presented their findings at a conference in Sweden on Thursday, and are set to present them again at Microsoft's security conference on September 27. Apple has reportedly stated that the T2 Chip used in its Mac units already contains security measures to counter cold boot attacks.

They can either reboot the machine immediately from an external disk, or they can take it apart and literally freeze its memory modules with liquid nitrogen or compressed-air dust sprayers to keep the volatile electrical signals on the RAM modules from changing.

When in sleep mode, the computer state is saved in RAM, which runs in a minimum power state to hold the data.

"It takes some extra steps compared to the classic cold boot attack", Segerdahl told TechCrunch's Zack Whittaker, "but it's effective against all the modern laptops we've tested". Cold boot attacks can steal data from a computer's RAM, where sensitive information is briefly stored after a forced reboot. He said that his team had notified Intel, Microsoft, and Apple about the discovery and is working with these companies to provide better guidance to users and improve the security of current and future products. Apple has also asked users to set a firmware password for Mac devices that come without a T2 chip.
