New cold boot attack affects 'nearly all modern computers'

Security researchers find a new way to disable current cold boot attack firmware security measures to steal sensitive data from high-value computers.

Security researchers will detail today a new variation of a cold boot attack that can meddle with a computer's firmware to disable security measures and allow an attacker to recover sensitive data stored on that computer, such as passwords, corporate files, and more.

The attack, which is presented today at a security conference, is a variation of old cold boot attacks, known for nearly a decade.

Also: 7 tips for SMBs to improve data security TechRepublic

Cold boot attacks are when an attacker forces a computer reset/reboot and then steals any data left over in the RAM.

All cold boot attacks require physical access and special hardware tooling to perform, and are generally not considered a threat vector for normal users, but only for computers storing highly-sensitive information, or for high-value individuals such as government officials or businessmen.

f-secure-cold-boot.png

Over the years, OS makers and hardware vendors have shipped various security measures to reduce the impact of cold boot attacks, even if they happen. One of these protections was that computers would overwrite the contents of the RAM when power was restored after a cold boot.

Also: Vulnerabilities found in the remote management interface of Supermicro servers

But security researchers from Finnish cyber-security firm F-Secure discovered that they could disable this feature by modifying firmware settings and steal data from a computer's RAM after a cold reboot.

Also: Best Home Security Devices for 2018 CNET

Just like all previous cold boot attacks, their method requires physical access and a special tool to extract leftover RAM. A video of one of the researchers performing their variant of the attack is embedded below.

"It's not exactly easy to do, but it's not a hard enough issue to find and exploit for us to ignore the probability that some attackers have already figured this out," said F-Secure Principal Security Consultant Olle Segerdahl, one of the researchers.

"It's not exactly the kind of thing that attackers looking for easy targets will use. But it is the kind of thing that attackers looking for bigger phish, like a bank or large enterprise, will know how to use," he added.

Also: OpenSSL 1.1.1 out with TLS 1.3 support and "complete rewrite" of RNG component

The two researchers say this method will work against nearly all modern computers. They have already notified Microsoft, Intel, and Apple of their findings.

Microsoft responded by updating its BitLocker guidance while Apple said that all devices using a T2 chip are not vulnerable.

In the meantime, Olle and Pasi recommend that system administrators and IT departments configure all company computers to either shut down or hibernate (not enter sleep mode) and require users to enter their BitLocker PIN whenever they power up or restore their computers.

The two say cold boot attacks --such as their variation-- will continue to work, but by encrypting the hard drive via BitLocker or another similar system, this limits the amount of data an attacker can recover.

"Encryption keys aren't stored in the RAM when a machine hibernates or shuts down. So there's no valuable info for an attacker to steal," F-Secure said in a press release today.

UPDATE, September 14: The F-Secure team's presentation at the Sec-T conference has been published on YouTube. For more technical details about the attack, check one hour and 30 minutes into the below video.

Previous and related coverage:

What is malware? Everything you need to know

Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.

Security 101: Here's how to keep your data private, step by step

This simple advice will help to protect you against hackers and government surveillance.

VPN services 2018: The ultimate guide to protecting your data on the internet

Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet.