Organisations at risk from data loss through "Cold Boot" attacks

News by Rene Millman

Security researchers have found flaws in most computers that would enable hackers to steal sensitive data and encryption keys.

Security researchers have found flaws in most computers that would enable hackers to steal sensitive data and encryption keys.

According to a blog post by researchers at F-Secure, a weakness in a system’s firmware exposes encryption keys that allow a cyber-attacker to steal sensitive data.

Discovered by F-Secure principal security consultant Olle Segerdahl, and cyber-security consultant Pasi Saarinen, this method will work against nearly all modern computers. This includes laptops from some of the world’s biggest vendors like Dell, Lenovo, and even Apple.

The so-called "Cold Boot" attacks aren’t new, they were developed by a research group back in 2008 that discovered that when a computer is reset without following proper procedures (what’s known as a cold/hard reboot), they could steal information that briefly remains in the memory (RAM) after the device loses power.

While efforts to overcome this have been largely successful, (such as ones by the Trusted Computing Group (TCG) where RAM contents are overwritten when power is restored), the researchers discovered a way to disable this overwrite feature by physically manipulating the computer’s hardware. 

The researchers learned how to rewrite the non-volatile memory chip that contains these settings, disable memory overwriting, and enable booting from external devices. Cold boot attacks can then be carried out by booting a special program off a USB stick.

"Typically, organisations aren’t prepared to protect themselves from an attacker that has physical possession of a company computer. And when you have a security issue found in devices from major PC vendors, like the weakness my team has learned to exploit, you need to assume that a lot of companies have a weak link in their security that they’re not fully aware of or prepared to deal with," said Segerdahl.

"It takes some extra steps compared to the classic cold boot attack, but it’s effective against all the modern laptops we’ve tested. And since this type of threat is primarily relevant in scenarios where devices are stolen or illicitly obtained, it’s the kind of thing an attacker will have plenty of time to execute," he added.

Segerdahl said that as this attack works against the kind of laptops used by companies there’s no reliable way for organisations to know their data is safe if a computer goes missing. And since 99 percent of company laptops will contain things like access credentials for corporate networks, it gives attackers a consistent, reliable way to compromise corporate targets.

"There’s no easy fix for this issue either, so it’s a risk that companies are going to have to address on their own," he warned.

Segerdahl has shared his team’s research with Intel, Microsoft and Apple to help the PC industry improve the security of current and future products.

Richard Lush, vice president consulting and head of Cyber Operational Security at CGI UK, told SC Media UK that guidance for laptop users to combat a cold boot attack is to ensure that disk encryption is enabled, and the machine has fully patched operating systems with up to date anti-malware.

"It is also essential to understand the physical security of your device and perform a full shutdown or hibernate your device, rather than just putting it to sleep.

Paul Ducklin, Senior Technologist at Sophos, told SC Media UK that users should get in the habit of actually shutting down and powering off their laptop every time they set off home.

"When you are ready to resume work, just boot it up again. It is rather annoying at first, but you soon get used to it - and it feels a lot safer, because it *is* a lot safer. It empties out the contents of RAM, it gets you in the habit of saving and closing open files regularly, and it means you get used to shutting down apps and actually logging out from online services," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming event