F-Secure researchers have developed a new tool to carry out cold boot attacks which could allow attackers to steal encryption keys and other sensitive information from devices left in sleep mode.
The firm’s Principal Security Consultant Olle Segerdahl and his fellow cybersecurity consultant Pasi Saarinen developed an attack to bypass BIOS mitigations by exploiting a weakness in how computers protect firmware on Apple, Dell, Lenovo and all other models made in the last 10 years, according to a Sept. 13 blog post.
This is because when a computer is reset without the proper procedure, critical information remains in the random access memory (RAM) after the device loses power. Their attack also bypasses some existing mitigations for cold-boot attacks on laptops.
“The two experts figured out a way to disable this overwrite feature by physically manipulating the computer’s hardware,” the post said. “Using a simple tool, Olle and Pasi learned how to rewrite the non-volatile memory chip that contains these settings, disable memory overwriting, and enable booting from external devices. Cold boot attacks can then be carried out by booting a special program off a USB stick.”
Segerdahl referred to sleep mode as “vulnerable mode” as an attacker with physical access to the device can simply manipulate the firmware settings and perform a cold reboot into the USB in order to obtain the encryption keys from memory.
Fortunately, the attacks aren’t simple to carry out and do require physical access in order to do however, researchers recommend that since the technique is known by hackers and is effective on nearly all modern laptops, companies should still take heed.
In order to prevent such threats, researchers recommend companies require cybersecurity PIN entry on computer restore and power ups, force computers to shutdown/hibernate, keep laptops physically safe and report missing devices, and have incident response plans in place for dealing with missing devices.
“Typically, organizations aren’t prepared to protect themselves from an attacker that has physical possession of a company computer,” Segerdahl said in a press release. “And when you have a security issue found in devices from major PC vendors, like the weakness my team has learned to exploit, you need to assume that a lot of companies have a weak link in their security that they’re not fully aware of or prepared to deal with.”
The researchers have shared their findings with Microsoft, Intel, and Apple and said all three companies are exploring possible mitigation strategies.
The researchers also helped Microsoft update their guidance on Bitlocker countermeasures.