A team of experts from cybersecurity firm F-Secure has discovered security flaws affecting firmware in modern computers that could be exploited by hackers to carry out cold boot attacks and recover sensitive data from the memory of the affected machines.
The attack devised by Olle Segerdahl and Pasi Saarinen leverages physical changes to the target hardware.
A cold boot attack is a type of side channel attack that allows an attacker with physical access to the target system to retrieve sensitive data (i.e. encryption keys, passwords) from a running operating system after using a cold reboot to restart the machine.
“Cold boot attacks are a known method of obtaining encryption keys from devices. But the reality is that attackers can get their hands on all kinds of information using these attacks. Passwords, credentials to corporate networks, and any data stored on the machine are at risk,” reads the blog post published by the experts.
The attack is possible because the data can remain in memory for a variable time and an attacker can retrieve them by accessing the memory after a cold reboot. The permanence of data in memory could be extended up to hours by cooling memory modules.
Experts from F-Secure discovered vulnerabilities affecting computers from several major vendors, including Dell, Lenovo, and Apple.
The bad news is that it is impossible to fix such flaws in the affected machines.
The experts at F-Secure demonstrated that hardware changes could be exploited by an attacker to disable the feature that overwrites memory after a reboot, and configure the computer to boot from an external device.
“The two experts figured out a way to disable this overwrite feature by physically manipulating the computer’s hardware.” continues the blog post.
“Using a simple tool, Olle and Pasi learned how to rewrite the non-volatile memory chip that contains these settings, disable memory overwriting, and enable booting from external devices. Cold boot attacks can then be carried out by booting a special program off a USB stick.”
The experts demonstrated that it is possible to carry out the attack using a specially crafted USB device that contains the code to dump the content of the pre-boot memory to a file.
The security duo speculates that the attack can be effective against nearly all modern laptops.
“It’s not exactly easy to do, but it’s not a hard enough issue to find and exploit for us to ignore the probability that some attackers have already figured this out,” Segerdahl explained. “It’s not exactly the kind of thing that attackers looking for easy targets will use. But it is the kind of thing that attackers looking for bigger phish, like a bank or large enterprise, will know how to use.”
A possible mitigation consists of configuring devices to shut down or hibernate instead of sleeping when they’re not used. Windows users have to configure BitLocker that asks for a PIN whenever the computers power up.
Even implementing these measures, an attacker could still perform a cold boot attack but cannot access encryption keys because they aren’t stored in the RAM when a machine hibernates or shuts down. This means that here’s no valuable info for an attacker to access.
“A quick response that invalidates access credentials will make stolen laptops less valuable to attackers. IT security and incident response teams should rehearse this scenario and make sure that the company’s workforce knows to notify IT immediately if a device is lost or stolen,” said Segerdahl. “Planning for these events is a better practice than assuming devices cannot be physically compromised by hackers because that’s obviously not the case.” concludes the experts.