Published: Fri, September 14, 2018
Industry | By Terrell Bush

New 'Cold Boot' Attack Unlocks Mac, PC Disk Encryption

Cold boot attacks have been around since 2008, and occur when an attacker forces a computer reboot and then steals any data that remains in the RAM.

Finnish cyber-security company F-Secure has discovered a flaw in almost all modern desktops and laptops that allows hackers to potentially steal sensitive information from your locked devices.

According to F-Secure Principal Security Consultant Olle Segerdahl, who is involved in the research, "It's not exactly easy to do, but it's not a hard enough issue to find and exploit for us to ignore the probability that some attackers have already figured this out."

The Trusted Computing Group, a consortium formed by AMD, Hewlett-Packard, IBM, Intel, and Microsoft, chose to protect computers against this threat vector by overwriting RAM contents when power is restored. Shutting your computer all the way off is still the best defense. Either method will cut off the power and clear the memory. Perhaps the one saving grace here is that someone needs to have physical access to your computer and enough time to take it apart in order to steal any data. Macs with T2 chips (iMac Pros and 2018 MacBook Pros) are immune to this attack, and Apple recommends that users of other Macs set a BIOS PIN to prevent unauthorized motherboard-firmware changes. "And since this type of threat is primarily relevant in scenarios where devices are stolen or illicitly purchased by attackers, it's the kind of thing an attacker will have plenty of time to execute," said Segerdahl.

He added that it is not practical on easy targets, but it would be on an attacker's list of options for a "bigger phish, like a bank or large enterprise". You can see how this works in the video F-Secure produced below demonstrating the attack on real hardware.

An attacker grabs the laptop, takes it to another desk, removes the battery, pops the lid and sprays the RAM modules with compressed air, freezing them. After that, the attacker can boot from an external device to read the contents of the system's RAM from before the device went to sleep.

The technique can steal the data in the computer's memory, including hard drive encryption keys. The researchers presented their findings at a conference in Sweden recently, and will present them again at Microsoft's security conference on September 27. Apple has reportedly stated that the T2 chip used in its Mac units already contains security measures to counter cold boot attacks.

The two researchers presented the attack today at the SEC-T security conference, where they explained the technical details and methods to bypass security implementations, such as booting a USB stick on systems that have Secure Boot enabled. For example, restoring power to a powered-down machine will erase the contents of RAM.

F-Secure says that laptops from Apple, Dell and Lenovo are vulnerable to the modified attack, and said it's notified Microsoft, Intel and Apple about the problem so they can get to work on a fix.
