It’s 2008 all over again as researchers have found a way to leverage cold boot attacks against modern computers to steal sensitive data from lost or stolen devices.
Olle Segerdahl and Pasi Saarinen, security consultants for F-Secure, developed the new cold boot attack method and claim it “will work against nearly all modern computers,” including both Windows and MacOS devices.
In classic cold boot attacks, threat actors could recover data stored in RAM after a computer was improperly shut down, but modern operating systems mitigate this by overwriting RAM when the system restarts. Segerdahl and Saarinen found a way to disable this feature.
“It takes some extra steps compared to the classic cold boot attack, but it’s effective against all the modern laptops we’ve tested,” Segerdahl said in a written press statement. “And since this type of threat is primarily relevant in scenarios where devices are stolen or illicitly obtained, it’s the kind of thing an attacker will have plenty of time to execute.”
Segerdahl and Saarinen developed a tool that rewrites the mitigation settings in memory, disabling memory overwriting and allowing them to boot from an external device that reads the target system’s memory. The researchers said cold boot attacks like this could be used to steal sensitive data such as credentials or even encryption keys held in memory.
“It’s not exactly easy to do, but it’s not a hard enough issue to find and exploit for us to ignore the probability that some attackers have already figured this out,” Segerdahl said in a statement. “It’s not exactly the kind of thing that attackers looking for easy targets will use. But it is the kind of thing that attackers looking for bigger phish, like a bank or large enterprise, will know how to use.”
The @fsecure cold boot technique requires physical access. To protect sensitive info, at a minimum, we recommend using a device with a discrete TPM, disabling sleep/hibernation and configuring BitLocker with a PIN. #protect #coldboot
— Jeff Jones (@securityjones), September 13, 2018
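The tweet above lists three device-side mitigations. The following PowerShell audit, an added example that is not from the article, Microsoft or F-Secure, checks a Windows endpoint for each of them; it assumes an elevated session on Windows 10/11 with the BitLocker and TrustedPlatformModule modules present, and the function name `Test-ColdBootHardening` is the author's own.

```powershell
# Added example: audit a Windows device for the mitigations recommended above
# (discrete/ready TPM, BitLocker with a PIN, hibernation and sleep disabled).
# Run from an elevated PowerShell session; returns a list of findings.
function Test-ColdBootHardening {
    $findings = @()

    # 1. TPM present and ready: BitLocker cannot bind keys to hardware without it.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        $findings += 'No ready TPM detected.'
    }

    # 2. OS volume must be protected, and with a protector that demands a PIN at
    #    boot. A TPM-only protector releases the key into RAM with no user input,
    #    which is exactly what a cold boot attacker wants to find there.
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($osVol.ProtectionStatus -ne 'On') {
        $findings += "BitLocker protection is not On for $env:SystemDrive."
    }
    $types = @($osVol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $pinTypes = @('TpmPin', 'TpmPinStartupKey')
    if (-not ($types | Where-Object { $pinTypes -contains $_ })) {
        $findings += "OS volume has no TPM+PIN protector (found: $($types -join ', '))."
    }

    # 3. Hibernation writes memory contents to disk and keeps the key material
    #    reachable on resume; HibernateEnabled=1 means it is still on.
    $power = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $hiber = (Get-ItemProperty -Path $power -Name HibernateEnabled -ErrorAction SilentlyContinue).HibernateEnabled
    if ($hiber -eq 1) {
        $findings += 'Hibernation is enabled (disable with: powercfg /hibernate off).'
    }

    # 4. Sleep leaves RAM powered with keys resident. powercfg /a lists the sleep
    #    states the firmware offers; report them so an admin can disable S3/Modern
    #    Standby in the power plan or firmware. (Output text is locale dependent,
    #    so it is reported raw rather than parsed.)
    $states = (powercfg /a) -join "`n"
    $findings += "Sleep states reported by powercfg /a:`n$states"

    return $findings
}

Test-ColdBootHardening | ForEach-Object { Write-Output $_ }
```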
The researchers said cold boot attacks like this could provide a consistent way for threat actors to steal data because the technique works across platforms. And although the researchers have shared their findings with Microsoft, Intel and Apple, mitigations are still a work in progress.
Apple claims that Macs with the T2 chip are immune to cold boot attacks — though this only includes the iMac Pro and 2018 MacBook Pro models — and suggested users with other Mac devices set a firmware password. Microsoft updated its BitLocker guidance to help users protect sensitive information.