Cold boot attack leaves Apple and Microsoft systems vulnerable to data theft
Researchers at cyber security company F-Secure have discovered a weakness in modern computers' firmware that attackers can use to steal encryption keys and other sensitive information.
Physical access to the computer is needed to exploit the weakness, but once an attacker has gained this they can successfully perform the attack in around five minutes.
"Typically, organizations aren’t prepared to protect themselves from an attacker that has physical possession of a company computer," says F-Secure's principal security consultant Olle Segerdahl. "And when you have a security issue found in devices from major PC vendors, like the weakness my team has learned to exploit, you need to assume that a lot of companies have a weak link in their security that they’re not fully aware of or prepared to deal with."
The weakness allows attackers to perform a cold boot attack, something that was first seen in 2008. Cold boot attacks involve rebooting a computer without following a proper shutdown process, then recovering data that remains briefly accessible in the RAM after the power is lost.
Modern laptops overwrite RAM specifically to prevent attackers from using this method to steal data. However, Segerdahl and his team have discovered a way to disable the overwrite process and revive the decade-old cold boot attack method.
"Because this attack works against the kind of laptops used by companies there’s no reliable way for organizations to know their data is safe if a computer goes missing. And since 99 percent of company laptops will contain things like access credentials for corporate networks, it gives attackers a consistent, reliable way to compromise corporate targets," adds Segerdahl. "There's no easy fix for this issue either, so it's a risk that companies are going to have to address on their own."
The research has been shared with Intel, Microsoft and Apple to help the industry improve the security of current and future products. Since there seems unlikely to be a quick fix, however, companies are advised to take some preventive measures. One approach is to configure laptops to automatically shut down or hibernate instead of entering sleep mode and require users to enter the Bitlocker PIN each time Windows boots up or restores. Educating staff, especially executives and employees who travel, about cold boot attacks and similar threats is also important. IT departments should have an incident response plan ready to deal with laptops that go missing.