New cold boot attack leaves 'nearly all modern computers' vulnerable to data theft

• Cold boot attacks have been known since 2008 typically require physical access and special hardware tools to be carried out.
• F-Secure researchers said there is "no easy fix" for this issue.

Security researchers have discovered a vulnerability in nearly all modern computers that could allow hackers to potentially steal sensitive information from locked devices in about five minutes. According to F-Secure researchers, the new exploit is a variation of the traditional cold boot attack wherein an attacker forces a computer reset or reboot before stealing data that briefly remains in the RAM after the device loses power.

Cold boot attacks have been known since 2008 typically require physical access and special hardware tools to be carried out.

Most modern computers have a safety measure that removes data stored on RAM to prevent hackers from stealing sensitive information via cold boot attacks. However, F-Secure principal security consultant Olle Segerdahl and other researchers have discovered a way to disable that safety measure by modifying firmware settings and stealing data from RAM after a cold reboot.

“Typically, organizations aren’t prepared to protect themselves from an attacker that has physical possession of a company computer. And when you have a security issue found in devices from major PC vendors, like the weakness my team has learned to exploit, you need to assume that a lot of companies have a weak link in their security that they’re not fully aware of or prepared to deal with,” Segerdahl said in a statement.

The new cold boot attack variant exploits firmware settings that manage boot process behavior which are not protected against manipulation by a physical attacker. The attacker could use a hardware tool to rewrite the non-volatile memory chip that contains these settings, disable memory overwriting and enable booting from external devices using a program stored on a USB stick.

“It takes some extra steps compared to the classic cold boot attack, but it’s effective against all the modern laptops we’ve tested. And since this type of threat is primarily relevant in scenarios where devices are stolen or illicitly obtained, it’s the kind of thing an attacker will have plenty of time to execute."

Researchers noted that attackers will not likely use this against smaller, easy targets, but larger organizations such as banks or major enterprises. Nearly all modern computers are vulnerable to the new attack, they added, regardless of whether data is protected by BitLocker and FileVault.

Segerdahl said there is "no easy fix" for this issue, adding that "companies are going to have to address this on their own. The researchers have already notified Microsoft, Apple and Intel of their findings.

Microsoft responded by updating its BitLocker guidance.

"This technique requires physical access," Jeff Jones, a senior director at Microsoft, said in a statement. "To protect sensitive info, at a minimum, we recommend using a device with a discreet Trusted Platform Module (TPM), disabling sleep/hibernation and configuring BitLocker with a Personal Identification Number (PIN)."

Apple said all devices using a T2 chip are not vulnerable to such an attack.

F-Secure has recommended users configure their laptops to automatically shut down or hibernate, rather than have it enter sleep mode when they close the screen. They also suggested that devices be configured to enter the Bitlocker PIN anytime the system boots up or restores. Executives and employees must also be trained about these attacks while organizations should have effective and updated incident response plan to deal with missing or stolen laptops.

“A quick response that invalidates access credentials will make stolen laptops less valuable to attackers. IT security and incident response teams should rehearse this scenario and make sure that the company’s workforce knows to notify IT immediately if a device is lost or stolen,” Segerdahl said. “Planning for these events is a better practice than assuming devices cannot be physically compromised by hackers because that’s obviously not the case.”