Published: Fri, September 14, 2018

Cold boot attack leaves Apple and Microsoft systems vulnerable to data theft


Trusted Computing Group, a consortium formed by AMD, Hewlett-Packard, IBM, Intel, and Microsoft, chose to protect computers against this threat vector by overwriting RAM contents when the power came back. Either method will cut off the power and clear the memory. At the same time, Microsoft, Apple, and Intel are working on new ways to stop this attack from being possible, with Apple stating the T2 Chip used in its new laptops already contains security measures to counter cold boot attacks.

Ordinary computer users don't need to worry about this attack. Macs with T2 chips - on iMac Pros and 2018 MacBook Pros - are immune to this attack, and Apple recommends that users of other Macs set a BIOS PIN to prevent unauthorized motherboard-firmware changes. But it could be a problem for corporate executives and government officials, whose encrypted computers often contain highly valuable information.

"It's not exactly the kind of thing that attackers looking for easy targets will use", Segerdahl said.

"It's the kind of thing that attackers looking for bigger phish, like a bank or large enterprise, will know how to use", he added. He then closes the lid of a laptop, putting it in sleep mode, and walks away.

In the case of BitLocker, if it is configured for pre-boot authentication with a PIN, the attacker gets only one shot, because the PIN must be entered before the encryption keys are loaded into RAM.
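The two mitigations the article describes for Windows laptops, a BitLocker pre-boot PIN and not leaving the machine in sleep with keys resident in RAM, can be audited from an elevated PowerShell prompt. The script below is an added example written for this page; it is not code from the article, F-Secure, or Microsoft. It assumes the BitLocker PowerShell module is available (Windows 10/11 Pro or Enterprise), and the function and variable names are the example's own.

```powershell
# Added example (not from the article or from F-Secure). Audits one Windows machine for
# the two cold-boot conditions discussed in the article: no BitLocker pre-boot PIN, and
# lid-close / hibernate settings that leave the machine in S3 sleep with keys in RAM.
# Run from an elevated prompt; requires the BitLocker module.

function Get-ColdBootPosture {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive   # OS volume to inspect
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. BitLocker: is the OS volume protected, and does a protector demand a PIN
    #    before the TPM releases the volume key? 'TpmPin' and 'TpmPinStartupKey'
    #    do; a bare 'Tpm' protector unseals the key with no user interaction.
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("BitLocker protection is $($vol.ProtectionStatus) on $MountPoint")
    }
    $pinProtectors = @($types | Where-Object { $_ -in @('TpmPin', 'TpmPinStartupKey') })
    if ($pinProtectors.Count -eq 0) {
        $findings.Add("No pre-boot PIN protector on $MountPoint (protectors: $($types -join ', '))")
    }

    # 2. Sleep vs. hibernate: in sleep the RAM stays powered and the keys stay resident;
    #    hibernation writes state to disk and powers the RAM down. Check that hibernation
    #    is enabled and that closing the lid hibernates rather than sleeps.
    $powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $hib = (Get-ItemProperty -Path $powerKey -Name HibernateEnabled -ErrorAction SilentlyContinue).HibernateEnabled
    if ($hib -ne 1) {
        $findings.Add('Hibernation is disabled (HibernateEnabled != 1)')
    }

    # powercfg lid-action index: 0 = do nothing, 1 = sleep, 2 = hibernate, 3 = shut down
    $lidOut = powercfg /query SCHEME_CURRENT SUB_BUTTONS LIDACTION
    foreach ($line in $lidOut) {
        if ($line -match 'Current (AC|DC) Power Setting Index:\s+0x([0-9a-fA-F]+)') {
            $source = $Matches[1]
            $index  = [Convert]::ToInt32($Matches[2], 16)
            if ($index -eq 1) {
                $findings.Add("Lid close on $source power is set to sleep (index 1)")
            }
        }
    }

    [pscustomobject]@{
        MountPoint       = $MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        KeyProtectors    = $types
        HibernateEnabled = ($hib -eq 1)
        Findings         = $findings
    }
}

Get-ColdBootPosture | Format-List
```

An empty `Findings` list means the volume has a PIN-backed protector and the machine hibernates on lid close. Where it reports a sleep lid action, the usual remediation is `powercfg /h on` followed by `powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2` (and the matching `/setdcvalueindex`), then `powercfg /setactive SCHEME_CURRENT`; adding a PIN protector is done with `Add-BitLockerKeyProtector -TpmAndPinProtector` after the `UseTPMPIN` policy allows it.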

"The attack exploits the fact that the firmware settings governing the behaviour of the boot process are not protected against manipulation by a physical attacker", F-Secure wrote in a blog post. After that, the attacker can boot from an external device to read the contents of the system's RAM from before the device went to sleep. Because encryption keys aren't stored in memory that way.

The attack, which is presented today at a security conference, is a variation of old cold boot attacks, known for almost a decade.

Cold-boot attacks were first developed a decade ago, and computer manufacturers now include a memory-overwrite process that, in theory, thwarts any memory-access attempt.

The two researchers presented the attack today at SEC-T security conference, where they explained the technical details and methods to bypass security implementations, such as booting a USB stick on systems that have Secure Boot enabled.

"It takes some extra steps compared to the classic cold boot attack", Segerdahl told TechCrunch's Zack Whittaker, "but it's effective against all the modern laptops we've tested".

Cold boot attacks have been around since 2008 and involve stealing information stored on a computer that hasn't been shut down properly, or that was left in a vulnerable sleeping state.

As reported by ZDNet, F-Secure's findings say that contemporary security measures are enough to prevent the theft caused by the new flaw.

Apple responded by pointing to the latest generation of Macs, which have the T2 chip; it performs the encryption separately from the CPU and makes such an attack harder to execute.
