You'll never guess what you can do once you steal a laptop, reflash the BIOS, and reboot it

Hardware hackers bring cold boot attacks out of the deep freeze


Video If you can steal someone's laptop, leave it switched on in sleep mode, crack it open, hook up some electronics to alter settings in the BIOS firmware, restart it, and boot into a custom program... you can swipe crypto keys and other secrets from the system.

When computers are restarted, the motherboard firmware can wipe the RAM clean to remove any lingering data. It is possible, while a stolen machine is still in sleep mode, to reprogram the firmware's settings so that this memory zeroing is disabled, and then reboot it into a custom operating system on a USB stick or similar that scans the RAM for any sensitive information. This information can be used to decrypt encrypted hard drives, and so on.

Whether or not it's easier than smacking the laptop owner with a two-by-four until they give up their login password is, well, an exercise left to our more sociopathic readers.

F-Secure's Olle Segerdahl and Pasi Saarinen this week detailed their memory-slurping technique, effectively bringing cold boot attacks out of the deep freeze from 2008 and putting them back into play. The pair reckon the approach will work against nearly all modern laptops, including Apple Macs.

The hack is tricky, though once mastered, it can be replicated on any purloined machine. Below is a video demoing the attack.

[Embedded YouTube video: F-Secure's demo of the attack]

F-Secure shared its research with Microsoft, Intel, and Apple. The security biz helped the Windows maker update its guidance on Bitlocker to mitigate against this type of data theft. According to Cupertino, Macs fitted with an Apple T2 chip are not at risk, and older machines can be protected by setting a firmware password.

“It takes some extra steps compared to the classic cold boot attack, but it’s effective against all the modern laptops we’ve tested. And since this type of threat is primarily relevant in scenarios where devices are stolen or illicitly obtained, it’s the kind of thing an attacker will have plenty of time to execute,” explained Segerdahl, principal security consultant at F-Secure.

“A quick response that invalidates access credentials will make stolen laptops less valuable to attackers,” he added.

F-Secure further advises companies to configure laptops so that hackers attempting this or similar variants of cold boot attacks will be left with nothing to steal:

Olle and Pasi recommend that IT departments configure all company computers to either shut down or hibernate (not enter sleep mode) and require users to enter their Bitlocker PIN whenever they power up or restore their computers. This is especially important for company executives (or other employees with access to sensitive info) and employees that travel (who are more likely to leave their laptops in hotel rooms, taxi cabs, restaurants, or airports).

An attacker could still perform a successful cold boot attack against machines configured like this. But encryption keys aren’t stored in the RAM when a machine hibernates or shuts down. So there’s no valuable info for an attacker to steal.
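The configuration F-Secure recommends above (hibernate or shut down rather than sleep, and a Bitlocker PIN at every power-up) can be audited and enforced from PowerShell. The script below is an added example for this article, not code from F-Secure, Microsoft or The Register; it assumes Windows 10/11 with the built-in powercfg.exe and the BitLocker PowerShell module, and the -Remediate switch and every function name in it are this script's own.

```powershell
#Requires -RunAsAdministrator
# Added example: audit (and optionally enforce) the laptop settings recommended against
# sleep-mode cold boot attacks. Not F-Secure's, Microsoft's or The Register's code.
# Assumes Windows 10/11 with powercfg.exe and the BitLocker module; -Remediate and the
# function names are this script's own.
param([switch]$Remediate)

# powercfg button actions: 0 = do nothing, 1 = sleep, 2 = hibernate, 3 = shut down.
$Sleep = 1
$Hibernate = 2

# Parse "Current AC Power Setting Index: 0x00000001" out of a powercfg /query listing.
function Get-PowerSettingIndex {
    param([string]$SubGroup, [string]$Setting, [ValidateSet('AC', 'DC')][string]$Source)
    $text = (powercfg /query SCHEME_CURRENT $SubGroup $Setting) -join "`n"
    if ($text -match "Current $Source Power Setting Index:\s*0x([0-9A-Fa-f]+)") {
        return [Convert]::ToInt32($Matches[1], 16)
    }
    throw "Could not read $SubGroup/$Setting ($Source) from powercfg"
}

# Hibernation must appear in the "available" half of "powercfg /a"; when it is disabled the
# word "Hibernate" still appears under "not available", so split the output before testing.
function Test-HibernateAvailable {
    $listing = (powercfg /a) -join "`n"
    $available = ($listing -split 'not available')[0]
    return [bool]($available -match 'Hibernate')
}

function Get-ColdBootFindings {
    $findings = @()
    if (-not (Test-HibernateAvailable)) {
        $findings += 'Hibernation is disabled; sleep is the only low-power state left.'
    }
    # Lid close, power button and sleep button must never map to sleep (RAM stays powered).
    foreach ($setting in 'LIDACTION', 'PBUTTONACTION', 'SBUTTONACTION') {
        foreach ($source in 'AC', 'DC') {
            if ((Get-PowerSettingIndex SUB_BUTTONS $setting $source) -eq $Sleep) {
                $findings += "$setting ($source) is set to Sleep."
            }
        }
    }
    # An idle timeout of 0 disables automatic sleep; anything else can sleep the box unattended.
    foreach ($source in 'AC', 'DC') {
        if ((Get-PowerSettingIndex SUB_SLEEP STANDBYIDLE $source) -ne 0) {
            $findings += "Automatic sleep after idle is enabled ($source)."
        }
    }
    # BitLocker must be on and must require a PIN before the TPM releases the volume key.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "BitLocker protection is '$($vol.ProtectionStatus)' on $env:SystemDrive."
    }
    $pinTypes = @('TpmPin', 'TpmPinStartupKey')
    if (-not ($vol.KeyProtector.KeyProtectorType | Where-Object { $pinTypes -contains $_ })) {
        $findings += 'No TPM+PIN key protector: a TPM-only protector unlocks the drive with no user input.'
    }
    return ,$findings
}

function Set-ColdBootMitigations {
    powercfg /hibernate on | Out-Null
    foreach ($setting in 'LIDACTION', 'PBUTTONACTION', 'SBUTTONACTION') {
        powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS $setting $Hibernate | Out-Null
        powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS $setting $Hibernate | Out-Null
    }
    # Timeouts are in minutes; 0 disables that transition entirely.
    powercfg /change standby-timeout-ac 0
    powercfg /change standby-timeout-dc 0
    powercfg /change hibernate-timeout-ac 30
    powercfg /change hibernate-timeout-dc 15
    powercfg /setactive SCHEME_CURRENT | Out-Null
}

if ($Remediate) { Set-ColdBootMitigations }
$findings = Get-ColdBootFindings
if ($findings.Count -eq 0) {
    Write-Host 'OK: no sleep state reachable and BitLocker requires a PIN at startup.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it from an elevated prompt to get a list of findings, and with -Remediate to switch every lid, button and idle transition to hibernate. The PIN protector is deliberately reported rather than added: the "Require additional authentication at startup" Group Policy must permit TPM+PIN first, after which an administrator can add it interactively with Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN'). On Macs without a T2 chip the equivalent control is the firmware password Apple recommends above.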

Segerdahl and Saarinen are due to present their research at the SEC-T conference in Sweden this week, and at Microsoft’s BlueHat v18 in the US on September 27. ®

Biting the hand that feeds IT © 1998–2022