Video If you can steal someone's laptop, leave it switched on in sleep mode, crack it open, hook up some electronics to alter settings in the BIOS firmware, restart it, and boot into a custom program... you can swipe crypto keys and other secrets from the system.
When computers are restarted, the motherboard firmware can wipe the RAM clean to remove any lingering data. It is possible to, while a stolen machine is still in sleep mode, reprogram the firmware's settings to disable this memory zero'ing, and then reboot it into a custom operating system on a USB stick or similar that then scans the RAM for any sensitive information. This information can be used to decrypt encrypted hard drives, and so on.
Whether or not it's easier than smacking the laptop owner with a two-by-four until they give up their login password is, well, an exercise left to our more sociopathic readers.
F-Secure's Olle Segerdahl and Pasi Saarinen this week detailed their memory-slurping technique, effectively bringing cold boot attacks out of the deep freeze from 2008 and putting them back into play. The pair reckon the approach will work against nearly all modern laptops, including Apple Macs.
The hack is tricky, though once mastered, it can be replicated on any purloined machine. Below is a video demo'ing the attack.
F-Secure shared its research with Microsoft, Intel, and Apple. The security biz helped the Windows maker update its guidance on Bitlocker to mitigate against this type of data theft. According to Cupertino, Macs fitted with an Apple T2 chip are not at risk, and older machines can be protected by setting a firmware password.
“It takes some extra steps compared to the classic cold boot attack, but it’s effective against all the modern laptops we’ve tested. And since this type of threat is primarily relevant in scenarios where devices are stolen or illicitly obtained, it’s the kind of thing an attacker will have plenty of time to execute,” explained Segerdahl, principal security consultant at F-Secure.
“A quick response that invalidates access credentials will make stolen laptops less valuable to attackers,“ he added.
F-Secure further advises companies to configure laptops so that hackers attempting this or similar variants of cold boot attacks will be left with nothing to steal:
Olle and Pasi recommend that IT departments configure all company computers to either shut down or hibernate (not enter sleep mode) and require users to enter their Bitlocker PIN whenever they power up or restore their computers. This is especially important for company executives (or other employees with access to sensitive info) and employees that travel (who are more likely to leave their laptops in hotel rooms, taxi cabs, restaurants, or airports).
An attacker could still perform a successful cold boot attack against machines configured like this. But encryption keys aren’t stored in the RAM when a machine hibernates or shuts down. So there’s no valuable info for an attacker to steal.
Segerdahl and Saarinenare are due to present their research at the SEC-T conference in Sweden this week, and at Microsoft’s BlueHat v18 in the US on September 27. ®