A team of security researchers announced that most modern computers, including those with disk encryption, are vulnerable to a new attack that lets attackers steal encryption keys and other sensitive data, such as passwords and the sensitive files of major companies and others, within minutes.
This new attack, presented today at the SEC-T security conference in Sweden, is a new form of the cold boot attack, which has been known for nearly a decade. It tampers with a computer's firmware to disable security measures, allowing an attacker to recover sensitive data stored on that computer. The attack works against almost all modern computers, including desktops and laptops from some of the world's largest suppliers such as Dell, Lenovo, and even Apple.
A team of security researchers at the Finnish cyber security company F-Secure tested a number of laptops and discovered that the firmware security measures present in each tested laptop had a number of vulnerabilities that allowed data theft. The researchers say that attackers with physical access to a target computer could exploit these vulnerabilities to perform a successful cold boot attack, allowing them to steal encryption keys and other sensitive information.
"These vulnerabilities put almost all desktop and laptop computers - whether running Windows or Apple devices running macOS - at risk," said Olle Segerdahl, Senior Security Consultant at F-Secure.
In a cold boot attack, an attacker forces a computer to reset or reboot and then steals any data remaining in the device's RAM. These attacks require physical access to the device and special hardware. Generally, this type of attack does not target ordinary users, but only computers that store highly sensitive information, or individuals in sensitive positions such as government officials or businessmen.
Over the years, operating system makers and computer vendors have implemented several security measures to reduce the impact of cold boot attacks if they occur. One of these measures is for computers to overwrite the contents of RAM when the computer is restarted. Researchers from F-Secure discovered that they could disable this feature by modifying firmware settings and then steal data from the computer's RAM after a reboot. "It takes a few extra steps, but it's easy to exploit," Segerdahl said.
"It's not exactly something attackers looking for soft targets would use, but it's the kind of method that hackers looking for a larger phishing operation like a bank or a large organization would use."
It is worth noting that if someone has physical access to your computer, the chances of your data being stolen are usually higher. That's why many people use disk encryption — such as BitLocker built into Windows and FileVault for Apple Macs — to scramble and protect data when the device is turned off.
But the researchers found that in almost all cases they could still steal BitLocker- and FileVault-protected data, even with that encryption enabled on the device.
The researchers say this method will work against almost all modern computers, so they've already reported their findings to major companies like Microsoft, Intel, and Apple before publishing them.
Microsoft responded by updating the guidelines for BitLocker built into its operating system, while Apple said that all devices using the T2 chip were not vulnerable.
Both Microsoft and Apple have downplayed the potential risks of such attacks. Pointing to the requirement that an attacker needs physical access to a device, Microsoft encouraged its customers to "practice good security habits, including preventing unauthorized physical access to their devices." Apple said it is looking into measures to protect Macs that don't support the T2 chip.
As for companies, the researchers recommend that system administrators and information technology departments configure company computers to shut down or hibernate (not sleep) and have users enter their BitLocker PIN when they turn on their device.
The researchers said: “Cold boot attacks will continue to work, but by encrypting the hard drive via BitLocker or another similar system, this limits the amount of data an attacker can obtain, and encryption keys are not stored in RAM when the device is turned off or in hibernate mode, so there is no valuable information for hackers to steal.”
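The recommendation above (shut down or hibernate instead of sleep, plus a BitLocker PIN at power-on) can be checked per machine. The following audit sketch is an added example, not code from F-Secure or Microsoft: the function name `Test-ColdBootPosture` and its `-SleepAvailable` parameter are hypothetical, and the sample volumes are constructed objects shaped like `Get-BitLockerVolume` output.

```powershell
# Added example. Input objects mirror the MountPoint, VolumeType, ProtectionStatus
# and KeyProtector properties of Get-BitLockerVolume output.
function Test-ColdBootPosture {
    param(
        [Parameter(Mandatory)] [object[]] $Volume,
        # Hypothetical parameter: $true if the machine can enter sleep
        # (check the states listed by `powercfg /a`).
        [Parameter(Mandatory)] [bool] $SleepAvailable
    )
    $findings = @()
    foreach ($v in $Volume) {
        if ("$($v.ProtectionStatus)" -ne 'On') {
            $findings += "$($v.MountPoint) BitLocker protection is not on"
            continue
        }
        # The power-on PIN only applies to the operating system volume.
        if ("$($v.VolumeType)" -ne 'OperatingSystem') { continue }
        # A pre-boot PIN shows up as a TpmPin or TpmPinStartupKey key protector.
        $types = @($v.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        if (-not ($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey' })) {
            $findings += "$($v.MountPoint) has no pre-boot PIN protector (found: $($types -join ', '))"
        }
    }
    if ($SleepAvailable) {
        $findings += 'Sleep is available; keys stay in RAM while asleep. Use shut down or hibernate.'
    }
    return $findings
}

# Constructed sample input (not taken from a real machine).
$sampleVolumes = @(
    [pscustomobject]@{
        MountPoint = 'C:'; VolumeType = 'OperatingSystem'; ProtectionStatus = 'On'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'Tpm' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
        )
    },
    [pscustomobject]@{
        MountPoint = 'D:'; VolumeType = 'Data'; ProtectionStatus = 'Off'
        KeyProtector = @()
    }
)
Test-ColdBootPosture -Volume $sampleVolumes -SleepAvailable $true

# On a real Windows host, from an elevated prompt:
# Test-ColdBootPosture -Volume (Get-BitLockerVolume) -SleepAvailable $true
```

For the constructed input, the function reports three findings: the TPM-only `C:` volume lacks a PIN protector, `D:` is unprotected, and sleep is still available.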