Nearly 'all modern computers' affected by cold boot attack, researchers warn

Remigio Civitarese
September 14, 2018

According to security firm F-Secure, nearly every computer is vulnerable to this type of attack. The newly-found vulnerability apparently enables a malicious party to carry out an attack on a computer that they can access physically.

But the F-Secure researchers found a way to bypass that memory overwrite by additionally attacking the BIOS/UEFI firmware that boots the machine and overwrites the memory.

A research report published by F-Secure has unearthed a new flaw that leaves most devices, including those equipped with disk encryption, vulnerable to an attack that could steal personal data within minutes. Cold boot attacks can steal data from a computer's RAM, where sensitive information is briefly stored after a forced reboot.

All cold boot attacks require physical access and special hardware tooling to perform, and are generally not considered a threat vector for normal users, but only for computers storing highly-sensitive information, or for high-value individuals such as government officials or businessmen.

"The attack exploits the fact that the firmware settings governing the behaviour of the boot process are not protected against manipulation by a physical attacker", F-Secure wrote in a blog post. This new variation on the attack manipulates the firmware settings, overwrites the non-volatile memory chip that triggers the RAM content to be flushed, and allows booting from an external drive such as a USB stick.

According to the researchers, "nearly all" modern computers are vulnerable to the attack, including laptops from major manufacturers such as Dell, Lenovo, and even Apple.

But F-Secure principal security consultant Olle Segerdahl, along with other researchers from the security outfit, claims they've discovered a way to disable that safety measure and extract data using the ten-year-old cold boot attack method.

There's no immediate fix available for the new vulnerability, F-Secure said.

F-Secure's researchers presented their findings at a conference in Sweden on Thursday, and are set to present them again at Microsoft's security conference on September 27. F-Secure's description of the attack seems intentionally vague on how exactly you modify the firmware security, but we are assured it's "simple".

Their attack works on computers in sleep mode, since shut down and hibernation actions cut off the power, and cause the residual memory to quickly degrade beyond recovery.

In the meantime, Olle and Pasi recommend that system administrators and IT departments configure all company computers to either shut down or hibernate (not enter sleep mode) and require users to enter their BitLocker PIN whenever they power up or restore their computers.
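
One way to audit a Windows machine against these two recommendations, as an added example that is not F-Secure's code or part of the original article. It assumes sleep is disabled through the "Allow standby states (S1-S3) when sleeping" Group Policy setting and that the operating system volume is the one protected by BitLocker; it only reports and changes nothing.

```powershell
#Requires -RunAsAdministrator
# Added example: report whether this machine follows the two recommendations
# (no sleep mode; BitLocker pre-boot PIN). Read-only.

$findings = [System.Collections.Generic.List[string]]::new()

# Group Policy "Allow standby states (S1-S3) when sleeping" is stored under
# this key; 0 means sleep is disabled, a missing value means "not configured".
$standbyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\' +
              'abfc2519-3608-4c2a-94ea-171b0ed546ab'
foreach ($name in 'ACSettingIndex', 'DCSettingIndex') {
    $value = (Get-ItemProperty -Path $standbyKey -Name $name `
                               -ErrorAction SilentlyContinue).$name
    if ($value -ne 0) {
        $findings.Add("Sleep (S1-S3) is not disabled by policy: $name")
    }
}

# The OS volume must be protected, and one of its key protectors must
# require a PIN before the TPM releases the volume key.
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ([string]$osVolume.ProtectionStatus -ne 'On') {
    $findings.Add("BitLocker protection is not on for $env:SystemDrive")
}

$pinTypes = 'TpmPin', 'TpmPinStartupKey'
$pinProtectors = @($osVolume.KeyProtector |
    Where-Object { [string]$_.KeyProtectorType -in $pinTypes })
if ($pinProtectors.Count -eq 0) {
    $findings.Add("No TPM+PIN key protector on $env:SystemDrive")
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: sleep disabled by policy and BitLocker requires a PIN.'
    exit 0
}

$findings | ForEach-Object { Write-Output "FINDING: $_" }
exit 1
```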

The first cold-boot attack was developed a decade ago. The researchers have already notified Microsoft, Intel, and Apple of their findings.

Apple responded by pointing to the latest generation of Macs, which have the T2 chip that does the encryption separately from the CPU and makes such an attack harder to execute.
