Sleeping Computers Are Vulnerable to New Cold Boot Attack

New Firmware Flaws Resurrect Cold Boot Attack

New Cold Boot Attack

Since 2008, cold boot attacks have been around. And an attacker forces a computer to reboot and then steals any data stored in the RAM including sensitive information like passwords, encryption keys and personal documents that are open before the device reboot.

Over the year, OS manufacturers and hardware vendors have taken various security measures to reduce the impact of cold boot attacks. And one protection is the computers would overwrite RAM contents when restoring the power after a cold boot.

However, security researchers from F-Secure, a Finnish cyber-security firm have discovered that they can modify firmware settings to disable this feature and steal data saved in the computer RAM after a cold reboot. And their way requires physical access and a special tool to extract leftover RAM.

F-Secure Principal Security Consultant Olle Segerdahl uses a tool to overwrite the non-volatile memory chip that triggers the RAM content to be flushed, disable memory overlays and allow booting from external devices like a USB memory stick to perform a cold boot attack.

This bug affects nearly all computers, including desktop, all-in-one machines, and laptops. The good news is that the attack cannot be executed remotely and requires physical access to the device.

Protect Yourself from Cold Boot Attacks

F-Secure says that computer vendors don’t have an easy way to fix the attack since there is always a method to pull data off the system’s RAM.

To limit these types of attacks, users and businesses can prevent tampering with the system’s BIOS Settings by using firmware passwords. And it is strongly recommended to retype the PIN code after rebooting a computer if the disk is encrypted with Windows BitLocker.

Besides, keep your computers in a secure place since this attack requires physical access to the target OS.

F-Secure also suggests adjusting the Settings to allow the PC to automatically hibernate or shut down after turning off the screen rather than putting the computer to sleep mode. Although some cached RAM data can be retrieved, encryption keys are cleared from RAM.

According to F-Secure in a press release, “Encryption keys aren’t stored in the RAM when a machine hibernates or shuts down. So there’s no valuable info for an attacker to steal”.

Since the attack could affect all modern computers, now F-secure has notified all suppliers, including Dell, Apple, Lenovo, and Microsoft. And Microsoft has responded by updating its BitLocker guidance while Apply claims that its MacBook with the T2 chip won’t be vulnerable.

Olle also has shared his research with Intel, Microsoft and Apple to help the PC industry improve the current and future safety hazard of its products. He also advises companies to be prepared to solve network problems.

Actually, as for cold boot attack protection, the best defense against this type of attack is to completely shut down your computer after each use. But if you have a PC backup, this can protect your data to a certain extent.