
The New Cold Boot Attack Leaves Most Systems Vulnerable

November 4, 2019


Security researchers have found that almost “all modern computers” are vulnerable to a modified version of the decade-old cold boot attack.

This new version, demonstrated by a Finnish company last year, tampers with the machine’s firmware settings to switch off the protection that is supposed to wipe RAM at boot. With that safeguard gone, an attacker with physical access can recover whatever was sitting in memory, including the disk encryption keys of a machine with full disk encryption, passwords, and corporate files.

What Is a Cold Boot Attack?

A cold boot attack is a way of pulling encryption keys and other secrets out of a computer that has been left physically unattended. It was first demonstrated publicly in 2008, and it works because data lingers in a computer’s RAM for a short time after power is cut. Full disk encryption does not help on its own: while an encrypted volume is mounted, including while the machine is asleep, the key has to be in RAM.

Under normal operating conditions, DRAM is refreshed roughly every 64 milliseconds, and individual cells are engineered to hold their charge at least that long. Heat and heavy load shorten the retention time, so more frequent refreshes are needed; cooling has the opposite effect. Chilled to -50°C or below (an upside-down can of compressed air is enough), DRAM can hold its contents for tens of seconds or longer with no refresh at all. The attacker cools the modules, cuts power abruptly, and then either reboots the machine into a small memory-dumping program or pulls the frozen modules while they are still cold.

In the second case the modules are read in a different system equipped with software that dumps their contents, and the image is saved to the internal hard drive or to an external unit. The dump is then searched offline for key material.
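The offline search is the step worth seeing in code. The following Python is an added illustration, not code from the article or from F-Secure: it scans a memory image for AES-128 keys the way the 2008 Princeton keyfinder does. A disk encryption driver keeps the expanded key schedule in RAM next to the key, and the schedule is a deterministic function of the key, so any 16-byte window that is immediately followed by its own schedule is almost certainly a key. The memory image is constructed inline (pseudo-random filler with a known test key’s schedule embedded, optionally with a few simulated decayed bits); the error tolerance, the offsets and the function names are this example’s own choices.

```python
"""Added example, not from the article: recover AES-128 keys from a memory image
by searching for the expanded key schedule that sits next to the key in RAM."""
import random

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _rotl8(x: int, s: int) -> int:
    return ((x << s) | (x >> (8 - s))) & 0xFF


def _build_sbox() -> list:
    """AES S-box: multiplicative inverse in GF(2^8) followed by the affine map."""
    sbox = [0] * 256
    p = q = 1                      # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1                                             # q /= 3
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                 # zero has no inverse; handled separately
    return sbox


SBOX = _build_sbox()


def _next_word(w: list, i: int) -> bytes:
    """Word i of the AES-128 key schedule from the previous words (FIPS-197 5.2)."""
    t = bytearray(w[i - 1])
    if i % 4 == 0:
        t = bytearray(SBOX[b] for b in t[1:] + t[:1])   # RotWord then SubWord
        t[0] ^= RCON[i // 4 - 1]
    return bytes(a ^ b for a, b in zip(w[i - 4], t))


def expand_key(key: bytes) -> bytes:
    """16-byte AES-128 key -> 176-byte schedule (the key followed by 10 round keys)."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        w.append(_next_word(w, i))
    return b"".join(w)


def _schedule_mismatch(image: bytes, off: int, max_errors: int) -> int:
    """Count bytes where the schedule derived from image[off:off+16] differs from
    the 160 bytes that follow it; give up early once max_errors is exceeded.
    The schedule is derived from the candidate key only, so a decayed byte in
    the image never cascades into later comparisons."""
    w = [image[off + 4 * i:off + 4 * i + 4] for i in range(4)]
    errors = 0
    for i in range(4, 44):
        word = _next_word(w, i)
        w.append(word)
        errors += sum(a != b for a, b in zip(word, image[off + 4 * i:off + 4 * i + 4]))
        if errors > max_errors:
            break
    return errors


def find_aes128_keys(image: bytes, max_errors: int = 0) -> list:
    """Return [(offset, key, mismatched_bytes)] for every 16-byte window that is
    followed by its own key schedule, tolerating up to max_errors decayed bytes
    among the 160 schedule bytes.  The 16 key bytes themselves must be intact."""
    hits = []
    for off in range(len(image) - 176 + 1):
        errors = _schedule_mismatch(image, off, max_errors)
        if errors <= max_errors:
            hits.append((off, bytes(image[off:off + 16]), errors))
    return hits


def build_sample_image(key: bytes, size: int = 4096, key_offset: int = 1000,
                       flipped_bits: int = 0, seed: int = 1) -> bytes:
    """Constructed stand-in for a RAM dump (assumption, not real data): pseudo-random
    filler with the key and its schedule embedded at key_offset.  flipped_bits random
    bit flips in the round keys (never in the key itself) mimic cells that lost their
    charge.  Real decay is biased toward a per-region ground state, not uniform."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    schedule = bytearray(expand_key(key))
    for _ in range(flipped_bits):
        schedule[rng.randrange(16, 176)] ^= 1 << rng.randrange(8)
    image[key_offset:key_offset + 176] = schedule
    return bytes(image)


if __name__ == "__main__":
    # Key from FIPS-197 Appendix A, used here only as a known test value.
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    for flips in (0, 3):
        image = build_sample_image(key, flipped_bits=flips)
        print(f"{flips} decayed bits, strict scan:  ", find_aes128_keys(image))
        print(f"{flips} decayed bits, tolerant scan:", find_aes128_keys(image, max_errors=4))
```

Two caveats a practitioner would want. First, this simplified scanner requires the 16 key bytes to have survived; the Princeton tool goes further and reconstructs a partially decayed key from the redundancy in the schedule. Second, the same loop works on a raw dump written out by a boot-time dumper, but on a multi-gigabyte image the per-offset work should be done in C with a cheap pre-filter on the first schedule word rather than in pure Python.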

With physical access to the computer, the attack takes about five minutes to pull off. For the average person it is not a common threat, since it requires hands-on access to the machine as well as some special tooling.

The realistic targets are machines that hold highly sensitive information for an organization, such as corporate or government systems, and in particular laptops that travel with that data on them.

In 2018, researchers at the Finnish cyber-security firm F-Secure said they had found a way to disable the memory-overwrite protection specified by the Trusted Computing Group (TCG) and extract data with a cold boot attack.

“It takes some extra steps compared to the classic cold boot attack, but it’s effective against all the modern laptops we’ve tested,” said F-Secure Principal Security Consultant Olle Segerdahl. “It’s not exactly the kind of thing that attackers looking for easy targets will use. But it is the kind of thing that attackers looking for bigger phish, like a bank or a large enterprise, will know how to use,” he added. 

Since there is no firmware fix that removes the problem, F-Secure recommends that any machine storing sensitive data be configured to shut down or hibernate when the lid is closed, rather than sleep. The distinction matters: in sleep (suspend-to-RAM) the memory stays powered and the disk encryption key stays in it, whereas hibernation writes the system state to the encrypted disk and powers the RAM off, as a shutdown does.

Industry Response to Cold Boot Attacks

Hardware vendors and OS makers have shipped mitigations that reduce the effectiveness of cold boot attacks, even though the attacks cannot be stopped outright. The main one, specified by the TCG, is to have the firmware overwrite the contents of RAM when power is restored after an abrupt reset, so that rebooting into an attacker’s memory-dumping tool finds nothing useful. F-Secure showed that the firmware setting controlling this overwrite can be rewritten by someone with physical access, which turns the protection off.

At this time there is no easy fix available to vendors, which makes cold boot attacks a threat that companies and end users must manage themselves. F-Secure recommends four measures: require a BitLocker PIN at power-on or resume, configure computers to shut down or hibernate instead of sleeping, keep laptops physically secure and report missing devices promptly, and have an incident response plan for missing devices. The PIN matters because with TPM-only BitLocker the volume key is unsealed and loaded into RAM before anyone logs in; with a pre-boot PIN, nothing is in memory until the PIN has been entered.

In response to this threat, Microsoft updated its BitLocker configuration guidance to require a pre-boot PIN and to disable sleep (suspend-to-RAM), allowing only hibernation.

Apple said that systems equipped with the T2 security chip are not affected because they contain security measures designed to protect devices from this type of attack.  

More recently, AMD quietly launched the business-focused Ryzen Pro 3000 CPUs. The line-up includes Memory Guard, full system memory encryption that defends against cold boot attacks: what can be read out of chilled DIMMs is ciphertext, and the key never leaves the processor. “Designed specifically to efficiently data-crunch, design, compose, and create – AMD Ryzen Pro and Athlon Pro processors accelerate enhanced business productivity while offering protection safeguards with built-in security features, such as full system memory encryption and a dedicated, on-die security processor”, noted Saied Moshkelani, senior vice president and general manager of AMD Client Compute.