SoylentNews is people

posted by martyb on Friday September 14 2018, @04:58AM
from the hot-on-the-trail dept.

Security flaw in 'nearly all' modern PCs and Macs exposes encrypted data - A firmware bug means existing security measures "aren't enough to protect data in lost or stolen laptops," says new security research

Most modern computers, even devices with disk encryption, are vulnerable to a new attack that can steal sensitive data in a matter of minutes, new research says. In new findings published Wednesday, F-Secure said that none of the existing firmware security measures in every laptop it tested "does a good enough job" of preventing data theft.

F-Secure principal security consultant Olle Segerdahl told TechCrunch that the vulnerabilities put "nearly all" laptops and desktops — both Windows and Mac users — at risk. The new exploit is built on the foundations of a traditional cold boot attack, which hackers have long used to steal data from a shut-down computer. Modern computers overwrite their memory when a device is powered down to scramble the data from being read. But Segerdahl and his colleague Pasi Saarinen found a way to disable the overwriting process, making a cold boot attack possible again.

"It takes some extra steps," said Segerdahl, but the flaw is "easy to exploit." So much so, he said, that it would "very much surprise" him if this technique isn't already known by some hacker groups. "We are convinced that anybody tasked with stealing data off laptops would have already come to the same conclusions as us," he said.

It's no secret that if you have physical access to a computer, the chances of someone stealing your data are usually greater. That's why so many use disk encryption — like BitLocker for Windows and FileVault for Macs — to scramble and protect data when a device is turned off. But the researchers found that in nearly all cases they can still steal data protected by BitLocker and FileVault regardless.

[...] Their findings were shared with Microsoft, Apple, and Intel prior to release. According to the researchers, only a smattering of devices aren't affected by the attack. Microsoft said in a recently updated article on BitLocker countermeasures that using a startup PIN can mitigate cold boot attacks, but Windows users with "Home" licenses are out of luck. And, any Apple Mac equipped with a T2 chip is not affected, but a firmware password would still improve protection.

In the meantime, don't let the feds seize your systems.

F-Secure blog post.
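
An added example, not part of the submitted story or of Microsoft's article: a PowerShell audit that reports whether the BitLocker operating-system volume actually has the startup PIN the story names as the mitigation, or is unlocked by the TPM alone. The function name `Get-PreBootPinStatus` is hypothetical; it assumes an elevated session on a Windows edition that ships the BitLocker module (`Get-BitLockerVolume`).

```powershell
# Added example, not from the story or from Microsoft's article.
# Flags BitLocker OS volumes whose key is released by the TPM alone,
# i.e. without the startup PIN the story cites as the mitigation.

# Key protector types that require a PIN before the OS boots.
$PinProtectors = @('TpmPin', 'TpmPinStartupKey')

function Get-PreBootPinStatus {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # A volume object as returned by Get-BitLockerVolume.
        [Parameter(Mandatory, ValueFromPipeline)]
        $Volume
    )
    process {
        # The startup PIN applies to the OS volume; skip data volumes.
        if ("$($Volume.VolumeType)" -ne 'OperatingSystem') { return }

        # Collect protector type names, ignoring an empty protector list.
        $types = @($Volume.KeyProtector | Where-Object { $_ } |
                   ForEach-Object { "$($_.KeyProtectorType)" })
        $hasPin = @($types | Where-Object { $PinProtectors -contains $_ }).Count -gt 0

        if ("$($Volume.ProtectionStatus)" -ne 'On') {
            $finding = 'Protection is off or suspended'
        } elseif ($hasPin) {
            $finding = 'OK: startup PIN required'
        } elseif ($types -contains 'Tpm') {
            $finding = 'TPM-only: volume unlocks at boot without a PIN'
        } else {
            $finding = 'No TPM+PIN protector found; review manually'
        }

        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Protectors = $types -join ', '
            HasPin     = $hasPin
            Finding    = $finding
        }
    }
}

Get-BitLockerVolume | Get-PreBootPinStatus | Format-Table -AutoSize
```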


  • (Score: 2) by jmorris on Friday September 14 2018, @05:19AM (2 children)

    Even the F-Secure info is almost content free. HOW they are bypassing the BIOS protections isn't mentioned. All this DRM bullcrap, far more than needed to keep US out of our machines and yet they still aren't really securing the boot process? USB boot can be re-enabled? They don't say so we have to make guesses.

    My best guess is they are hooking up a BusPirate and diddling the SPI Flash with the BIOS and settings. It isn't being authenticated against tampering? Were they really that dumb? All that trouble to sign everything, keyrings and certificates out the effing wazoo and the BIOS settings are wide open?

  • (Score: 1) by shrewdsheep on Friday September 14 2018, @09:15AM (1 child)

    Maybe you can fill in some further information for the uninitiated (like myself)?

    My current understanding is that RAM content degrades within at most minutes if not seconds after a computer is switched off. So this attack only works on freshly powered-off computers? Or does the computer still have to be switched on, then rebooted with the attack-USB? How about errors from RAM-content degradation?

    • (Score: 2) by jmorris on Friday September 14 2018, @05:15PM

      That is a different attack. They simply yank the RAM outta a running computer and quickly try to read them before they degrade. Also hear of demonstrations of getting useful info out of machines switched off for minutes, but those seem more hype. Errors are expected, but getting all but a few bits in an encryption key is almost as good as 100% since it cuts the search space from "heat death of the universe" run times to something manageable. Cooling the RAM before yanking apparently prolongs the retention time, sometimes greatly.

      This seems to be taking a machine that is either running (assuming screen is locked) or suspended, with RAM perfectly intact, jacking with the BIOS and then cold booting to a USB recovery stick so they can go after the parts of RAM not overwritten. And if they boot something tiny enough, most of the more interesting bits wouldn't be.