
posted by martyb on Friday September 14 2018, @04:58AM
from the hot-on-the-trail dept.

Security flaw in 'nearly all' modern PCs and Macs exposes encrypted data - A firmware bug means existing security measures "aren't enough to protect data in lost or stolen laptops," says new security research

Most modern computers, even devices with disk encryption, are vulnerable to a new attack that can steal sensitive data in a matter of minutes, new research says. In new findings published Wednesday, F-Secure said that none of the existing firmware security measures in every laptop it tested "does a good enough job" of preventing data theft.

F-Secure principal security consultant Olle Segerdahl told TechCrunch that the vulnerabilities put "nearly all" laptops and desktops — both Windows and Mac users — at risk. The new exploit is built on the foundations of a traditional cold boot attack, which hackers have long used to steal data from a shut-down computer. Modern computers overwrite their memory when a device is powered down to scramble the data from being read. But Segerdahl and his colleague Pasi Saarinen found a way to disable the overwriting process, making a cold boot attack possible again.

"It takes some extra steps," said Segerdahl, but the flaw is "easy to exploit." So much so, he said, that it would "very much surprise" him if this technique isn't already known by some hacker groups. "We are convinced that anybody tasked with stealing data off laptops would have already come to the same conclusions as us," he said.

It's no secret that if someone has physical access to a computer, the chances of them stealing your data are usually greater. That's why so many use disk encryption — like BitLocker for Windows and FileVault for Macs — to scramble and protect data when a device is turned off. But the researchers found that in nearly all cases they can still steal data protected by BitLocker and FileVault regardless.

[...] Their findings were shared with Microsoft, Apple, and Intel prior to release. According to the researchers, only a smattering of devices aren't affected by the attack. Microsoft said in a recently updated article on BitLocker countermeasures that using a startup PIN can mitigate cold boot attacks, but Windows users with "Home" licenses are out of luck. And any Apple Mac equipped with a T2 chip is not affected, but a firmware password would still improve protection.

In the meantime, don't let the feds seize your systems.

F-Secure blog post.
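The Microsoft guidance quoted above says a TPM-only BitLocker configuration does not stop a cold boot attack but a startup PIN does. As an added example (not code from the story, TechCrunch, or F-Secure), the PowerShell below audits each BitLocker volume's key protectors and flags any protected volume that unlocks with the TPM alone. It assumes the BitLocker module's Get-BitLockerVolume cmdlet (Pro/Enterprise editions) and an elevated prompt; the function name is my own.

```powershell
# Added example: list BitLocker volumes and flag those whose only automatic
# unlock path is the TPM (no startup PIN), the configuration Microsoft's
# countermeasures article says is still exposed to cold boot attacks.
# Assumes: BitLocker module available, run from an elevated PowerShell.
function Get-BitLockerColdBootExposure {
    [CmdletBinding()]
    param()

    # One object per volume; KeyProtector holds the configured protectors.
    $volumes = Get-BitLockerVolume
    foreach ($v in $volumes) {
        $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # A PIN-bearing protector means the key is not released before boot
        # without user input, so a reboot into other media sees no live key.
        $hasPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        $tpmOnly = ($types -contains 'Tpm') -and (-not $hasPin)

        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeType       = $v.VolumeType
            ProtectionStatus = $v.ProtectionStatus
            Protectors       = ($types -join ',')
            # Exposed: encryption is on, but the drive auto-unlocks with TPM alone.
            ColdBootExposed  = (($v.ProtectionStatus -eq 'On') -and $tpmOnly)
        }
    }
}

Get-BitLockerColdBootExposure | Format-Table -AutoSize
```

To move an exposed OS volume to TPM+PIN, the "Require additional authentication at startup" Group Policy must allow a PIN first; then `Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector` prompts for one. Home editions lack the BitLocker module, which matches the story's note that those users are out of luck.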


  • (Score: 2) by jmorris on Friday September 14 2018, @05:19AM (2 children)

    by jmorris (4844) on Friday September 14 2018, @05:19AM (#734713)

    Even the F-Secure info is almost content-free. HOW they are bypassing the BIOS protections isn't mentioned. All this DRM bullcrap, far more than needed to keep US out of our machines, and yet they still aren't really securing the boot process? USB boot can be re-enabled? They don't say, so we have to make guesses.

    My best guess is they are hooking up a BusPirate and diddling the SPI Flash with the BIOS and settings. It isn't being authenticated against tampering? Were they really that dumb? All that trouble to sign everything, keyrings and certificates out the effing wazoo and the BIOS settings are wide open?

    • (Score: 1) by shrewdsheep on Friday September 14 2018, @09:15AM (1 child)

      by shrewdsheep (5215) on Friday September 14 2018, @09:15AM (#734750)

      Maybe you can fill in some further information for the uninitiated (like myself)?

      My current understanding is that RAM content degrades within at most minutes, if not seconds, after a computer is switched off. So this attack only works on freshly powered-off computers? Or does the computer still have to be switched on, then rebooted with the attack USB? How about errors from RAM-content degradation?

      • (Score: 2) by jmorris on Friday September 14 2018, @05:15PM

        by jmorris (4844) on Friday September 14 2018, @05:15PM (#734914)

        That is a different attack. They simply yank the RAM outta a running computer and quickly try to read it before it degrades. Also heard of demonstrations of getting useful info out of machines switched off for minutes, but those seem more hype. Errors are expected, but getting all but a few bits of an encryption key is almost as good as 100%, since it cuts the search space from "heat death of the universe" run times to something manageable. Cooling the RAM before yanking apparently prolongs the retention time, sometimes greatly.

        This seems to be taking a machine that is either running (assuming the screen is locked) or suspended, with RAM perfectly intact, jacking with the BIOS and then cold booting to a USB recovery stick so they can go after the parts of RAM not overwritten. And if they boot something tiny enough, most of the more interesting bits wouldn't be.

  • (Score: 0) by Anonymous Coward on Friday September 14 2018, @06:23AM (2 children)

    by Anonymous Coward on Friday September 14 2018, @06:23AM (#734719)

    Old news is SO exciting! I seem to recall reading about this at least a few years ago. Also, there's an almost decade-old mitigation for this attack: https://www1.informatik.uni-erlangen.de/tresor

    So, the real question is, why haven't these mitigations been placed into common use? (I don't buy the "poor performance" excuse. Security is a trade-off. If you have something that needs to be resistant to a complex attack such as cold boot I doubt you care much about performance.) Perhaps it's a little bit TOO secure, and the terrorists at the NSA/GCHQ aren't having it. They can get a back door or three baked into a black-box TPM or crApple T2 chip easy enough, but maybe compromising open-source code that (ab)uses standard off the shelf hardware is a bit too close to infeasible for them. Also, why aren't we encrypting our RAM by default? EARTH TO AMD! COME IN AMD! You're already providing RAM encryption on your EPYC server chips (or so I've read) so why haven't you ported that over to your Ryzen chips?

    • (Score: 2) by bzipitidoo on Friday September 14 2018, @05:30PM (1 child)

      by bzipitidoo (4388) on Friday September 14 2018, @05:30PM (#734920) Journal

      There's a lot of bull around security -- security theater is just one problem. Users are prompted for logins even on the local machine that they have, and for which the hard drive is not encrypted. That's not real security, that's security against pet cats and children, and it's not even much good at that. Screen locks are no protection at all from the clumsy family member who spills a drink on the computer and fries it. Backups are the better solution to those, not more locks.

      Security is a hard problem. But we keep seeing stupid mistakes that lead to easy hacks. So all this hard drive encryption and BIOS password lock is easily bypassed with the old technique of cold booting.

      Security flaws have legitimate uses: jailbreaking, unlocking DRMed content you've paid for, and accessing your own computer when the password was lost or forgotten, or maliciously changed.

      Then there's the politics of it all. Do citizens have a right to security, or not? Law enforcement seems to think not, and they and governments purposely try to mess it up. The 3 letter agencies have a very hard time getting people to use anything they might release. Hardly anyone trusts them on that, and for good reason. They need their priorities set straight.

      And finally, in the clearly wrong camp are the black hats. They're out there breaking into bank accounts and taking money, rigging elections, falsifying test results, stealing identities, and so on. If the 3-letter agencies were really serving the public, the black hats would have a much harder time operating.

      • (Score: 2) by Lester on Friday September 14 2018, @06:54PM

        by Lester (6231) on Friday September 14 2018, @06:54PM (#734965) Journal

        > But we keep seeing stupid mistakes that lead to easy hacks

        Are you sure they are "stupid mistakes" and not backdoors?

  • (Score: 3, Funny) by realDonaldTrump on Friday September 14 2018, @06:39AM

    by realDonaldTrump (6614) on Friday September 14 2018, @06:39AM (#734722) Homepage Journal

    Example, when a certain country is attacking physically and stealing our Data, use the Cloud -- we win big. It's easy!

  • (Score: 2, Insightful) by Anonymous Coward on Friday September 14 2018, @07:17AM

    by Anonymous Coward on Friday September 14 2018, @07:17AM (#734726)

    Remember kids, this means traveling to the US. Or belonging to 2/3 of the US population. https://www.aclu.org/other/constitution-100-mile-border-zone

  • (Score: 2) by Gaaark on Friday September 14 2018, @11:23AM (3 children)

    by Gaaark (41) on Friday September 14 2018, @11:23AM (#734782) Journal

    Use Linux!

    *ducks*

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
    • (Score: 4, Funny) by takyon on Friday September 14 2018, @01:51PM (2 children)

      by takyon (881) on Friday September 14 2018, @01:51PM (#734816) Journal

      *penguins*

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
      • (Score: 2) by Gaaark on Friday September 14 2018, @02:08PM (1 child)

        by Gaaark (41) on Friday September 14 2018, @02:08PM (#734823) Journal

        Funny... and touché.
        :)

        • (Score: 0) by Anonymous Coward on Friday September 14 2018, @02:59PM

          by Anonymous Coward on Friday September 14 2018, @02:59PM (#734853)

          Pingwings
