Researchers have discovered a security flaw that is said to put nearly all modern computers at risk for data theft. The newly-found vulnerability apparently enables a malicious party to carry out an attack on a computer that they can access physically. Within minutes, the attackers can reportedly move past the security layers of a Windows or Mac PC to steal data, even if they are fully-encrypted. According to the latest report, access to user data is obtained via a 2008-style cold boot attack, where hackers steal information briefly stored in RAM when a computer is restarted without “following proper procedures”. Most modern computers overwrite RAM when they are powered down to prevent unauthorised access to data during a cold boot attack, but the researchers have found a way to disable the process.
Finnish cyber-security company F-Secure have discovered a flaw with nearly all modern desktops and latops that allow hackers to potentially steal sensitive information from your locked devices. They claim to have found a firmware vulnerability that can potentially let hackers with physical access to a computer turn off data overwriting. As mentioned, cold boot attacks, known since 2008, can steal data on a device’s RAM, where sensitive information is briefly stored after a forced reboot.
Most modern laptops own a safety mechanism to prevent cold boot attacks, but F-Secure’s team has discovered a flaw in that mechanism and it may allow hackers to disable the security firewall and carry our cold boot attacks. “It takes some extra steps compared to the classic cold boot attack, but it’s effective against all the modern laptops we’ve tested,” said F-Secure Principal Security Consultant, Olle Segerdahl.
“The attack exploits the fact that the firmware settings governing the behaviour of the boot process are not protected against manipulation by a physical attacker,” F-Secure wrote in a blog post. It added, “Using a simple hardware tool, an attacker can rewrite the non-volatile memory chip that contains these settings, disable memory overwriting, and enable booting from external devices. The cold boot attack can then be carried out by booting a special program off a USB stick.”
According to the researchers, “nearly all” modern computers are vulnerable to the attack, including laptops from major manufacturers such as Dell, Lenovo, and even Apple. F-Secure said it has contacted Microsoft, Intel, and Apple about its discovery. The researchers presented their findings at a conference in Sweden recently, and will present it again at Microsoft’s security conference on September 27.
Interestingly, the vulnerability cannot be fixed easily, and according to F-Secure, companies should be ready to deal with such attacks. F-Secure recommended that users should always either shut down or hibernate their laptop, never just place it in sleep mode. It suggested IT departments to “configure all company computers to either shut down or hibernate (not enter sleep mode) and require users to enter their BitLocker PIN whenever they power up or restore their computers. This is especially important for company executives (or other employees with access to sensitive info) and employees that travel (who are more likely to leave their laptops in hotel rooms, taxi cabs, restaurants, or airports).”
As per the report, companies like Microsoft, Apple, and Intel are working on mitigation strategies to stop this kind of attack. Apple has reportedly stated that the T2 Chip used in its Mac units already contains security measures to counter cold boot attacks. Apple has also asked users to set a firmware password for Mac devices that come without a T2 chip.