Security flaw gives attackers access to encrypted RAM data

Sep 13, 2018 11:33 GMT

In a presentation during the SEC-T security/hacking conference taking place in Stockholm, Sweden, F-Secure researchers Olle Segerdahl and Pasi Saarinen detailed how attackers can use a firmware exploit to disable security measures put in place by vendors and extract any encrypted data left in the RAM modules.

Cold boot attacks are attacks in which a malicious party with physical access to a computer steals encryption keys from its DRAM or SRAM memory modules after resetting or rebooting the machine.

The stolen encryption keys are then used to mount the protected volumes on the hard drive, allowing sensitive data to be extracted.

In this specific case, the ice-cold boot attack vector makes it possible to recover encryption keys from RAM once the attacker has physical access to the targeted device, and with them to decrypt data protected by either BitLocker or FileVault.

In addition to encryption keys, the F-Secure research team said that attacks using this firmware exploit could also get their hands on other sensitive material such as passwords or enterprise account credentials, basically anything left in RAM after the computer is shut down or rebooted.

As explained by the research team, laptops are the most vulnerable devices because their battery keeps the RAM modules powered for longer, which makes stealing the data simpler than on desktop computers.

This cold boot attack affects both Microsoft's BitLocker and Apple's FileVault

Moreover, laptops are at higher risk of being attacked this way because the attack requires the threat actors to have physical access to the computer and to move it to a secure place for the data extraction procedure.

The F-Secure researchers also confirmed that it is theoretically possible to hijack the RAM chips while the machine is running, with the caveat that physical access to the RAM chips is still required.

Although this entire situation looks terrible, there is still hope: as detailed in the conference talk, Apple confirmed that some of its computers, those equipped with the T2 chip (i.e., the iMac Pro and the 2018 MacBook Pro models), have additional hardware-level protections that successfully mitigate this attack vector.

Additionally, Apple recommends enabling a firmware password, and Microsoft recommends setting up a startup PIN, to help prevent unauthorized access by third parties.

Until a fix for this issue is available, companies and organizations should implement policies requiring all their employees to shut down computers or set them to go straight into hibernation because "encryption keys aren't stored in the RAM when a machine hibernates or shuts down. So there's no valuable info for an attacker to steal," said F-Secure's research team.
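As an added example, not from the article or from F-Secure, the PowerShell check below reports whether a Windows machine has the two mitigations just mentioned in place: a BitLocker protector on the system drive that requires a startup PIN, and hibernation enabled so that keys are not left in RAM. It assumes an elevated prompt on Windows 8 or later with the BitLocker PowerShell module available; the function name is ours.

```powershell
# Added example (not the article's or F-Secure's code).
# Reports whether the BitLocker startup-PIN and hibernation mitigations are in place.
# Run from an elevated PowerShell on Windows 8 / Server 2012 or later.

function Test-ColdBootMitigations {
    $osDrive = $env:SystemDrive               # usually "C:"
    $vol = Get-BitLockerVolume -MountPoint $osDrive

    # A TPM-only protector releases the volume key automatically during boot,
    # which is what a cold boot attacker relies on. A PIN (or PIN plus startup
    # key) protector only releases it after the user authenticates pre-boot.
    $pinTypes = @('TpmPin', 'TpmPinStartupKey')
    $hasPin = @($vol.KeyProtector |
        Where-Object { $pinTypes -contains $_.KeyProtectorType }).Count -gt 0

    # Hibernation writes memory to disk and powers DRAM down, so no keys stay
    # in RAM; ordinary sleep keeps the modules powered.
    $powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $hib = Get-ItemProperty -Path $powerKey -Name HibernateEnabled `
        -ErrorAction SilentlyContinue
    $hibernateOn = ($null -ne $hib -and $hib.HibernateEnabled -eq 1)

    [pscustomobject]@{
        Volume             = $osDrive
        ProtectionStatus   = $vol.ProtectionStatus
        KeyProtectors      = ($vol.KeyProtector.KeyProtectorType -join ', ')
        PreBootPinRequired = $hasPin
        HibernateEnabled   = $hibernateOn
        # Both mitigations present and protection actually switched on
        Mitigated          = ($vol.ProtectionStatus -eq 'On' -and $hasPin -and $hibernateOn)
    }
}

Test-ColdBootMitigations | Format-List
```

A result with PreBootPinRequired false means the drive unlocks with the TPM alone, which is the configuration the researchers' attack targets; `manage-bde -protectors -add C: -TPMAndPIN` is the documented way to add a PIN protector.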

SEC-T organizers have uploaded a video interview with the F-Secure researchers to YouTube, which adds more detail on the inner workings of this specific boot attack vector.

Furthermore, if you want to view their full SEC-T talk, you can do so in the video linked below:

UPDATED: 1. Changed the YouTube video link to point to the "SEC-T 0x0B: Olle Segerdahl & Pasi Saarinen - An ice-cold Boot to break BitLocker" presentation video instead of the live video stream from SEC-T 2018. 2. Added a link to the separate video interview after the presentation with extra information on how the cold boot attack discovered by the F-Secure team works.

Photo gallery (6 images): Cold Boot Attack; F-Secure demonstrating the attack; Data extraction.