New Cold Boot Attacks Leave Nearly All Laptops Susceptible to Hacks

Discussion in '[H]ard|OCP Front Page News' started by cageymaru, Sep 13, 2018.

  1. cageymaru

    cageymaru [H]ard|News

    Messages:
    18,661
    Joined:
    Apr 10, 2003
    Researchers have discovered a new way to defeat security designed to stop cold boot attacks. Sleep mode and cold/hard reboots leave critical information in the RAM of the device. The Trusted Computing Group (TCG) devised a system of overwriting the contents of the RAM when power is restored to the machine. The researchers have discovered a physical hack that rewrites firmware to disable memory overwriting and changes the settings to enable booting from an external device such as a USB stick. Even though the hack works on nearly all laptops, there are a few ways to protect yourself from the attack, such as enabling BitLocker and hibernation, and using firmware passwords.

    "It's not exactly easy to do, but it's not a hard enough issue to find and exploit for us to ignore the probability that some attackers have already figured this out," says Olle. "It's not exactly the kind of thing that attackers looking for easy targets will use. But it is the kind of thing that attackers looking for bigger phish, like a bank or large enterprise, will know how to use." And Olle thinks there's no easy fix available to PC vendors, so it's something companies and end users will have to deal with on their own.
     
    DejaWiz likes this.
  2. jpm100

    jpm100 [H]ardness Supreme

    Messages:
    7,115
    Joined:
    Oct 31, 2004
    Since a laptop is easily stolen, I'm sure someone will have a little 'lab' set up with all the steps automated to strip out any useful data before turning the laptop over to the black market. So "hard to do" probably does not apply to a theft situation.
     
  3. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    12,423
    Joined:
    Aug 16, 2004
    So, the laptop would have to be stolen AND either stay powered on or be in sleep mode for this to work.
     
    AceGoober and drescherjm like this.
  4. cageymaru

    cageymaru [H]ard|News

    Messages:
    18,661
    Joined:
    Apr 10, 2003
    Or a hard boot. Like hold the power button to shut it down instead of doing it properly.
     
  5. PaulP

    PaulP Gawd

    Messages:
    625
    Joined:
    Oct 31, 2016
    Any company today that issues laptops to its employees and does not use some sort of full drive encryption and a password-locked BIOS almost deserves to have its data stolen.
     
    lcpiper, mdburkey, cyclone3d and 2 others like this.
  6. Schtask

    Schtask Limp Gawd

    Messages:
    425
    Joined:
    Nov 29, 2011
    Yeah, this one is interesting. Requires sleep mode to work. Would need physical access to the device. Rewriting the settings of the TCG chip to prevent memory overwrite is a novel approach...but overall, there are many different and easier ways to skin a cat.
     
  7. SPARTAN VI

    SPARTAN VI [H]ardness Supreme

    Messages:
    6,920
    Joined:
    Jun 12, 2004
    This hack bypasses full disk encryption. It goes after what's stored in RAM, not what is on local storage. Top of the article: "even a laptop with full disk encryption, can cause serious security headaches."

    and

    "An attacker could still perform a successful cold boot attack against machines configured like this [full disk encryption]. But encryption keys aren’t stored in the RAM when a machine hibernates or shuts down. So there’s no valuable info for an attacker to steal."


    Edited for terminology and extended quote.
     
    Last edited: Sep 13, 2018
    DocNo likes this.
  8. PaulP

    PaulP Gawd

    Messages:
    625
    Joined:
    Oct 31, 2016
    It does not defeat full drive encryption, which is why they suggest using BitLocker as a (partial) defense. It is true that the attacker will be able to get access to the contents of RAM, but that would be the extent of the data loss; they would get nothing from the drive.
     
    SPARTAN VI likes this.
  9. Christobevii3

    Christobevii3 Limp Gawd

    Messages:
    294
    Joined:
    Jul 13, 2008
    Wouldn't the TPM key be held in RAM though to allow boot? Thus you could forcibly pass it to unlock BitLocker drives. I think what they are saying is the full defense is to turn off sleep and only allow hibernate. Plus force BitLocker to require a startup PIN/code.
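    The defenses named in the first post and in this reply (BitLocker with a startup PIN, hibernate instead of sleep, firmware passwords) can be audited on a Windows laptop with the following PowerShell script. It is an added example, not code from the thread or from the researchers; it assumes the built-in BitLocker module (Get-BitLockerVolume) and powercfg are available, and the function name Test-ColdBootHardening is made up here. Firmware passwords cannot be verified from inside the OS, so the script only reports the checks it can make.

```powershell
# Added example (not from the thread): audit one Windows laptop for the cold-boot
# mitigations discussed above. Run from an elevated PowerShell session.
# Assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later).

function Test-ColdBootHardening {
    [CmdletBinding()]
    param(
        [string]$OsDrive = $env:SystemDrive   # normally "C:"
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. BitLocker on the OS volume. A TPM-only protector releases the volume key
    #    automatically at boot, so a memory image taken then still yields the key.
    #    A TpmPin / TpmPinStartupKey protector keeps the key out of RAM until a
    #    person types the PIN, which is the "startup PIN" mitigation.
    $vol = Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction Stop
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("BitLocker protection is '$($vol.ProtectionStatus)' on $OsDrive")
    }
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    if (-not ($types -match '^TpmPin')) {
        $findings.Add("No TPM+PIN protector on $OsDrive (found: $($types -join ', '))")
    }

    # 2. Power states. 'powercfg /a' prints the available states first, then a
    #    "not available" section; we only look at the first part.
    $report    = (powercfg /a) -join "`n"
    $available = ($report -split 'not available')[0]
    if ($available -notmatch 'Hibernate') {
        $findings.Add("Hibernate is not enabled (enable with: powercfg /hibernate on)")
    }
    if ($available -match 'Standby \(S') {
        $findings.Add("Standby (sleep) is still offered; prefer hibernate or shutdown")
    }

    # 3. Firmware password / boot order cannot be read from the OS, so it is a
    #    reminder rather than a check.
    $findings.Add("Reminder: set a firmware (BIOS/UEFI) password and disable USB boot in setup")

    [pscustomobject]@{
        Drive     = $OsDrive
        Compliant = ($findings.Count -eq 1)   # only the reminder remains
        Findings  = $findings
    }
}

# Usage:
#   $r = Test-ColdBootHardening
#   $r.Findings
#
# Remediation hints (run deliberately, one at a time):
#   powercfg /hibernate on
#   powercfg /change standby-timeout-ac 0 ; powercfg /change standby-timeout-dc 0
#   # Replace a TPM-only protector with TPM+PIN (remove the Tpm protector first):
#   Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')
```

The script reports rather than changes anything; the remediation lines are left as comments because switching protectors and disabling sleep are decisions an administrator should make knowingly (a new PIN protector, for instance, needs the TPM-only protector removed afterwards, or the machine still boots without a PIN).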
     
  10. DejaWiz

    DejaWiz Oracle of Unfortunate Truths

    Messages:
    19,267
    Joined:
    Apr 15, 2005
    Using TPM-based BitLocker and firmware passwords on every deployed system in my org, so we're good.
     
  11. AceGoober

    AceGoober Live! Laug[H]! Overclock!

    Messages:
    22,847
    Joined:
    Jun 25, 2003
    I normally set up password-locked firmware and biometric login on every personal laptop or smartphone that I have. Passwords are normally 10-plus alphanumeric and special characters. It's disheartening to read that this isn't common practice in every organization.
     
    YeuEmMaiMai likes this.
  12. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    12,423
    Joined:
    Aug 16, 2004
    Same here... And for flashing from within Windows, you also need to suspend BitLocker or else the next boot will ask for the BitLocker recovery key.
    But the BitLocker recovery key on a boot device should theoretically be able to be brute forced... I have a theory and idea on how to implement it, but would have to write software to implement my idea.

    Haven't tried flashing from DOS though. Does that work without suspending BitLocker in Windows before flashing? Or will it still require the recovery key after it flashes?
     
  13. Dead Parrot

    Dead Parrot [H]ard|Gawd

    Messages:
    1,908
    Joined:
    Mar 4, 2013
    Yet another reason Win 10 is evil. Several times I have tried to power off my laptop only to find out my only choices are "Finish installing updates" OR "Sleep Mode" due to some update being downloaded and prepped for install while the laptop was active. Don't always have time to wait some unknown time for the updates to finish so I can really shut the thing down.
     
  14. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    12,423
    Joined:
    Aug 16, 2004
    Windows 7 and 8/8.1 do the same exact thing if you go to shutdown or restart and there are updates that need to finish installing.
     
  15. theBrownLlama

    theBrownLlama Limp Gawd

    Messages:
    494
    Joined:
    Aug 3, 2017
    So this just means the attacker can bypass the Windows password

    and not actual encryption keys to an encrypted drive

    and you need physical access

    um, that is not exactly new.....

    ...well, yeah, it's a new technique to achieve the same effect, to add to prob the dozen others, except this has 'laptop' added to the headline..
     
  16. Pieter3dnow

    Pieter3dnow [H]ardness Supreme

    Messages:
    5,682
    Joined:
    Jul 29, 2009
    Can't you disable sleep and hibernate modes in Windows?
     
  17. YeuEmMaiMai

    YeuEmMaiMai Death Incarnate

    Messages:
    17,106
    Joined:
    Jun 11, 2004
    Same here, you are not getting past the BIOS without the password and you are not getting into the OS without biometrics on my phone or laptop. Also have USB devices set to "do nothing" when attached.
     
    AceGoober likes this.
  18. Dead Parrot

    Dead Parrot [H]ard|Gawd

    Messages:
    1,908
    Joined:
    Mar 4, 2013
    True, except in Win 7, I can tell it NOT to look for updates. Win 10 makes that simple precaution much harder for the average end user.
     
  19. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    12,423
    Joined:
    Aug 16, 2004
    An unpatched system is a system that should not have internet access.

    Disabling updates is not a "precaution".. it is dumb.

    Personally, I would rather have people complaining about updates happening, than to have those same people disable updates and then have their computers become botnet zombies.
     
  20. zalazin

    zalazin [H]ard|Gawd

    Messages:
    1,360
    Joined:
    May 12, 2000
    This all sounds like much ado over nothing. Physical access? You want access to my computer? Talk to my German Shepherd; you won't get anywhere, but you can try......
     
    clockdogg likes this.
  21. clockdogg

    clockdogg Gawd

    Messages:
    533
    Joined:
    Dec 12, 2007
    So...you're saying your Shepherd isn't a good listener? Bad dog!

    Also, why would you waste the attention of such a noble creature protecting such an ignoble device as a laptop?

    Custom built and tweaked desktop computer? Sure, a pack of wolves is appropriate defense. But a laptop? Deserves a pack of week-old watch-dogfish. :D
     
  22. zalazin

    zalazin [H]ard|Gawd

    Messages:
    1,360
    Joined:
    May 12, 2000
    Hey, the dog says he likes taking bites out of asshats; makes his whole day.....
     
  23. DocNo

    DocNo Limp Gawd

    Messages:
    334
    Joined:
    Apr 23, 2012
    Um, the OS has to decrypt the drive in order to operate. Just where do you think the decryption keys are stored while the OS is operational?
     
  24. Dead Parrot

    Dead Parrot [H]ard|Gawd

    Messages:
    1,908
    Joined:
    Mar 4, 2013
    Never said I don't update. Just with versions prior to 10, the end user could pick a time when they had time instead of finding out their laptop will be in sleep mode in checked baggage for that 12 hour hop across a pond.
     
  25. M76

    M76 [H]ardness Supreme

    Messages:
    7,474
    Joined:
    Jun 12, 2012
    I think it's time we started using different terminology for "hacks" that require the wannabe hacker to have full physical access to the device. If they stole my shit, hacking it is not my biggest concern, it is the actual theft. It's not like they can get any information from my laptop apart from a few personal photos, which have no value to them.

    Also this only works if the computer is put into standby. I never put my laptop in standby mode. It's a waste of battery. Either I'm using it, then it's on, or I'm not using it, then it's off, not hibernated, not in standby, cold hard off.
     
  26. PaulP

    PaulP Gawd

    Messages:
    625
    Joined:
    Oct 31, 2016
    The encryption keys are erased after being passed to the hard drive, if they are using full drive encryption (TCG Opal).