New Cold Boot Attacks Leave Nearly All Laptops Susceptible to Hacks

cageymaru

Researchers have discovered a new way to defeat security designed to stop cold boot attacks. Sleep mode and cold/hard reboots leave critical information in the RAM of the device. The Trusted Computing Group (TCG) devised a system of overwriting the contents of the RAM when power is restored to the machine. The researchers have discovered a physical hack that rewrites firmware to disable memory overwriting and changes the settings to enable booting from an external device such as a USB stick. Even though the hack works on nearly all laptops, there are a few ways to protect yourself from the attack, such as enabling BitLocker, using hibernate instead of sleep, and setting firmware passwords.

"It's not exactly easy to do, but it's not a hard enough issue to find and exploit for us to ignore the probability that some attackers have already figured this out," says Olle. "It's not exactly the kind of thing that attackers looking for easy targets will use. But it is the kind of thing that attackers looking for bigger phish, like a bank or large enterprise, will know how to use." And Olle thinks there's no easy fix available to PC vendors, so it's something companies and end users will have to deal with on their own.
 
Since a laptop is easily stolen, I'm sure someone will have a little 'lab' set up with all the steps automated to strip out any useful data before turning the laptop over to the black market. So "hard to do" probably does not apply to a theft situation.
 
Yeah, this one is interesting. Requires sleep mode to work. Would need physical access to the device. Rewriting the settings of the TCG chip to prevent memory overwrite is a novel approach...but overall, there are many different and easier ways to skin a cat.
 
Any company today that issues laptops to its employees and does not use some sort of full drive encryption and a password-locked BIOS almost deserves to have their data stolen.

This hack bypasses full disk encryption. It goes after what's stored in RAM, not what is on local storage. Top of the article: "even a laptop with full disk encryption, can cause serious security headaches."

and

"An attacker could still perform a successful cold boot attack against machines configured like this [full disk encryption]. But encryption keys aren’t stored in the RAM when a machine hibernates or shuts down. So there’s no valuable info for an attacker to steal."


Edited for terminology and extended quote.
 
This hack defeats full disk encryption. It goes after what's stored in RAM, not what is on local storage. Top of the article: "even a laptop with full disk encryption, can cause serious security headaches."
It does not defeat full drive encryption, which is why they suggest using BitLocker as a (partial) defense. It is true that the attacker will be able to get access to the contents of RAM, but that would be the extent of the data loss; they would get nothing from the drive.
 
Wouldn't the TPM key be held in RAM though to allow boot? Thus you could forcibly pass it to unlock BitLocker drives. I think what they are saying is the full defense is turn off sleep and only allow hibernate. Plus force BitLocker to require a startup PIN/code.
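The defense described in the post above (TPM+PIN for BitLocker, hibernate instead of sleep) can be audited from an elevated PowerShell prompt. This is an added example, not code from the thread or the article; it assumes the built-in BitLocker module, the standard FVE policy registry keys, and `powercfg /a` output in its English form.

```powershell
# Added example: audit a Windows laptop for the mitigations discussed in the thread.
# Run elevated. A firmware (BIOS/UEFI) password cannot be checked from the OS,
# so that item has to be verified out-of-band.
#Requires -RunAsAdministrator

$findings = @()

# 1. BitLocker protectors. A TPM-only protector unseals the volume key with no
#    user input, so a thief who can boot the machine gets the key into RAM.
#    A pre-boot PIN (TpmPin / TpmPinStartupKey) keeps the key off the box.
foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "$($vol.MountPoint) is not fully encrypted ($($vol.VolumeStatus))"
    }
    elseif (($types -notcontains 'TpmPin') -and ($types -notcontains 'TpmPinStartupKey')) {
        $findings += "$($vol.MountPoint) has no pre-boot PIN (protectors: $($types -join ', '))"
    }
}

# 2. Policy that forces the PIN at startup (GPO 'Require additional authentication
#    at startup'): UseAdvancedStartup=1 enables it, UseTPMPIN=1 means 'require'.
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $pol -or $pol.UseAdvancedStartup -ne 1 -or $pol.UseTPMPIN -ne 1) {
    $findings += 'Policy does not require a TPM startup PIN (UseAdvancedStartup / UseTPMPIN)'
}

# 3. Power states. Keys stay in RAM across S3 sleep but not across hibernate (S4)
#    or shutdown. Look only at the "available" half of the powercfg /a listing.
$available = ((powercfg /a) -join "`n") -split 'not available' | Select-Object -First 1
if ($available -match 'Standby \(S3\)') {
    $findings += 'S3 sleep is available; disable it or the keys survive in RAM while asleep'
}
if ($available -notmatch 'Hibernate') {
    $findings += 'Hibernate is disabled; enable with: powercfg /hibernate on'
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: TPM+PIN required, S3 sleep off, hibernate on.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    exit 1
}
```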
 
Using TPM-based BitLocker and firmware passwords on every deployed system in my org, so we're good.
 
I normally set up password-locked firmware and biometric login on every personal laptop or smartphone that I have. Passwords are normally 10-plus alphanumeric and special characters. It's disheartening to read that this isn't common practice in every organization.
 
I normally set up password-locked firmware and biometric login on every personal laptop or smartphone that I have. Passwords are normally 10-plus alphanumeric and special characters. It's disheartening to read that this isn't common practice in every organization.

Same here... And for flashing from within Windows, you also need to suspend BitLocker, or else the next boot will ask for the BitLocker recovery key.
But the BitLocker recovery key on a boot device should theoretically be able to be brute forced... I have a theory and idea on how to implement it, but would have to write software to implement my idea.

Haven't tried flashing from DOS though. Does that work without suspending BitLocker in Windows before flashing? Or will it still require the recovery key after it flashes?
 
So, the laptop would have to be stolen AND either stay powered on or be in sleep mode for this to work.

Yet another reason Win 10 is evil. Several times I have tried to power off my laptop only to find out my only choices are "Finish installing updates" OR "Sleep Mode" due to some update being downloaded and prepped for install while the laptop was active. Don't always have time to wait some unknown time for the updates to finish so I can really shut the thing down.
 
Yet another reason Win 10 is evil. Several times I have tried to power off my laptop only to find out my only choices are "Finish installing updates" OR "Sleep Mode" due to some update being downloaded and prepped for install while the laptop was active. Don't always have time to wait some unknown time for the updates to finish so I can really shut the thing down.

Windows 7 and 8/8.1 do the same exact thing if you go to shutdown or restart and there are updates that need to finish installing.
 
So this just means the attacker can bypass the Windows password

and not actual encryption keys to an encrypted drive

and you need physical access

um, that is not exactly new.....

...well, yeah, it's a new technique to achieve the same effect, to add to probably the dozen others, except this has 'laptop' added to the headline..
 
I normally set up password-locked firmware and biometric login on every personal laptop or smartphone that I have. Passwords are normally 10-plus alphanumeric and special characters. It's disheartening to read that this isn't common practice in every organization.
Same here, you are not getting past the BIOS without the password and you are not getting into the OS without biometrics on my phone or laptop. Also have USB devices set to "do nothing" when attached.
 
Windows 7 and 8/8.1 do the same exact thing if you go to shutdown or restart and there are updates that need to finish installing.
True, except in Win 7, I can tell it NOT to look for updates. Win 10 makes that simple precaution much harder for the average end user.
 
True, except in Win 7, I can tell it NOT to look for updates. Win 10 makes that simple precaution much harder for the average end user.

An unpatched system is a system that should not have internet access.

Disabling updates is not a "precaution".. it is dumb.

Personally, I would rather have people complaining about updates happening, than to have those same people disable updates and then have their computers become botnet zombies.
 
This all sounds like much ado over nothing. Physical access? You want access to my computer? Talk to my German Shepherd; you won't get anywhere, but you can try......
 
This all sounds like much ado over nothing. Physical access? You want access to my computer? Talk to my German Shepherd; you won't get anywhere, but you can try......

So...you're saying your Shepherd isn't a good listener? Bad dog!

Also, why would you waste the attention of such a noble creature protecting such an ignoble device as a laptop?

Custom built and tweaked desktop computer? Sure, a pack of wolves is appropriate defense. But a laptop? Deserves a pack of week-old watch-dogfish. :D
 
Hey, the dog says he likes taking bites out of asshats; makes his whole day.....
 
It is true that the attacker will be able to get access to the contents of RAM

Um, the OS has to decrypt the drive in order to operate. Just where do you think the decryption keys are stored while the OS is operational?
 
An unpatched system is a system that should not have internet access.

Disabling updates is not a "precaution".. it is dumb.

Personally, I would rather have people complaining about updates happening, than to have those same people disable updates and then have their computers become botnet zombies.

Never said I don't update. Just with versions prior to 10, the end user could pick a time when they had time instead of finding out their laptop will be in sleep mode in checked baggage for that 12 hour hop across a pond.
 
I think it's time we started using different terminology for "hacks" that require the wannabe hacker to have full physical access to the device. If they stole my shit, hacking it is not my biggest concern; it is the actual theft. It's not like they can get any information from my laptop apart from a few personal photos, which have no value to them.

Also, this only works if the computer is put into standby. I never put my laptop in standby mode. It's a waste of battery. Either I'm using it, then it's on, or I'm not using it, then it's off: not hibernated, not in standby, cold hard off.
 
Um, the OS has to decrypt the drive in order to operate. Just where do you think the decryption keys are stored while the OS is operational?
The encryption keys are erased after being passed to the hard drive, if they are using full drive encryption (TCG Opal).
 