PC firmware weakness exposes encryption keys to attackers

29 October 2018

F-Secure have identified a weakness that allows hackers to carry out a ‘cold boot attack’ against modern laptops.

Consultants from cyber security provider F-Secure have found a weakness in modern computers that attackers can use to steal encryption keys and other sensitive information. The discovery has compelled the researchers to warn PC vendors and users that current security measures aren’t enough to protect data in lost or stolen laptops.

Attackers need physical access to the computer before they can exploit the weakness. F-Secure principal security consultant Olle Segerdahl says that once this is achieved, an adversary can successfully perform the attack in about five minutes.

The weakness allows the attackers to carry out a ‘cold boot attack’. This involves rebooting a computer without following a proper shutdown process, then recovering data that remains briefly accessible in the RAM after the power is lost. F-Secure says hackers have known about this type of attack since 2008.

While modern laptops now overwrite RAM specifically to prevent attackers from using cold boot attacks to steal data, Segerdahl and his team have found a way to disable the overwrite process and re-enable the decade-old cold boot attack. “It takes some extra steps compared to the classic cold boot attack, but it’s effective against all the modern laptops we’ve tested,” explains Segerdahl. “And since this type of threat is primarily relevant in scenarios where devices are stolen or illicitly obtained, it’s the kind of thing an attacker will have plenty of time to execute.”

According to F-Secure, the attack exploits the fact that the firmware settings governing the behaviour of the boot process are not protected against manipulation by a physical attacker. Using a simple hardware tool, the hacker can rewrite the non-volatile memory chip that contains these settings, disable memory overwriting, and enable booting from external devices. The cold boot attack can then be carried out by booting a special program using a USB stick.

F-Secure principal security consultant Olle Segerdahl warns that a lot of companies are likely to have a weak link in their security that they’re not fully aware of or prepared to deal with.

Segerdahl says that because this attack works against the kind of laptops used by companies, there’s no reliable way for organisations to know if their data is safe in the event of a computer going missing. He adds: “There’s no easy fix for this issue either, so it’s a risk that companies are going to have to address on their own.”

Segerdahl advises organisations to prepare themselves for such attacks. One way, he says, is to configure laptops to automatically shut down or hibernate instead of entering sleep mode, and to ensure that users must enter the BitLocker PIN any time Windows boots up or restores.
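The two mitigations Segerdahl recommends can be audited and applied from an elevated PowerShell session. The script below is an added example, not F-Secure's code or a tool from the article: it checks that the active power scheme hibernates rather than sleeps (so the volume key is no longer held in RAM when the laptop is closed) and that the operating-system volume carries a BitLocker TPM+PIN protector (so a boot or a resume from hibernation cannot release the key without the PIN). The hibernate timeout value and the choice to require rather than merely allow the PIN are assumed policy decisions, not figures from the article.

```powershell
<#
  Added example (not from the F-Secure article). Audits, and with -Remediate
  applies, the two mitigations described in the text:
    1. Lid close / idle -> hibernate instead of sleep (RAM is powered off).
    2. BitLocker OS volume protected by TPM+PIN, so every boot needs the PIN.
  Run from an elevated PowerShell prompt on the laptop being checked.
#>
[CmdletBinding()]
param(
    [switch]$Remediate,
    [int]$HibernateTimeoutMinutes = 15,      # assumed policy value
    [string]$OsDrive = $env:SystemDrive       # normally "C:"
)

function Get-LidActionIndex {
    # powercfg prints "Current AC Power Setting Index: 0x00000001" etc.
    # Lid action values: 0 = do nothing, 1 = sleep, 2 = hibernate, 3 = shut down
    $text = (powercfg /query SCHEME_CURRENT SUB_BUTTONS LIDACTION) -join "`n"
    $ac = [regex]::Match($text, 'Current AC Power Setting Index: 0x([0-9a-fA-F]{8})')
    $dc = [regex]::Match($text, 'Current DC Power Setting Index: 0x([0-9a-fA-F]{8})')
    [pscustomobject]@{
        AC = if ($ac.Success) { [Convert]::ToInt32($ac.Groups[1].Value, 16) } else { -1 }
        DC = if ($dc.Success) { [Convert]::ToInt32($dc.Groups[1].Value, 16) } else { -1 }
    }
}

function Set-HibernateInsteadOfSleep {
    powercfg /hibernate on | Out-Null
    # Lid close -> hibernate on both mains (AC) and battery (DC)
    powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2 | Out-Null
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2 | Out-Null
    # Never idle into sleep; idle into hibernate after the assumed timeout
    powercfg /change standby-timeout-ac 0 | Out-Null
    powercfg /change standby-timeout-dc 0 | Out-Null
    powercfg /change hibernate-timeout-ac $HibernateTimeoutMinutes | Out-Null
    powercfg /change hibernate-timeout-dc $HibernateTimeoutMinutes | Out-Null
    powercfg /setactive SCHEME_CURRENT | Out-Null
}

function Test-BitLockerPin {
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
    # TpmPin / TpmPinStartupKey both require the PIN before the key is released
    [bool]($vol.KeyProtector | Where-Object { $_.KeyProtectorType -in 'TpmPin','TpmPinStartupKey' })
}

function Set-BitLockerPin {
    # Local policy equivalent of "Require additional authentication at startup":
    # UseTPMPIN 1 = require a startup PIN; UseTPM 2 = allow TPM (assumed choice)
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPM            -Value 2 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMPIN         -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMKey         -Value 0 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMKeyPIN      -Value 0 -Type DWord
    # The PIN is typed by the user at the console; nothing is stored in the script
    $pin = Read-Host -Prompt "New BitLocker startup PIN for $OsDrive" -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmAndPinProtector -Pin $pin | Out-Null
}

# ---- audit ----
$lid = Get-LidActionIndex
$lidOk = ($lid.AC -eq 2 -or $lid.AC -eq 3) -and ($lid.DC -eq 2 -or $lid.DC -eq 3)
$pinOk = Test-BitLockerPin

Write-Host ("Lid action (AC/DC): {0}/{1}  -> {2}" -f $lid.AC, $lid.DC, $(if ($lidOk) {'OK'} else {'SLEEP OR UNSET'}))
Write-Host ("BitLocker TPM+PIN on {0}: {1}" -f $OsDrive, $(if ($pinOk) {'OK'} else {'MISSING'}))

# ---- remediate ----
if ($Remediate) {
    if (-not $lidOk) { Set-HibernateInsteadOfSleep; Write-Host "Power scheme updated: hibernate replaces sleep." }
    if (-not $pinOk) { Set-BitLockerPin;            Write-Host "TPM+PIN protector added; reboot to confirm the PIN prompt." }
}
```

Run it without arguments to get a report, and with `-Remediate` to apply the changes; the hibernate timeout is read from `-HibernateTimeoutMinutes`. Adding a TPM+PIN protector is only possible when the local or domain policy permits a startup PIN, which is why the script writes the policy values before calling `Add-BitLockerKeyProtector`; in a managed fleet those values would normally come from Group Policy or MDM rather than a local script, and the audit half is then the part worth running on every device.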

He adds that IT departments should have an incident response plan ready to deal with laptops that go missing: “A quick response that invalidates access credentials will make stolen laptops less valuable to attackers. IT security and incident response teams should rehearse this scenario and make sure that the company’s workforce knows to notify IT immediately if a device is lost or stolen. Planning for these events is a better practice than assuming devices cannot be physically compromised by hackers because that’s obviously not the case.”

Segerdahl has shared his team’s research with Intel, Microsoft and Apple to help the industry improve the security of current and future products.