Computer criminals are constantly looking out for ways to infect computer systems at large. A recent security audit has revealed that a cold boot attack first documented in 2008 still works against modern computers from all major vendors. The weakness can be exploited by an attacker who has physical access to the machine.
2008 Cold Boot Attack Used Against Modern Computers
A new security report reveals that many computers are still vulnerable to the so-called 2008 cold boot attack, named for the year it was first demonstrated. The technique allows an attacker with physical access to the target machine to bypass its security mechanisms and read the contents of memory after the machine is powered off. The report indicates that many devices are affected, among them PCs and Macs from vendors such as Apple, Dell and Lenovo.
In essence, the attack lets criminals recover a machine's encryption keys, which remain briefly readable in memory after a hard reboot. After the original disclosure, vendors added a protective measure defined by the Trusted Computing Group (TCG) and stored in a chip built into the motherboard. The mechanism was designed specifically to defeat this class of attack, but like any defence it can be circumvented, and a team of security researchers has shown how.
The discovered weakness lies in the way modern machines check at startup whether the previous shutdown completed properly. If it did not, a specific "flag" tells the firmware to protect the data in memory by cleaning sensitive data out of it before the system proceeds. If that check is manipulated, the clean-up never happens and the encryption keys remain exposed. The manipulation is carried out by accessing the non-volatile memory chip directly.
The proof-of-concept cold boot attack is documented as the following sequence:
- The attackers need physical access to the machine.
- Using a tool, they overwrite the settings in the non-volatile TCG chip so that the memory overwrite is disabled and booting from external devices is allowed.
- The cold boot attack is then initiated with a special utility program placed on a removable USB storage device.
One characteristic of the cold boot attack is that it is time-dependent: the attackers must act as soon as possible after the shutdown. Depending on the individual machine, the proof-of-concept tests succeeded within five to ten seconds. Microsoft responded by recommending that users choose a device with a discrete TPM module, disable the sleep and hibernation power options, and configure BitLocker to use PIN-based authentication.
Apple responded that its T2 chip protects against these attacks; Mac computers without it should have a firmware password set.
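As an added example that is not part of the original article, the following PowerShell script audits a Windows machine against the three Microsoft recommendations above (TPM present, BitLocker with a PIN, sleep and hibernation disabled). It assumes an elevated session with the built-in BitLocker and TrustedPlatformModule modules; the registry paths and the "Allow standby states" power-setting GUID are the standard Windows ones and are not taken from the article.

```powershell
# Added example, not from the article: audit the hardening Microsoft
# recommends against cold boot attacks. Run in an elevated PowerShell session.

function Test-ColdBootHardening {
    param([string]$MountPoint = $env:SystemDrive)   # e.g. "C:"

    $findings = [ordered]@{}

    # 1. A TPM that is present and ready. Get-Tpm cannot distinguish a
    #    discrete part from a firmware TPM; check the platform documentation.
    $tpm = Get-Tpm
    $findings['TpmPresentAndReady'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

    # 2. BitLocker on the OS volume with a TPM+PIN (or TPM+PIN+startup key)
    #    protector: the TPM releases the volume key only after the PIN is
    #    entered, so a cold-booted machine does not unlock by itself.
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $findings['BitLockerOn']     = ($vol.ProtectionStatus -eq 'On')
    $findings['TpmPinProtector'] = [bool](($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey'))

    # 3. Hibernation off: HibernateEnabled is 0 after "powercfg /hibernate off".
    #    A missing value is reported as not disabled rather than assumed safe.
    $power = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $hib   = (Get-ItemProperty -Path $power -Name HibernateEnabled -ErrorAction SilentlyContinue).HibernateEnabled
    $findings['HibernationDisabled'] = ($hib -eq 0)

    # 4. Sleep (S1-S3 standby) disabled by policy. The GUID is the standard
    #    "Allow standby states (S1-S3) when sleeping" power setting.
    $standby = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab'
    $sb = Get-ItemProperty -Path $standby -ErrorAction SilentlyContinue
    $findings['StandbyDisabledByPolicy'] = [bool]($null -ne $sb -and $sb.ACSettingIndex -eq 0 -and $sb.DCSettingIndex -eq 0)

    [pscustomobject]$findings
}

# Remediation for the usual gaps (each needs an elevated prompt):
#   powercfg /hibernate off
#   Group Policy "Require additional authentication at startup" -> Enabled,
#   "Configure TPM startup PIN" -> Require startup PIN with TPM, then:
#   Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinProtector `
#       -Pin (Read-Host -AsSecureString 'Startup PIN')

Test-ColdBootHardening | Format-List
```

A `False` in any field marks a recommendation that is not in place; the script only reads state and changes nothing.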