New cold boot attack affects "nearly all modern computers"

Donna Miller
September 14, 2018

Cold boot attacks have been around since 2008 and involve stealing information stored on a computer that hasn't been shut down properly, or that has been left in a vulnerable sleeping state.

Security researchers discovered a flaw in almost all modern computers that allows potential hackers to steal sensitive information from your locked devices.

The attack works against nearly all Macs and Windows PCs and requires several minutes of physical access to a machine left in sleep mode, which maintains enough power to keep data from the most recent active session "alive" in system memory. "It takes some extra steps compared to the classic cold boot attack, but it's effective against all the modern laptops we've tested", said F-Secure Principal Security Consultant, Olle Segerdahl. Shutting your computer all the way off is still the best defense.

RAM (Random Access Memory) is known for being volatile, losing its data when out of power, but it can preserve information for a longer time - even minutes - under low-temperature conditions. Macs with T2 chips - on iMac Pros and 2018 MacBook Pros - are immune to this attack, and Apple recommends that users of other Macs set a BIOS PIN to prevent unauthorized motherboard-firmware changes. The newly found vulnerability apparently enables a malicious party to carry out an attack on a computer that they can access physically.

He added that it is not practical on easy targets, but it would be on an attacker's list of options for a "bigger phish, like a bank or large enterprise".

"The attack exploits the fact that the firmware settings governing the behaviour of the boot process are not protected against manipulation by a physical attacker", F-Secure wrote in a blog post.

At the heart of this attack is the way computers manage RAM via firmware. After that, the attacker can boot from an external device to read the contents of the system's RAM from before the device went to sleep. Using the Linux command line, he easily retrieves the legitimate user's encryption keys. The researchers presented their findings at a conference in Sweden recently, and will present them again at Microsoft's security conference on September 27.

The attack is a variation of the old cold boot attack, which is a popular technique in the hacking world. This could include sensitive information like encryption keys and personal documents that were open before the device rebooted. One of these protections was that computers would overwrite the contents of the RAM when power was restored after a cold boot.

The research has been shared with Intel, Microsoft and Apple to help the industry improve the security of current and future products.

Over the years, OS makers and hardware vendors have shipped various security measures to reduce the impact of cold boot attacks, even if they happen.

Apple told TechCrunch that it is working on "measures to protect Macs that don't come with [a] T2 chip", which have a new level of security that fully prevents this type of attack.
