In a presentation at the SEC-T security conference in Stockholm, Sweden, F-Secure researchers Olle Segerdahl and Pasi Saarinen detailed how attackers with physical access to a computer can use a firmware exploit to disable the memory-overwrite protection that vendors added against cold boot attacks, and then extract encryption keys and other sensitive data still present in the RAM modules.
Cold boot attacks are security attacks in which a malicious party with physical access to a computer steals encryption keys from DRAM and SRAM memory modules after resetting or rebooting the machine. They work because memory contents do not vanish the instant power is cut or the system is reset; they decay over a period of seconds, long enough to boot a tool that dumps them.
The stolen encryption keys are then used to mount the protected volumes on the hard drive and extract the sensitive data they hold.
In this specific case, the cold boot attack makes it possible to recover the encryption keys that BitLocker or FileVault keeps in RAM once the attacker gets physical access to the targeted device, and with them to decrypt the protected volumes.
In addition to encryption keys, the F-Secure research team also said that attacks using this firmware exploit could get hold of other sensitive material such as passwords or enterprise account credentials, basically anything still left in the RAM after the computer is shut down or rebooted.
As explained by the research team, laptops are the most exposed devices because their battery keeps the RAM modules powered for longer, which makes stealing the data simpler than on desktop computers.
This cold boot attack affects both Microsoft's BitLocker and Apple's FileVault.
Moreover, laptops are at higher risk because this attack requires the threat actors to have physical access to the computer and to move it to a secure place for the data extraction procedure, which is far easier with a portable device that is routinely carried around and can be stolen.
The F-Secure researchers also confirmed that it is theoretically possible to read the contents of the RAM chips while the machine is running, although physical access to the RAM chips is still required.
Although the situation looks grim, there is some hope: as detailed in the conference talk, Apple confirmed that its computers equipped with the T2 chip (the iMac Pro and the 2018 MacBook Pro models) have additional hardware-level protections that mitigate this attack vector.
Additionally, Apple recommends enabling a firmware password, and Microsoft recommends configuring a BitLocker startup PIN, so that an attacker who powers the machine on cannot boot it from external media or have the TPM release the volume key into memory without first supplying the password or PIN.
Until a fix for this issue is available, companies and organizations should implement policies requiring all their employees to shut down computers or to configure them to hibernate instead of sleep, because "encryption keys aren't stored in the RAM when a machine hibernates or shuts down. So there's no valuable info for an attacker to steal," said F-Secure's research team.
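The two Windows-side mitigations mentioned above (a BitLocker startup PIN, and hibernating rather than sleeping) can be audited and enforced from an elevated PowerShell session. The script below is an added example written for this page; it is not code from F-Secure, Microsoft or the conference talk. It assumes the operating system volume is C:, that the machine has a TPM and that BitLocker is already enabled; the registry values under the FVE policy key mirror the "Require additional authentication at startup" Group Policy setting (0 = do not allow, 1 = require, 2 = allow).

```powershell
# Added example, not from the article or the F-Secure research. Run elevated.
# Assumptions: OS volume is C:, TPM present, BitLocker already enabled.

# 1. Is the OS volume protected by a bare TPM protector (key released at boot
#    with no user interaction) or by TPM+PIN?
$vol   = Get-BitLockerVolume -MountPoint 'C:'
$types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
$hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')

if (-not $hasPin) {
    Write-Warning "C: protectors: $($types -join ', '). No startup PIN: the TPM unseals the key automatically at boot."

    # Permit (and require) TPM+PIN through the local policy that backs
    # "Require additional authentication at startup". Registry names are the
    # ones the ADMX template writes under the FVE key.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name 'UseTPM'             -Value 0 -Type DWord  # TPM-only: do not allow
    Set-ItemProperty -Path $fve -Name 'UseTPMPIN'          -Value 1 -Type DWord  # TPM+PIN: require
    Set-ItemProperty -Path $fve -Name 'UseTPMKey'          -Value 0 -Type DWord
    Set-ItemProperty -Path $fve -Name 'UseTPMKeyPIN'       -Value 0 -Type DWord

    # BitLocker keeps a single TPM-based protector, so adding TPM+PIN
    # supersedes the bare TPM protector. The PIN is prompted for interactively.
    $pin = Read-Host -AsSecureString 'New BitLocker startup PIN'
    Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
}

# 2. Hibernate instead of sleep, so the volume key leaves RAM when the lid is
#    closed or the power button is pressed. powercfg action values:
#    0 = do nothing, 1 = sleep, 2 = hibernate, 3 = shut down.
powercfg /hibernate on
foreach ($action in 'LIDACTION', 'PBUTTONACTION') {
    powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS $action 2
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS $action 2
}
# Never enter sleep on idle (timeout 0 = never); hibernate after 10 idle minutes.
powercfg /change standby-timeout-ac 0
powercfg /change standby-timeout-dc 0
powercfg /change hibernate-timeout-ac 10
powercfg /change hibernate-timeout-dc 10
powercfg /setactive SCHEME_CURRENT

# 3. Re-check the result.
$after = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector.KeyProtectorType -join ', '
Write-Output "C: protectors now: $after"
powercfg /query SCHEME_CURRENT SUB_BUTTONS LIDACTION
```

The PIN matters because a TPM-only protector hands the volume key to the boot loader on every power-on, so an attacker can simply boot the stolen laptop, let the key land in RAM, and then perform the reset. With TPM+PIN the key is only loaded once the user has authenticated, and with hibernation it is cleared from RAM whenever the user walks away, which together remove the window the attack depends on.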
If you want to view their SEC-T talk, you can do so in the video linked below, by going to the 1:30:00 timestamp: