Published: Sun, September 16, 2018
IT | By Lester Massey

[H]ardOCP: New Cold Boot Attacks Leave Nearly All Laptops Susceptible to Hacks

Perhaps the one saving grace here is that an attacker needs physical access to the computer and enough time to open it up in order to steal any data. Shutting the computer down fully (or hibernating it rather than leaving it asleep) is still the best defense: either removes power from the RAM, so the keys it holds fade away instead of being kept alive, as they are in sleep mode.

The researchers say the attack is reliable against Windows machines that are running or asleep, and against machines whose disk encryption unlocks with the TPM alone and does not require a pre-boot PIN, since those load the encryption key into memory before anyone logs in.

At the heart of this attack is the way firmware controls what happens to RAM across a reboot. Ordinary home computers are unlikely targets; the machines at risk are those holding valuable information, such as the laptops owned by government agencies and businesses.

An "evil maid" could use this attack to extract secrets from laptops left in hotel rooms, and an "evil" IT technician could do the same to an office machine overnight or even during a targeted individual's lunch hour.

"Because this attack works against the kind of laptops used by companies, there's no reliable way for organizations to know their data is safe if a computer goes missing."

If you can steal someone's laptop that was left switched on in sleep mode, crack it open, hook up some electronics to alter settings in the BIOS firmware, then restart it and boot into a custom program, you can swipe crypto keys and other secrets from the system.

In the demonstration, the attacker grabs the laptop, takes it to another desk, removes the battery, pops the lid and sprays the RAM modules with compressed air to chill them, which slows the decay of their contents.

The protection being defeated is the Trusted Computing Group's Reset Attack Mitigation specification, implemented through the Memory Overwrite Request (MOR) firmware setting and its lock, MORLock (Memory Overwrite Request Control Lock), which tells the firmware to wipe RAM when the system restarts. With that overwrite disabled, freezing the RAM chips preserves their contents across the reboot long enough to boot a live operating system from a USB stick. From its Linux command line, the researcher then reads the legitimate user's encryption keys out of the surviving memory image.
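The key-recovery step at the end of that procedure, as an added example that is not F-Secure's tool or code from the original page: once a live USB system has dumped RAM, keys are located the way Halderman et al. described in 2008, by scanning the image for the expanded AES key schedule that disk-encryption drivers keep in memory next to the key itself. The memory image below is constructed (pseudo-random filler with a schedule for the FIPS-197 example key planted at an assumed offset, plus two deliberately flipped bits standing in for decay), and all function names are this example's own.

```python
"""Locate AES-128 keys in a raw memory image by their expanded key schedule.

Added example (not F-Secure's tool). A running disk-encryption driver keeps
the full AES key schedule in RAM, so we slide a window over the dump, expand
the 16 bytes at each offset as if they were a key, and compare the result with
the 176 bytes actually present. A small Hamming-distance budget tolerates the
bit decay that the freezing step in the attack is meant to limit.
"""
import random


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox() -> list:
    """Derive the AES S-box: multiplicative inverse followed by the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0) if x else 0
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SCHEDULE_LEN = 176  # 11 round keys of 16 bytes each


def expand_key_128(key: bytes) -> bytes:
    """FIPS-197 key expansion for a 16-byte key; returns all 176 schedule bytes."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord then SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)


def _bit_errors(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes128_keys(image: bytes, max_bit_errors: int = 0) -> list:
    """Return (offset, key) for every window whose bytes look like a key schedule.

    The 16 candidate key bytes are taken as-is; only the 160 derived bytes are
    allowed to differ from the recomputed schedule by up to max_bit_errors bits.
    """
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        window = image[off:off + SCHEDULE_LEN]
        expected = expand_key_128(window[:16])
        if _bit_errors(expected[16:], window[16:]) <= max_bit_errors:
            hits.append((off, window[:16]))
    return hits


# Constructed sample "dump" (not a real capture): pseudo-random filler with a
# schedule planted at an assumed offset, plus two flipped bits to mimic decay.
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 Appendix A key
SAMPLE_OFFSET = 777  # assumed, chosen for the example


def build_sample_image(seed: int = 2018, size: int = 2048) -> bytes:
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    schedule = bytearray(expand_key_128(SAMPLE_KEY))
    schedule[40] ^= 0x01   # one decayed bit inside round key 2
    schedule[150] ^= 0x80  # one decayed bit inside round key 9
    image[SAMPLE_OFFSET:SAMPLE_OFFSET + SCHEDULE_LEN] = schedule
    return bytes(image)


if __name__ == "__main__":
    dump = build_sample_image()
    print("exact match:    ", find_aes128_keys(dump))                   # [] because of the two flipped bits
    print("with tolerance: ", find_aes128_keys(dump, max_bit_errors=8))  # [(777, SAMPLE_KEY)]
```

The exact-match scan misses the planted schedule because of the two flipped bits, while a small error budget recovers it; real tools go further and also reconstruct keys whose own 16 bytes have decayed, which is why chilling the modules (fewer bit errors) matters so much to the attacker. Recovering the key is only useful because the firmware's memory overwrite was disabled first: with MOR enforced, the live USB system would find wiped RAM.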

F-Secure's researchers, Olle Segerdahl and Pasi Saarinen, presented their findings at the SEC-T conference in Stockholm, Sweden on Thursday, and are set to present them again at Microsoft's BlueHat security conference on September 27.

Classic "cold boot" techniques abruptly cut the power to a computer so that an attacker can try to read what is still in its memory. The attacks have been known since 2008: DRAM does not lose its contents the instant power is removed, so sensitive data held in a device's RAM, including encryption keys, can still be read for a short time after a forced reboot. Most modern computers counter this by overwriting RAM when the firmware starts up after a reset, but the researchers found a way to disable that process.

F-Secure added: "Using a simple hardware tool, an attacker can rewrite the non-volatile memory chip that contains these settings, disable memory overwriting, and enable booting from external devices. We are convinced that anybody tasked with stealing data off laptops would have already come to the same conclusions as us."