Researchers bring back cold boot attacks on modern computers
The idea of cold boot attacks began 10 years ago, but researchers at F-Secure found the attack can be used on modern computers to steal encryption keys and other data.
It's 2008 all over again, as researchers have found a way to use cold boot attacks against modern computers to steal sensitive data from lost or stolen devices.
Olle Segerdahl and Pasi Saarinen, security consultants for F-Secure, based in Helsinki, developed the new cold boot attack method and claimed it "will work against nearly all modern computers," including both Windows and macOS devices.
In classic cold boot attacks, threat actors could recover data stored in RAM after a computer was improperly shut down, but modern operating systems can mitigate this by overwriting RAM. Segerdahl and Saarinen found a way to disable this feature.
"It takes some extra steps compared to the classic cold boot attack, but it's effective against all the modern laptops we've tested," Segerdahl said in a written press statement. "And since this type of threat is primarily relevant in scenarios where devices are stolen or illicitly obtained, it's the kind of thing an attacker will have plenty of time to execute."
Segerdahl and Saarinen developed a tool that could rewrite the mitigation settings in memory, which would disable memory overwriting and allow them to boot from an external device that could read the target system's memory. The researchers said cold boot attacks like this could be used to steal sensitive data like credentials or even encryption keys held in memory.
"It's not exactly easy to do, but it's not a hard enough issue to find and exploit for us to ignore the probability that some attackers have already figured this out," Segerdahl said in a statement. "It's not exactly the kind of thing that attackers looking for easy targets will use. But it is the kind of thing that attackers looking for bigger phish, like a bank or large enterprise, will know how to use."
"The @fsecure cold boot technique requires physical access. To protect sensitive info, at a minimum, we recommend using a device with a discrete TPM, disabling sleep/hibernation and configuring BitLocker with a PIN. #protect #coldboot" — Jeff Jones (@securityjones) September 13, 2018
The researchers said cold boot attacks like this could provide a consistent way for threat actors to steal data, because it works across platforms. And although the researchers have shared their findings with Microsoft, Intel and Apple, mitigations are still a work in progress.
Apple claimed Macs with the T2 chip are immune to cold boot attacks, though this only includes the iMac Pro and 2018 MacBook Pro models. And the vendor suggested users with other Mac devices set a firmware password. Microsoft updated BitLocker guidance to help users protect sensitive information.