Security researchers will detail today a new variation of a cold boot attack that can meddle with a computer's firmware to disable security measures and allow an attacker to recover sensitive data stored on that computer, such as passwords, corporate files, and more.
The attack, which is presented today at a security conference, is a variation of old cold boot attacks, known for nearly a decade.
Cold boot attacks are when an attacker forces a computer reset/reboot and then steals any data left over in the RAM.
All cold boot attacks require physical access and special hardware tooling to perform, and are generally not considered a threat vector for normal users, but only for computers storing highly-sensitive information, or for high-value individuals such as government officials or businessmen.
Over the years, OS makers and hardware vendors have shipped various security measures to reduce the impact of cold boot attacks, even if they happen. One of these protections was that computers would overwrite the contents of the RAM when power was restored after a cold boot.
But security researchers from Finnish cyber-security firm F-Secure discovered that they could disable this feature by modifying firmware settings and steal data from a computer's RAM after a cold reboot.
Just like all previous cold boot attacks, their method requires physical access and a special tool to extract leftover RAM. A video of one of the researchers performing their variant of the attack is embedded below.
"It's not exactly easy to do, but it's not a hard enough issue to find and exploit for us to ignore the probability that some attackers have already figured this out," said F-Secure Principal Security Consultant Olle Segerdahl, one of the researchers.
"It's not exactly the kind of thing that attackers looking for easy targets will use. But it is the kind of thing that attackers looking for bigger phish, like a bank or large enterprise, will know how to use," he added.
The two researchers say this method will work against nearly all modern computers. They have already notified Microsoft, Intel, and Apple of their findings.
In the meantime, Olle and Pasi recommend that system administrators and IT departments configure all company computers to either shut down or hibernate (not enter sleep mode) and require users to enter their BitLocker PIN whenever they power up or restore their computers.
The two say cold boot attacks --such as their variation-- will continue to work, but by encrypting the hard drive via BitLocker or another similar system, this limits the amount of data an attacker can recover.
"Encryption keys aren't stored in the RAM when a machine hibernates or shuts down. So there's no valuable info for an attacker to steal," F-Secure said in a press release today.