Slashdot Mirror


Almost 'All Modern Computers' Affected By Cold Boot Attack, Researchers Warn (cnet.com)

Security researchers have discovered a flaw with nearly all modern computers that allows potential hackers to steal sensitive information from your locked devices. CNET adds: The attack only takes about five minutes to pull off, if the hacker has physical access to the computer, F-Secure principal security consultant Olle Segerdahl said in a statement Thursday. Cold boot attacks can steal data on a computer's RAM, where sensitive information is briefly stored after a forced reboot. These attacks have been known since 2008, and most computers today have a safety measure that removes the data stored in RAM to prevent hackers from stealing sensitive information. It's also not a common threat for the average person, since both access to the computer and special tools -- like a program on a USB stick -- are needed to carry out the attack. But Segerdahl and researchers from F-Secure said they've found a way to disable that safety measure and extract data using cold boot attacks. [Further reading: ZDNet] "It takes some extra steps compared to the classic cold boot attack, but it's effective against all the modern laptops we've tested," he said in a statement. Per F-Secure, there is no patch to address the new vulnerability just yet. For now, the firm recommends that you make tweaks to your system settings so that your computer automatically shuts down or hibernates instead of entering sleep mode when you close your screen.
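The mitigation the summary recommends is to hibernate or power off instead of sleeping, because sleep keeps RAM powered with the disk-encryption key resident. As an added example (not from the article, F-Secure or CNET), the checker below audits a systemd-logind configuration on Linux for lid-switch and idle actions that still leave the machine suspended; the key names follow logind.conf(5), the defaults are assumed from the systemd manual and should be verified against your version, and the sample config is constructed.

```python
# Added example: audit logind.conf power actions that leave RAM powered
# (suspend states), the condition the cold boot attack in the article relies on.
# Key names follow logind.conf(5); defaults below are an assumption to verify
# against your systemd version. The sample config is constructed for the demo.

# Actions that keep memory powered, so the disk-encryption key stays in RAM.
# "suspend-then-hibernate" and "hybrid-sleep" still begin with a suspend window,
# so they are counted as exposed too.
SLEEP_ACTIONS = {"suspend", "hybrid-sleep", "suspend-then-hibernate"}

# Assumed logind defaults, used when a key is absent or commented out.
DEFAULTS = {
    "HandleLidSwitch": "suspend",
    "HandleLidSwitchExternalPower": "suspend",
    "HandleLidSwitchDocked": "ignore",
    "IdleAction": "ignore",
}

def parse_logind(text: str) -> dict:
    """Return the effective value of each power-related key in a logind.conf."""
    effective = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue  # blank lines, comments and section headers carry no setting
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if sep and key in effective:
            effective[key] = value
    return effective

def risky_settings(text: str) -> dict:
    """Map each key whose effective action is a sleep state to that action."""
    return {k: v for k, v in parse_logind(text).items() if v in SLEEP_ACTIONS}

# Constructed sample: lid close on battery is left at the (commented) default,
# on external power it hibernates, and the idle action suspends after 30 minutes.
SAMPLE_CONF = """
[Login]
#HandleLidSwitch=suspend
HandleLidSwitchExternalPower=hibernate
IdleAction=suspend
IdleActionSec=30min
"""

if __name__ == "__main__":
    for key, action in risky_settings(SAMPLE_CONF).items():
        print(f"{key}={action}: sleeps with RAM powered; prefer hibernate or poweroff")
```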

42 of 79 comments

  1. Why did I bother reading this? by zippo01 · · Score: 4, Informative

    If I have 5 min alone with a system, it's mine. That is the most basic security concept. "It only takes 5 min"? I need less than that for most systems. Sigh. I don't understand how this is news.

    1. Re:Why did I bother reading this? by AmiMoJo · · Score: 2

      We have known about this for over a decade and AMD systems are now immune.

      AMD introduced encrypted RAM last year. RAM is encrypted with a random key generated at boot time, with only a 1-2% performance hit. The key cannot be recovered and is regenerated on reboot. In fact, VMs can all have their own keys if you like.

      Naturally cold boot attacks become useless on such systems.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Why did I bother reading this? by klingens · · Score: 3, Interesting

      Only AMD Servers, EPYC CPUs. And those are what? 1% of systems?
      Those servers are usually in datacenters or at least locked server rooms. They aren't at risk in any way here from cold boot attacks in a meaningful way.

      The article writes about notebooks. No AMD notebook CPU anywhere encrypts its RAM. All AMD notebooks are vulnerable, just like all notebooks with CPUs from other vendors.

    3. Re:Why did I bother reading this? by iggymanz · · Score: 1

      where is that key stored in a running system?

    4. Re:Why did I bother reading this? by angel'o'sphere · · Score: 2

      It is not a cold (re)boot anyway, it is a warm boot.
      In a cold boot, power is disconnected from the main board and the RAM loses all its data.

      Kids in our days ...

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    5. Re:Why did I bother reading this? by AmiMoJo · · Score: 2

      Secure part of the CPU that doesn't support read-back. The register is write only.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:Why did I bother reading this? by gweihir · · Score: 1

      Yeah, that is what basically every competent IT security person says and has been saying for years. This is just some people trying to grab attention.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:Why did I bother reading this? by thegarbz · · Score: 1

      If I have 5 min alone with system its mine.

      This is why you bothered reading it. If you know how to defeat full disk encryption on a locked but powered-on computer to extract data in 5 minutes, then chances are you learnt that by reading about attacks requiring physical access for 5 minutes.

    8. Re:Why did I bother reading this? by MikeBabcock · · Score: 1

      Because with a locked disk-encrypted system, that's no longer true without this attack. Hasn't been for a long time.

      --
      - Michael T. Babcock (Yes, I blog)
    9. Re:Why did I bother reading this? by iggymanz · · Score: 1

      I found the VM part has recently been cracked, though, with a technique called SEVered by researchers at Fraunhofer AISEC.

    10. Re:Why did I bother reading this? by JThundley · · Score: 1

      How will you defeat hard disk encryption?

  2. If they have physical access by ocsibrm · · Score: 5, Insightful

    you are already screwed by a litany of other potential vectors. That's why physical access control is so important.

    1. Re: If they have physical access by cathector · · Score: 1

      it's okay, i wrote them all in mirror-font.

    2. Re: If they have physical access by Comrade+Ogilvy · · Score: 3, Funny

      Quadruple rot-13 for me. Just try to crack that!

    3. Re: If they have physical access by Falos · · Score: 1

      It's a lot of work, but because of the exponentially increasing permutation span you're 26^4 = 456,976 times safer.

      That's a lot. That many drops of water could fill a soccer field of congress.

  3. Faster attack when you have physical access by bob4u2c · · Score: 2

    Pull the hard drive, take home and decrypt at will. No known software or hardware patches have been released to fix this issue.

    1. Re:Faster attack when you have physical access by iggymanz · · Score: 4, Informative

      Can't break some of the encrypted filesystems, so instead I recommend on-site penetration of the system with the operator who knows the password and the $1 wrench from a dollar store. We found there is no need for the $5 wrench.

    2. Re:Faster attack when you have physical access by Calydor · · Score: 1

      Not very stealthy, though.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    3. Re:Faster attack when you have physical access by bob4u2c · · Score: 1

      Most on-site systems (i.e. desktops) don't have encrypted hard drives. In companies that do encrypt the drive, they almost always have physical restrictions in place. Even an encrypted hard drive can be cracked, it just takes time. And if I have the drive I can take as long as I want, hours, days, months, years, it just depends on what I think is on it and how much time I'm willing to invest. Now laptops are a different story, but if the IT team really cared about the data then you load the laptop to use a remote VPN connection back to a VM in a corporate data center; once the laptop is turned off (or taken, in some cases) the connection is cut and the thief has a generic laptop with no sensitive data. If you really wanted the laptop back you also load phone-home software that first finds the route out to some site like Google, then e-mails that data back to some e-mail address on a regular basis. So now you can track down the ISP or locations it connects to the internet with and enlist the ISP or coffee shop in finding the thief. But yes, usually a $1 wrench works wonders in decrypting things.

    4. Re:Faster attack when you have physical access by HornWumpus · · Score: 1

      It was a drive failure! The mirror worked fine and it's back to two already.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    5. Re:Faster attack when you have physical access by Lost+Race · · Score: 1

      Even an encrypted hard drive can be cracked, it just takes time. And if I have the drive I can take as long as I want, hours, days, months, years, it just depends on what I think is on it and how much time I'm willing to invest.

      All the computers in the world can't crack AES-128 in your lifetime.

    6. Re: Faster attack when you have physical access by Anonymous Coward · · Score: 1

      Pffft - it *could* guess right on the first try !

    7. Re:Faster attack when you have physical access by mark-t · · Score: 1

      Locking the case closed comes to mind as one preventative measure.

    8. Re:Faster attack when you have physical access by phantomfive · · Score: 1

      Is it really that easy to decrypt a hard drive?

      --
      "First they came for the slanderers and i said nothing."
    9. Re: Faster attack when you have physical access by c6gunner · · Score: 1

      No. He has no clue what he's talking about. Sure, if your password is "qwerty123" I can decrypt your drive in a reasonable amount of time. If you have a decent password, though, it's going to take long enough that we will both be dead and buried well before my successors manage to unearth your porn stash.

    10. Re:Faster attack when you have physical access by thegarbz · · Score: 1

      Pull the hard drive, take home and decrypt at will

      If you have the encryption key to the drive I assume you probably have all the other login details as well.

    11. Re:Faster attack when you have physical access by iggymanz · · Score: 1

      nonsense, cracking the neural net that can mount the filesystem is a trivial and quick application of intimidation and/or torture

  4. In other news... by tomxor · · Score: 1

    ... When doused in petrol and lit on fire, all computers BURN. Thanks captain fucking obvious.

  5. Very little info by Thyamine · · Score: 1

    There is really almost no info here, so not much of an article. I suppose it is implying that you can do this attack when someone walks away, and when they return they are none the wiser. Or at worst think their laptop rebooted for some reason.

    --
    I will shred my adversaries. Pull their eyes out just enough to turn them towards their mewing, mutilated faces. Illyria
    1. Re:Very little info by omnichad · · Score: 1

      Or at worst think their laptop rebooted for some reason.

      And if it's Windows 10, there will be no suspicion at all.

  6. Re: Physical access to PC by kelemvor4 · · Score: 5, Informative

    It involves cooling the RAM chips with some kind of refrigerant spray. So yeah, you need the computer you do this with to be right in front of you and powered on and logged into at least once by some user with a key you want.

    Full disk encryption is what this attack defeats. Full disk encryption is really ONLY useful to stop someone with physical control of the computer from accessing your data. Also, the details I read made this sound like a relatively easy attack to implement if you've prepped your work area reasonably. Consider that anyone doing this has already stolen a computer - perhaps by breaking into a home or business. Then they must have a computer with valuable enough data to bother going after it. They aren't going to be going after my PC, and probably not yours. Maybe a politician, banker, or someone with proprietary corporate secrets... say a Fortune 500 exec. For that kind of value as a target, this is a simple attack - compared to other attacks that might be used on high-value targets.

  7. Re:I always just shut down by HornWumpus · · Score: 1

    Send a 'Drunken, tell off the boss' email from your biggest problem's desk. While they are at lunch, but late enough they could have come back looped.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  8. Re: Physical access to PC by omnichad · · Score: 2

    So an extra-cold boot, then.

  9. Re: Physical access to PC by Excelcia · · Score: 1

    This attack does not defeat full disk encryption. It allows access to your encryption keys if and only if the hard drive is already unlocked.

    Saying this is a vulnerability is like saying that all safes have a vulnerability that when they are unlocked, anyone with physical access to it can get everything that's inside and, moreover, they can also with special equipment get access to the tumblers to determine what the combination was and even change it.

    This is not a "simple" attack. It requires basically physically stealing the computer after it has been booted up and the encryption key password entered. So it's really a special case of rubber hose cryptography (threatening the person until they give up a password).

    To protect yourself from this "vulnerability" you simply need to ensure that when you stop using the safe you close it and lock it. Or, in other words, turn off your computer. Modern RAM will be degraded to the point where the key is unusable after about five seconds.

  10. Re:How come I have it on my Ryzen 3 2200G then? by WorBlux · · Score: 1

    You need the SEV instruction/extensions specifically.

  11. Re: Physical access to PC by BenJohnsonZdfjhu · · Score: 1

    This could be easily fixed if the BIOS wiped/tested the whole RAM after reboot. If I remember correctly, it might be as easy as adding a small module to the BIOS.

  12. Re: Physical access to PC by c6gunner · · Score: 1

    Any hardware disk encryption, and any use of a security module like a TPM chip, will keep the decryption key out of RAM even for the one minute the system may be vulnerable.

    This is either incorrect or only partially correct. Hardware encrypted drives (at least the FIPS certified ones we use at work) are unlocked once and then remain unlocked as long as there is power to the system. Insert a USB stick, force a reboot, boot off the USB stick, and you have full access to the drive.

    I'm not sure if the encryption keys are stored in RAM or in volatile memory on the drive itself, so sure, you may not be able to get the keys. But you can still clone the drive, so not having the keys is pretty irrelevant.

    Long story short: even with hardware encryption, shut the damn thing down when you're not using it.

  13. Re:I always just shut down by HornWumpus · · Score: 1

    What kind of fool doesn't know where the cameras are? What kind of hell hole are you working at?

    Here: Boss would have called 'shenanigans', but played along for a little while, to get people to lock their desktops. Later that same day. Unless he found the person actually drunk.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  14. Re: Physical access to PC by piojo · · Score: 3, Informative

    You haven't considered the case of "suspend", which the summary mentioned. When a laptop is suspended (and I think most are when they're not in use), encrypted disks are unlocked. And desktops are often left on when not in use. I think the GP is accurate: this attack defeats full disk encryption for most users.

    --
    A cat can't teach a dog to bark.
  15. Is this really a surprise for anyone? by Aromipesa · · Score: 1

    There really is no way to protect yourself if you let someone have 5 minutes alone with your system, especially while it's still on.

  16. If a hacker gains physical access... by BoFo · · Score: 1

    all bets are off.

  17. Re: Physical access to PC by piojo · · Score: 1

    Again, you are ignoring the extremely common case of suspend. If the computer has been opened up after being suspended, it is fully logged in and running. That lock screen you see is just a UI. It is not indicative of the computer's state. (It would be possible to unmount encrypted storage during suspend, but I don't think any popular OS does that. Might as well just hibernate instead.)

    --
    A cat can't teach a dog to bark.