The cybersecurity industry is all abuzz over a recently discovered and very scary exploit, a new and devastating Cold Boot vulnerability. Cold Boot attacks occur when sensitive data is left sitting in a computer’s RAM for a cyber attacker to copy because the machine wasn’t shut down properly, such as through an ACPI cold boot or a hard shutdown after the system powers off. Now a new cold boot exploit has been found, and people are understandably concerned. There’s good news and bad news about it.
Don’t you want to read the good news first? Here it is. Cold Boot attacks have been largely prevented through security hardening since their initial discovery in 2008. Most PCs that OEMs have produced since then are careful to remove data from RAM during the shutdown process. And in order for a cyber attacker to exploit this recently discovered Cold Boot vulnerability, they need physical access to the target machine and about five minutes to perform the attack. So this attack cannot be conducted over the internet and the cyber attacker can’t do it instantaneously. There’s a bit of a time window to catch them in the process.
Now’s the time for me to be a Debbie Downer. Here’s the bad news. This newly discovered vulnerability affects the majority of PCs, including those produced after 2008. It even affects PCs that have been produced this year. Most modern laptops are vulnerable, including models from Lenovo, Dell, and even Apple. Laptops from HP, Toshiba, Sony, and many other popular OEMs are probably affected too. The only recent MacBooks and iMacs that are safe from the recently discovered exploit are those with a T2 chip. According to Apple, iMac Pros and MacBook Pros from 2018 have the T2 chip. If your Apple Mac model doesn’t have “Pro” in its name, or if it does have “Pro” in its name but predates 2018, it’s probably still Cold Boot vulnerable. The data that a cyber attacker can acquire from an affected Windows OEM PC’s or Mac’s RAM could contain very, very sensitive information, such as authentication data and cryptographic keys – even if you encrypt your hard drive through your operating system. That sort of data can be used by a cyber attacker to help establish administrative access to your computer and possibly to your local network as well. There are many possibilities for destruction if that sort of data falls into the wrong hands. A cyber attacker with physical access to your machine can acquire the data if you have only put it into sleep mode. Only a full shutdown or hibernate may be safe. The security hardening performed since 2008 really only works reliably after a full shutdown or hibernation. That’s the big, scary news in a nutshell.
“It’s not exactly easy to do, but it’s not a hard enough issue to find and exploit for us to ignore the probability that some attackers have already figured this out. It’s not exactly the kind of thing that attackers looking for easy targets will use. But it is the kind of thing that attackers looking for bigger phish, like a bank or large enterprise, will know how to use.”
Security hardening against this exploit is going to be really tricky, a major uphill battle. There’s no patch so far. Segerdahl added:
“When you think about all the different computers from all the different companies and combine that with the challenges of convincing people to update, it’s a really difficult problem to solve easily. It will take the kind of coordinated industry response that doesn’t happen overnight. In the meantime, companies will need to manage on their own.”
Until a patch can be deployed, security researchers recommend that all affected PCs be put into hibernate or shut down when unattended by the user. Windows users should be required to enter their BitLocker PIN when they boot or restart their PCs. Microsoft has a page with a list of BitLocker countermeasures that can be deployed to make Windows PCs a little more secure.
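As an added example (my own script, not from the article, from Microsoft, or from the researchers), here is a PowerShell audit that checks a Windows host for the countermeasures this paragraph names: a BitLocker pre-boot PIN, and hibernate or shutdown rather than sleep when the lid is closed. It assumes Windows 8 / Server 2012 or later with the built-in BitLocker module, an elevated session, and that the OS volume is the system drive. The `Get-LidCloseAction` helper, the `Test-ColdBootMitigations` function, the “Sleep/Hibernate” labels and the field names of the report are this example’s own choices; the `powercfg`, `manage-bde` and registry locations it reads are standard Windows ones.

```powershell
#Requires -RunAsAdministrator
# Added audit script (not part of the article). It only reads state and
# reports; the commands in its Recommendations are what an admin would run.

function Get-LidCloseAction {
    # Reads the lid-close action of the active power scheme via powercfg's
    # built-in aliases (SUB_BUTTONS / LIDACTION) and labels the index per source.
    $raw = (& powercfg.exe /query SCHEME_CURRENT SUB_BUTTONS LIDACTION) -join "`n"
    $labels = @{ 0 = 'Do nothing'; 1 = 'Sleep'; 2 = 'Hibernate'; 3 = 'Shut down' }
    $result = @{}
    foreach ($src in 'AC', 'DC') {
        if ($raw -match "Current $src Power Setting Index:\s*0x([0-9a-fA-F]+)") {
            $result[$src] = $labels[[int]('0x' + $Matches[1])]
        }
    }
    return $result
}

function Test-ColdBootMitigations {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)   # OS volume, e.g. "C:"

    # 1. BitLocker state of the OS volume and whether a TPM+PIN protector exists.
    #    With TPM-only protection the volume key is unsealed with no user input at
    #    boot, which is the window a cold boot attack on RAM takes advantage of.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $hasPin = [bool]($protectorTypes | Where-Object { $_ -in @('TpmPin', 'TpmPinStartupKey') })

    # 2. Group Policy "Require additional authentication at startup":
    #    UseTPMPIN = 1 means a startup PIN is required (2 = allowed, 0 = not allowed).
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $pinRequired = ($null -ne $fve -and $fve.UseTPMPIN -eq 1)

    # 3. Hibernation has to be enabled before "hibernate instead of sleep" is possible.
    $power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
    $hibernateOn = ($null -ne $power -and $power.HibernateEnabled -eq 1)

    # 4. What closing the lid actually does under the current power plan.
    $lid = Get-LidCloseAction

    $recommendations = New-Object System.Collections.Generic.List[string]
    if ($vol.ProtectionStatus -ne 'On') {
        $recommendations.Add("Enable BitLocker on $MountPoint.")
    }
    if (-not $hasPin) {
        $recommendations.Add("Add a TPM+PIN protector: manage-bde -protectors -add $MountPoint -TPMAndPIN")
    }
    if (-not $pinRequired) {
        $recommendations.Add('Set policy "Require additional authentication at startup" to require a startup PIN.')
    }
    if (-not $hibernateOn) {
        $recommendations.Add('Enable hibernation: powercfg /hibernate on')
    }
    foreach ($src in $lid.Keys) {
        if ($lid[$src] -eq 'Sleep') {
            $flag = if ($src -eq 'AC') { '/setacvalueindex' } else { '/setdcvalueindex' }
            $recommendations.Add("Lid close on $src is Sleep; switch it to Hibernate: powercfg $flag SCHEME_CURRENT SUB_BUTTONS LIDACTION 2")
        }
    }

    [pscustomobject]@{
        Volume            = $MountPoint
        Encrypted         = ($vol.ProtectionStatus -eq 'On')
        Protectors        = $protectorTypes
        PreBootPin        = $hasPin
        PinRequiredPolicy = $pinRequired
        HibernateEnabled  = $hibernateOn
        LidCloseAction    = $lid
        Recommendations   = $recommendations
    }
}

Test-ColdBootMitigations | Format-List
```

Run it in an elevated PowerShell window; a host that follows the paragraph’s advice shows `PreBootPin` and `HibernateEnabled` as `True`, a lid-close action of `Hibernate` for both AC and DC, and an empty `Recommendations` list. Adding a TPM+PIN protector with `manage-bde` only succeeds once the policy in step 2 allows or requires a PIN, which is why the script checks both.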
Olle Segerdahl presented these worrisome findings during a Swedish conference on September 13th. More information may be presented at Microsoft’s security conference on September 27th.