Sunday, 21 April 2019

F-Secure finds firmware weakness in laptops

16 September 2018

Security researchers will detail today a new variation of a cold boot attack that can meddle with a computer's firmware to disable security measures and allow an attacker to recover sensitive data stored on that computer, such as passwords, corporate files, and more.

The attack only takes about five minutes to pull off, if the hacker has physical access to the computer, F-Secure principal security consultant Olle Segerdahl said in a statement. "And when you have a security issue found in devices from major PC vendors, like the weakness my team has learned to exploit, you need to assume that a lot of companies have a weak link in their security that they're not fully aware of or prepared to deal with".

Even if your computer's disk is encrypted with Microsoft BitLocker or Apple's FileVault, an attacker could perform this new type of cold-boot attack and search your RAM for the disk-encryption keys.

Cold-boot attacks were first developed a decade ago, and computer manufacturers now include a memory-overwrite process that, in theory, thwarts any memory-access attempt.

Modern laptops overwrite RAM specifically to prevent attackers from using this method to steal data.

But the F-Secure researchers found a way to bypass that memory overwrite by additionally attacking the BIOS/UEFI firmware that boots the machine and overwrites the memory. Freezing the RAM chips helps preserve the data during this time, allowing the attacker to boot into a live operating system from a USB stick.

"The attack exploits the fact that the firmware settings governing the behaviour of the boot process are not protected against manipulation by a physical attacker", F-Secure wrote in a blog post.

"It takes some extra steps compared to the classic cold boot attack, but it's effective against all the modern laptops they've tested".

"It's not exactly the kind of thing that attackers looking for easy targets will use", Segerdahl said. "But it is the kind of thing that attackers looking for bigger phish, like a bank or large enterprise, will know how to use", he added.

Plan ahead: "A quick response that invalidates access credentials will make stolen laptops less valuable to attackers". "There's no easy fix for this issue either, so it's a risk that companies are going to have to address on their own".

F-Secure shared its research with Microsoft, Intel, and Apple.

In the meantime, Olle and Pasi recommend that system administrators and IT departments configure all company computers to either shut down or hibernate (not enter sleep mode) and require users to enter their BitLocker PIN whenever they power up or restore their computers. "This is especially important for company executives (or other employees with access to sensitive info) and employees that travel (who are more likely to leave their laptops in hotel rooms, taxi cabs, restaurants, or airports)".
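
The two settings recommended above can be audited from command output collected on each laptop. This is an added example, not code from F-Secure or the original article; it assumes English-locale output of `manage-bde -protectors -get C:` and `powercfg /query SCHEME_CURRENT SUB_BUTTONS LIDACTION`, and the sample text embedded in it is constructed.

```python
import re

# Constructed sample (English locale) of: manage-bde -protectors -get C:
SAMPLE_PROTECTORS = """\
Volume C: [OS]
All Key Protectors

    Numerical Password:
      ID: {00000000-0000-0000-0000-000000000001}

    TPM:
      ID: {00000000-0000-0000-0000-000000000002}
"""

# Constructed sample of: powercfg /query SCHEME_CURRENT SUB_BUTTONS LIDACTION
SAMPLE_LID = """\
    Power Setting GUID: 5ca83367-6e45-459f-a27b-476b1d01c936  (Lid close action)
    Current AC Power Setting Index: 0x00000001
    Current DC Power Setting Index: 0x00000002
"""

LID_ACTIONS = {0: "do nothing", 1: "sleep", 2: "hibernate", 3: "shut down"}
SAFE_ACTIONS = {2, 3}  # hibernate or shut down, per the recommendation above

def tpm_protectors(text):
    """Headings of TPM-based key protectors, e.g. 'TPM' or 'TPM And PIN'."""
    return re.findall(r"^[ \t]+(TPM[A-Za-z ]*):[ \t]*$", text, re.M)

def lid_settings(text):
    """Map power source ('AC'/'DC') to the configured lid-close action index."""
    pairs = re.findall(r"Current (AC|DC) Power Setting Index: (0x[0-9a-fA-F]+)", text)
    return {source: int(value, 16) for source, value in pairs}

def audit(protectors_text, lid_text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    tpm = tpm_protectors(protectors_text)
    if not any("PIN" in heading.split() for heading in tpm):
        findings.append(f"no pre-boot PIN protector (TPM protectors: {tpm or 'none'})")
    for source, action in sorted(lid_settings(lid_text).items()):
        if action not in SAFE_ACTIONS:
            name = LID_ACTIONS.get(action, hex(action))
            findings.append(f"lid close on {source} is '{name}', not hibernate/shut down")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROTECTORS, SAMPLE_LID):
        print("FAIL:", finding)
```

Lid close is only one route into sleep; idle timeouts and the power button need the same review.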