The first cold-boot attack was developed a decade ago.
Look at that laptop over there, lid closed and sleeping soundly.
The attack works against nearly all Macs and Windows PCs and requires several minutes of physical access to a machine left in sleep mode, which maintains enough power to keep data from the most recent active session "alive" in system memory.
All cold boot attacks require physical access and special hardware tooling to perform, and are generally not considered a threat vector for normal users, but only for computers storing highly-sensitive information, or for high-value individuals such as government officials or businessmen.
One of the protection measures deployed by hardware manufacturers is to overwrite the contents of RAM when a computer targeted by a cold boot attack is switched back on.
The specification is called TCG Reset Attack Mitigation or MORLock (Memory Overwrite Request Control). F-Secure's Olle Segerdahl and Pasi Saarinen found a way to rewrite the non-volatile memory chip that contains the security settings, thus disabling memory overwriting. With overwriting disabled, the attack can grab the encryption keys from memory, which then gives the attacker access to the data stored on your encrypted drives.
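A defender-side check of the overwrite-on-reset setting described above, as an added example that is not from F-Secure or the original article: it decodes the two UEFI variables behind Memory Overwrite Request and its lock as Linux exposes them through efivarfs. The efivarfs path, the function names and the sample byte strings are assumptions constructed for illustration; the variable names and GUIDs are those of the TCG specification.

```python
from pathlib import Path

# Variable names and GUIDs as defined by the TCG Platform Reset Attack
# Mitigation spec; the Linux efivarfs mount point is an assumption.
EFIVARS = Path("/sys/firmware/efi/efivars")
MOR_VAR = "MemoryOverwriteRequestControl-e20939be-32d4-41be-a150-897f85d49829"
LOCK_VAR = "MemoryOverwriteRequestControlLock-bb983ccf-151d-40e1-a07b-4a17be168292"
LOCK_STATES = {0: "unlocked", 1: "locked", 2: "locked-with-key"}

def read_var(name):
    """Return the raw efivarfs bytes, or None if missing or unreadable."""
    try:
        return (EFIVARS / name).read_bytes()
    except OSError:
        return None

def payload(raw):
    """efivarfs puts a 4-byte attribute word in front of the variable data."""
    return raw[4:] if raw and len(raw) > 4 else None

def assess(mor_raw, lock_raw):
    """Decode both variables and list what weakens the overwrite-on-reset defence."""
    mor, lock = payload(mor_raw), payload(lock_raw)
    findings = []
    if mor is None:
        findings.append("MOR variable absent: firmware does not offer memory overwrite")
    elif not mor[0] & 0x01:
        findings.append("MOR bit 0 clear: no RAM wipe requested for the next reset")
    if lock is None:
        findings.append("MORLock variable absent: firmware does not implement the lock")
    elif lock[0] == 0:
        findings.append("MORLock unlocked: software can still clear the MOR bit")
    return {
        "wipe_requested": bool(mor and mor[0] & 0x01),
        "lock": LOCK_STATES.get(lock[0], "unknown") if lock else "absent",
        "findings": findings,
    }

# Constructed sample values: attributes 0x07 (NV|BS|RT) followed by one data byte.
SAMPLE_MOR_SET = b"\x07\x00\x00\x00\x01"
SAMPLE_MOR_CLEAR = b"\x07\x00\x00\x00\x00"
SAMPLE_LOCKED = b"\x07\x00\x00\x00\x01"
SAMPLE_UNLOCKED = b"\x07\x00\x00\x00\x00"

if __name__ == "__main__":
    print("sample:", assess(SAMPLE_MOR_CLEAR, SAMPLE_UNLOCKED))
    print("this host:", assess(read_var(MOR_VAR), read_var(LOCK_VAR)))
```

Reading efivarfs may require root. Because the attack described here rewrites the firmware settings themselves, a clean result is a configuration baseline rather than proof that the machine is immune.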
F-Secure advises everyone to always either shut down or hibernate their laptop, never just place it in sleep mode.
"Typically, organisations aren't prepared to protect themselves from an attacker that has physical possession of a company computer", said F-Secure principal security consultant Olle Segerdahl.
Microsoft said it's updated its software to stop the attack.
"It's not exactly the kind of thing that attackers looking for easy targets will use", Segerdahl said. While a stolen machine is still in sleep mode, it is possible to reprogram the firmware's settings to disable this memory zeroing, and then reboot the machine into a custom operating system on a USB stick or similar that scans the RAM for any sensitive information.
"Encryption keys aren't stored in the RAM when a machine hibernates or shuts down". Adding pre-boot authentication makes the defense even stronger.
Apple told TechCrunch that it is working on "measures to protect Macs that don't come with [a] T2 chip", which have a new level of security that fully prevents this type of attack. A full set of countermeasures is available here. Sweden, and will be presented again September 27 at the BlueHat security conference on the Microsoft main campus in Redmond, Washington.
Apple responded by pointing to the latest generation of Macs, which have the T2 chip that does the encryption separately from the CPU and makes such an attack harder to execute.