Almost 'All Modern Computers' Affected By Cold Boot Attack, Researchers Warn (cnet.com)
Security researchers have discovered a flaw with nearly all modern computers that allows potential hackers to steal sensitive information from your locked devices. CNET adds: The attack only takes about five minutes to pull off, if the hacker has physical access to the computer, F-Secure principal security consultant Olle Segerdahl said in a statement Thursday. Cold boot attacks can steal data on a computer's RAM, where sensitive information is briefly stored after a forced reboot. These attacks have been known since 2008, and most computers today have a safety measure that removes the data stored on RAM to prevent hackers from stealing sensitive information. It's also not a common threat for the average person, since both access to the computer and special tools -- like a program on a USB stick -- are needed to carry out the attack. But Segerdahl and researchers from F-Secure said they've found a way to disable that safety measure and extract data using cold boot attacks. [Further reading: ZDNet] "It takes some extra steps compared to the classic cold boot attack, but it's effective against all the modern laptops we've tested," he said in a statement. Per F-Secure, there is no patch to address the new vulnerability just yet. For now, the firm recommends that you make tweaks to your system settings so that your computer automatically shuts down or hibernates instead of entering sleep mode when you close your screen.
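The summary's only mitigation is a settings change: hibernate or power off on lid close instead of sleeping, because sleep keeps RAM powered and the disk encryption keys resident. The script below is an added example (not from the article, F-Secure, or any commenter) that audits and rewrites the lid-close policy of a Linux laptop running systemd-logind. The option names `HandleLidSwitch`, `HandleLidSwitchExternalPower` and `HandleLidSwitchDocked` are real logind.conf keys; the sample configuration text is constructed, and the assumption that `hibernate` and `poweroff` are the only acceptable actions is mine.

```python
"""Audit and harden the lid-close policy in a systemd-logind configuration.

Added example, not code from the article or the thread. Sleep (suspend)
leaves RAM powered with full-disk-encryption keys resident; hibernate and
poweroff do not. Sample config text below is constructed.
"""
import re
from typing import Dict, Tuple

# Real logind.conf keys from the [Login] section. The Docked and
# ExternalPower variants apply instead of the base key in those states.
LID_KEYS = ("HandleLidSwitch", "HandleLidSwitchExternalPower", "HandleLidSwitchDocked")
# logind's built-in defaults when a key is absent or commented out.
# None means "inherit HandleLidSwitch".
DEFAULTS = {"HandleLidSwitch": "suspend",
            "HandleLidSwitchExternalPower": None,
            "HandleLidSwitchDocked": "ignore"}
# Actions that cut power to RAM (assumption: only these count as safe here).
SAFE = {"hibernate", "poweroff"}

SECTION_RE = re.compile(r"\[(.+)\]")

# Constructed sample of a stock /etc/systemd/logind.conf: lid close sleeps.
WEAK_CONF = """\
# constructed sample of /etc/systemd/logind.conf
[Login]
#HandleLidSwitch=suspend
HandleLidSwitchDocked=ignore
IdleAction=ignore
"""


def parse_logind(text: str) -> Dict[str, str]:
    """Return key=value pairs from the [Login] section, skipping comments."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.fullmatch(line)
        if m:
            section = m.group(1)
            continue
        if section == "Login" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values


def audit_lid(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each lid key to (effective action, 'ok' or 'weak')."""
    values = parse_logind(text)
    base = values.get("HandleLidSwitch", DEFAULTS["HandleLidSwitch"])
    report = {}
    for key in LID_KEYS:
        action = values.get(key, DEFAULTS[key] or base)
        report[key] = (action, "ok" if action in SAFE else "weak")
    return report


def lid_is_hardened(text: str) -> bool:
    """True when every lid-close case powers RAM down."""
    return all(verdict == "ok" for _, verdict in audit_lid(text).values())


def harden_lid(text: str, action: str = "hibernate") -> str:
    """Set all three lid keys in [Login] to `action`, uncommenting or adding them."""
    out, in_login, seen, saw_login = [], False, set(), False
    for line in text.splitlines():
        stripped = line.strip()
        if SECTION_RE.fullmatch(stripped):
            if in_login:  # leaving [Login]: add any key not yet written
                out.extend(f"{k}={action}" for k in LID_KEYS if k not in seen)
            in_login = stripped == "[Login]"
            saw_login = saw_login or in_login
            out.append(line)
            continue
        key = stripped.lstrip("#;").split("=", 1)[0].strip()
        if in_login and key in LID_KEYS:
            out.append(f"{key}={action}")  # also uncomments '#HandleLidSwitch=...'
            seen.add(key)
            continue
        out.append(line)
    if in_login:  # file ended inside [Login]
        out.extend(f"{k}={action}" for k in LID_KEYS if k not in seen)
    if not saw_login:
        out.append("[Login]")
        out.extend(f"{k}={action}" for k in LID_KEYS)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, (action, verdict) in audit_lid(WEAK_CONF).items():
        print(f"{key:30} {action:10} {verdict}")
    print(harden_lid(WEAK_CONF))
```

The rewritten text is meant for `/etc/systemd/logind.conf`; logind only picks it up after the service is restarted, and hibernate needs a resume device configured or the system will simply fail to sleep.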
Re: Physical access to PC (Score:5, Informative)
It involves cooling the RAM chips with some kind of refrigerant spray. So yeah, you need the computer you do this with to be right in front of you and powered on and logged into at least once by some user with a key you want.
Full disk encryption is what this attack defeats. Full disk encryption is really ONLY useful to stop someone with physical control of the computer from accessing your data. Also, the details I read made this sound like a relatively easy attack to implement if you've prepped your work area reasonably. Consider that anyone doing this has already stolen a computer - perhaps by breaking into a home or business. Then they must have a computer with valuable enough data to bother going after it. They aren't going to be going after my pc, and probably not yours. Maybe a politician, banker, or someone with proprietary corporate secrets.. say a fortune 500 exec. For that kind of value as a target, this is a simple attack - compared to other attacks that might be used on high-value targets.
Re: (Score:1)
This attack does not defeat full disk encryption. It allows access to your encryption keys if and only if the hard drive is already unlocked.
Saying this is a vulnerability is like saying that all safes have a vulnerability that when they are unlocked, anyone with physical access to it can get everything that's inside and, moreover, they can also with special equipment get access to the tumblers to determine what the combination was and even change it.
This is not a "simple" attack. It requires basically ph
Re: Physical access to PC (Score:4, Informative)
You haven't considered the case of "suspend", which the summary mentioned. When a laptop is suspended (and I think most are when they're not in use), encrypted disks are unlocked. And desktops are often left on when not in use. I think the GP is accurate: this attack defeats full disk encryption for most users.
Re: (Score:2)
Again, you are ignoring the extremely common case of suspend. If the computer has been opened up after being suspended, it is fully logged in and running. That lock screen you see is just a UI. It is not indicative of the computer's state. (It would be possible to unmount encrypted storage during suspend, but I don't think any popular OS does that. Might as well just hibernate instead.)
Re: Physical access to PC (Score:2)
Any hardware disk encryption, and any use of a security module like a TPM chip, will keep the decryption key out of RAM even for the one minute the system may be vulnerable.
This is either incorrect or only partially correct. Hardware encrypted drives (at least the FIPS certified ones we use at work) are unlocked once and then remain unlocked as long as there is power to the system. Insert a USB stick, force a reboot, boot off the USB stick, and you have full access to the drive.
I'm not sure if the encryption keys are stored in RAM or in volatile memory on the drive itself, so sure, you may not be able to get the keys. But you can still clone the drive, so not having the key
Re: (Score:1)
This could be easily fixed if the BIOS wiped/tested the whole RAM after reboot. If I remember correctly, it might be as easy as adding a small module to the BIOS.
Re: (Score:3)
So an extra-cold boot, then.
Why did I bother reading this? (Score:5, Informative)
Re: (Score:3)
We have known about this for over a decade and AMD systems are now immune.
AMD introduced encrypted RAM last year. RAM is encrypted with a random key generated at boot time with only a 1-2% performance hit. The key cannot be recovered and is regenerated on reboot. In fact VMs can all have their own keys if you like.
Naturally cold boot attacks become useless on such systems.
Re: (Score:3, Interesting)
Only AMD Servers, EPYC CPUs. And those are what? 1% of systems?
Those servers are usually in datacenters or at least locked server rooms. They aren't at risk in any way here from cold boot attacks in a meaningful way.
The article writes about notebooks. No AMD notebook CPU anywhere encrypts its RAM. All AMD notebooks are vulnerable, just like all notebooks with CPUs from other vendors.
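The two posts above disagree about which AMD systems actually have encrypted RAM, and the practical question for a defender is whether a given host has the feature active rather than merely present on the part. The script below is an added example (not from the thread or from AMD): it reads the `sme`, `sev` and `sev_es` flags from `/proc/cpuinfo`, which Linux reports on supporting CPUs, and then looks in the kernel log for the line the kernel prints when memory encryption is enabled. The wording of that log line (`Memory Encryption Features active: ... SME`) is my assumption from kernel sources of that period; the cpuinfo and dmesg samples are constructed.

```python
"""Distinguish 'CPU supports SME' from 'SME is active' on an AMD Linux host.

Added example, not code from the thread. Samples are constructed.
Support alone does not protect RAM: the kernel must enable encryption
(e.g. boot parameter mem_encrypt=on), and SEV is a separate, per-VM feature.
"""
import os
import re
import subprocess
from typing import Dict

# Constructed /proc/cpuinfo excerpts. The real file repeats 'flags' per CPU.
CPUINFO_EPYC = "flags\t\t: fpu vme de pse tsc msr pae sme sev sev_es\n"
CPUINFO_LAPTOP = "flags\t\t: fpu vme de pse tsc msr pae\n"

# Constructed kernel log excerpts; the 'active' line format is an assumption.
DMESG_ACTIVE = "[    0.000000] AMD Memory Encryption Features active: SME\n"
DMESG_INACTIVE = "[    0.000000] Linux version 5.x (constructed sample)\n"

ACTIVE_RE = re.compile(r"Memory Encryption Features active:.*\bSME\b")


def cpu_supports(cpuinfo: str) -> Dict[str, bool]:
    """Collect the memory-encryption feature flags from cpuinfo text."""
    flags = set()
    for line in cpuinfo.splitlines():
        if line.startswith("flags"):
            flags.update(line.split(":", 1)[1].split())
    return {"sme": "sme" in flags, "sev": "sev" in flags, "sev_es": "sev_es" in flags}


def sme_active(dmesg: str) -> bool:
    """True if the kernel reported SME as active at boot."""
    return any(ACTIVE_RE.search(line) for line in dmesg.splitlines())


def assess(cpuinfo: str, dmesg: str) -> str:
    """Classify a host: 'unsupported', 'supported-but-inactive', or 'active'."""
    if not cpu_supports(cpuinfo)["sme"]:
        return "unsupported"            # RAM contents are in the clear
    if not sme_active(dmesg):
        return "supported-but-inactive"  # kernel did not enable it
    return "active"                      # cold-boot memory image is ciphertext


def assess_host() -> str:
    """Run the check on the local machine; dmesg may need privileges."""
    cpuinfo = open("/proc/cpuinfo").read() if os.path.exists("/proc/cpuinfo") else ""
    try:
        dmesg = subprocess.run(["dmesg"], capture_output=True, text=True, check=False).stdout
    except OSError:
        dmesg = ""
    return assess(cpuinfo, dmesg)


if __name__ == "__main__":
    print("epyc/active:", assess(CPUINFO_EPYC, DMESG_ACTIVE))
    print("epyc/inactive:", assess(CPUINFO_EPYC, DMESG_INACTIVE))
    print("laptop:", assess(CPUINFO_LAPTOP, DMESG_ACTIVE))
    print("this host:", assess_host())
```

A host that reports `supported-but-inactive` is no better off against a cold boot than one with no SME at all, which is the point the replies make about laptops and about needing the feature, not just the vendor.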
Re: (Score:2)
You need the SEV instruction/extensions specifically.
Re: (Score:2)
where is that key stored in a running system?
Re: (Score:3)
A secure part of the CPU that doesn't support read-back. The register is write-only.
Re: (Score:3)
It is not a cold (re)boot anyway, it is a warm boot.
In a cold boot power is disconnected from the main board and the ram loses all its data.
Kids these days ...
Re: (Score:2)
I found the VM part has recently been cracked, though, with a technique called SEVered by researchers at Fraunhofer AISEC.
Re: (Score:2)
Yeah, that is what basically every competent IT security person says and has been saying for years. This is just some people trying to grab attention.
Re: (Score:2)
If I have 5 min alone with a system, it's mine.
This is why you bothered reading it. If you know how to defeat full disk encryption on a locked but powered-on computer and extract data in 5 minutes, then chances are you learnt that by reading about attacks requiring physical access for 5 minutes.
Re: (Score:2)
Because with a locked disk-encrypted system, that's no longer true without this attack. Hasn't been for a long time.
Re: (Score:2)
How will you defeat hard disk encryption?
If they have physical access (Score:5, Insightful)
Re: (Score:2)
It's okay, I wrote them all in mirror-font.
Re: If they have physical access (Score:4, Funny)
Quadruple rot-13 for me. Just try to crack that!
Re: (Score:2)
It's a lot of work, but because of the exponentially increasing permutation span you're 26^4 = 456,976 times safer.
That's a lot. That many drops of water could fill a soccer field of congress.
Faster attack when you have physical access (Score:3)
Re:Faster attack when you have physical access (Score:5, Informative)
can't break some of the encrypted filesystems, so instead I recommend on-site penetration of the system with operator who knows the password and the $1 wrench from a dollar store. We found there is no need for the $5 wrench.
Even an encrypted hard drive can be cracked, it just takes time. And if I have the drive I can take as long as I want, hours, days, months, years, it just depends on what I think is on it and how much time I'm willing to invest.
All the computers in the world can't crack AES-128 in your lifetime.
Re: Faster attack when you have physical access (Score:1)
Pffft - it *could* guess right on the first try !
Re: (Score:2)
Nonsense, cracking the neural net that can mount the filesystem is a trivial and quick application of intimidation and/or torture.
Re: (Score:2)
Not very stealthy, though.
Re: (Score:2)
It was a drive failure! The mirror worked fine and it's back to two already.
Re: Faster attack when you have physical access (Score:2)
No. He has no clue what he's talking about. Sure, if your password is "qwerty123" I can decrypt your drive in a reasonable amount of time. If you have a decent password, though, it's going to take long enough that we will both be dead and buried well before my successors manage to unearth your porn stash.
Re: (Score:2)
Pull the hard drive, take it home and decrypt at will.
If you have the encryption key to the drive I assume you probably have all the other login details as well.
In other news... (Score:2)
Re: (Score:2)
Send a 'Drunken, tell off the boss' email from your biggest problem's desk. While they are at lunch, but late enough they could have come back looped.
Re: (Score:2)
What kind of fool doesn't know where the cameras are? What kind of hell hole are you working at?
Here: Boss would have called 'shenanigans', but played along for a little while, to get people to lock their desktops. Later that same day. Unless he found person actually drunk.
Very little info (Score:2)
Re: (Score:2)
Or at worst think their laptop rebooted for some reason.
And if it's Windows 10, there will be no suspicion at all.
Is this really a surprise for anyone? (Score:1)
If a hacker gains physical access... (Score:1)