Cold boot attack can expose encryption keys, data on laptops

Security researchers at F-Secure have uncovered a decade-old attack that exploits firmware weaknesses in laptops to expose encryption keys and sensitive data. 

Many enterprises deploy whole disk encryption to protect data stored on laptops, in case the devices are lost or stolen. 

The attack, dubbed Cold boot, requires physical access by the attacker, but F-Secure security experts warn PC vendors that current security safeguards are not sufficient to protect data stored on lost or stolen laptops.

F-Secure describes the Cold boot attack: 

“The weakness allows attackers with physical access to a computer to perform a cold boot attack – an attack that’s been known to hackers since 2008. Cold boot attacks involve rebooting a computer without following a proper shutdown process, then recovering data that remains briefly accessible in the RAM after the power is lost.

“Modern laptops now overwrite RAM specifically to prevent attackers from using cold boot attacks to steal data. However, Segerdahl and his team discovered a way to disable the overwrite process and re-enable the decade-old cold boot attack.”

F-Secure says that there are “no easy fixes” for the issues, but the research has been shared with Intel, Microsoft and Apple to help improve the security of vendor products. 

The company also recommends organizations have a solid incident response plan for when devices are lost or stolen.

For instance, IT departments should invalidate access credentials for users who have lost their laptops. Users should also report incidents of lost/stolen laptops as soon as possible. 

“Planning for these events is a better practice than assuming devices cannot be physically compromised by hackers because that’s obviously not the case,” said security consultant Olle Segerdahl from F-Secure.