According to security firm F-Secure, nearly every computer is vulnerable to this type of attack. This type of side-channel compromise requires physical access to the computer, which makes it practical against high-value targets rather than regular users.
These attacks have been known since 2008, and most computers today include a safety measure that removes the data stored in RAM to prevent hackers from stealing sensitive information.
Finnish cyber-security company F-Secure has discovered a flaw in almost all modern desktops and laptops that allows hackers to potentially steal sensitive information from your locked devices.
But the F-Secure researchers found a way to bypass that memory overwrite by additionally attacking the BIOS/UEFI firmware that boots the machine and overwrites the memory. They claim to have found a firmware vulnerability that can potentially let hackers with physical access to a computer turn off data overwriting.
Relying on computer memory's remanence behavior, security researchers figured out a way to extract sensitive data from RAM, such as encryption keys, even after the loss of power. It added, "Using a simple hardware tool, an attacker can rewrite the non-volatile memory chip that contains these settings, disable memory overwriting, and enable booting from external devices". The cold boot attack can then be carried out by booting a special program off a USB stick.
"It's not exactly easy to do, but it's not a hard enough issue to find and exploit for us to ignore the probability that some attackers have already figured this out", said F-Secure Principal Security Consultant Olle Segerdahl, one of the researchers.
Modern laptops overwrite RAM specifically to prevent attackers from using this method to steal data.
The research has been shared with Intel, Microsoft and Apple to help the industry improve the security of current and future products.
F-Secure's researchers presented their findings at a conference in Sweden on Thursday, and are set to present them again at Microsoft's security conference on September 27. However, security company F-Secure discovered that isn't good enough.
Their attack works on computers in sleep mode, since shutdown and hibernation cut off the power and cause the residual memory contents to quickly degrade beyond recovery. One way to mitigate the attack is to configure laptops to automatically shut down or hibernate instead of entering sleep mode, and to require users to enter the BitLocker PIN any time Windows boots up or restores. Educating workers, especially executives and employees who travel, about cold boot attacks and similar threats is also important.
The researchers said that they have warned major companies such as Microsoft, Apple, and Intel about their latest findings.
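The mitigation described above (hibernate or shut down instead of sleep, plus a BitLocker PIN at every boot or resume from hibernation) can be checked on a Windows laptop with a short audit script. This is an added example, not code from F-Secure or from the original article; the function name `Get-PowerSettingIndex` is hypothetical, and the script assumes an elevated PowerShell prompt and English-language `powercfg` output.

```powershell
# Added example: audit one laptop against the cold boot mitigations in the article.
# Assumptions: elevated prompt, English powercfg output, BitLocker cmdlets installed.

function Get-PowerSettingIndex {
    param([string]$SubGroup, [string]$Setting)
    # powercfg prints lines such as "Current AC Power Setting Index: 0x00000001".
    $result = @{}
    foreach ($line in (powercfg /query SCHEME_CURRENT $SubGroup $Setting)) {
        if ($line -match 'Current (AC|DC) Power Setting Index:\s+0x([0-9a-fA-F]+)') {
            $result[$Matches[1]] = [Convert]::ToInt32($Matches[2], 16)
        }
    }
    return $result
}

$findings = @()

# Lid close action: 0 = do nothing, 1 = sleep, 2 = hibernate, 3 = shut down.
$lid = Get-PowerSettingIndex SUB_BUTTONS LIDACTION
foreach ($src in $lid.Keys) {
    if ($lid[$src] -eq 1) {
        $findings += "Lid close on $src power enters sleep; use hibernate (2) or shut down (3)."
    }
}

# Idle-to-sleep timer in seconds: 0 means the machine never sleeps on idle.
$idle = Get-PowerSettingIndex SUB_SLEEP STANDBYIDLE
foreach ($src in $idle.Keys) {
    if ($idle[$src] -ne 0) {
        $findings += "Idle sleep timer on $src power is $($idle[$src]) s; RAM stays powered in sleep."
    }
}

# BitLocker: the OS volume must be protected and must have a TPM+PIN protector,
# otherwise the disk unlocks without any user input when the machine boots.
$vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
if ($vol.ProtectionStatus -ne 'On') {
    $findings += "BitLocker protection is not on for $env:SystemDrive."
}
if (-not ($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey' })) {
    $findings += "No TPM+PIN protector on $env:SystemDrive (found: $($types -join ', '))."
}

if ($findings.Count -eq 0) { 'No sleep or pre-boot PIN gaps found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

The script only reports. Power buttons and the Start menu sleep option are separate settings that it does not inspect.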