The attack bypasses BIOS mitigations for cold-boot compromise on models from Apple, Dell, Lenovo and all others made in the last 10 years.
A pair of researchers have developed an attack method that can bypass mitigations for cold-boot attacks on laptops. A physical attacker can compromise a laptop that’s in sleep mode, potentially lifting sensitive passwords, encryption keys and other information.
The ramifications are, on the surface, vast – given that the attack will work on any laptop manufactured in the last decade, including models from Apple, Dell and Lenovo, and even if there’s full disk encryption on the device. However, putting the attack together is a rather involved process, which fortunately raises the barrier to exploitation.
Even so, “sleep mode is vulnerable mode,” said a security consultant in a Thursday posting on the attack.
“It’s not exactly easy to do, but it’s not a hard-enough issue to find and exploit for us to ignore the probability that some attackers have already figured this out,” he said. “It’s not exactly the kind of thing that attackers looking for easy targets will use. But it is the kind of thing that attackers looking for bigger phish, like a bank or large enterprise, will know how to use.”
Cold Boot: A Chilling Attack
Cold-boot attacks were pioneered 10 years ago by researchers; they found that when a platform reboots or shuts down, there’s a short timeframe during which an attacker can turn off or reboot the platform, and quickly turn it back on to boot into a program that dumps the contents of memory. Thus, encryption keys and other secrets can be easily compromised.
SCS swiftly issued a fix, which has been implemented into computers wholesale ever since: On the next platform reboot, the BIOS simply overwrites the system memory with information unrelated to any secrets that may be exposed.
“We have now discovered a way to disable this overwrite feature using a hardware-based attack that rewrites the memory chip that contains the settings, paving the way for cold-boot attacks to be carried out by booting a special program off a USB stick,” the researchers wrote.
How-To: The Bypass Attack
To re-enable the original cold-boot attacks despite the TCG protections, the researchers used physical access to modify the system firmware/firmware settings.
“This lets us bypass the TCG memory overwrite mitigation and any password protected configuration options such as allowed external boot devices.”
To carry out the attack, an adversary would boot Windows with BitLocker (or steal a powered-on device) and then put the computer to sleep; he or she could then use physical access to set the NVRAM variable “MemoryOverwriteRequest” to zero (the NVRAM “BootOrder” variable can also be modified here to allow booting from external media, if necessary).
After a machine reset, the attacker would then boot from external media and use crafted software to scan the device’s memory for the BitLocker key. It’s then possible to boot Linux and use the open-source “dislocker” package to mount the BitLocker volume using the key, to read or modify any data on that protected volume.
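The two settings in the steps above are ordinary UEFI variables, so a defender can audit them rather than wait for the symptom. The following Python check is an added example, not code from the researchers or from any vendor; it assumes the Linux efivars layout (a 4-byte attribute header followed by the variable payload) and the standard UEFI variable names MemoryOverwriteRequestControl (the TCG MOR variable the article refers to as “MemoryOverwriteRequest”) and BootOrder. The sample bytes are constructed for the demonstration.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

# Linux exposes each UEFI variable as /sys/firmware/efi/efivars/<Name>-<GUID>:
# a little-endian uint32 attribute bitmask, then the raw variable data.

@dataclass
class EfiVar:
    attributes: int
    data: bytes

def parse_efivar(raw: bytes) -> EfiVar:
    """Split an efivars file image into its attribute word and payload."""
    if len(raw) < 4:
        raise ValueError("efivars entry shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return EfiVar(attrs, raw[4:])

def mor_requests_overwrite(var: EfiVar) -> bool:
    """TCG MOR semantics: bit 0 of the one-byte payload asks firmware to wipe
    RAM on the next reset. A cleared byte (the attack's setting) means no wipe."""
    return len(var.data) >= 1 and bool(var.data[0] & 0x1)

def boot_order(var: EfiVar) -> list[int]:
    """BootOrder is a packed list of little-endian uint16 Boot#### indices."""
    if len(var.data) % 2:
        raise ValueError("BootOrder payload length is not a multiple of 2")
    return list(struct.unpack(f"<{len(var.data) // 2}H", var.data))

def assess(mor_raw: bytes, bootorder_raw: bytes, internal_entries: set[int]) -> list[str]:
    """Return findings that match the two modifications described in the article:
    MOR cleared, and/or an external entry moved to the front of BootOrder."""
    findings: list[str] = []
    if not mor_requests_overwrite(parse_efivar(mor_raw)):
        findings.append("MemoryOverwriteRequestControl is 0: RAM will not be wiped on reset")
    order = boot_order(parse_efivar(bootorder_raw))
    if order and order[0] not in internal_entries:
        findings.append(f"first boot entry Boot{order[0]:04X} is not an internal disk")
    return findings

# Constructed samples: attributes NV|BS|RT (0x07), then the payload.
HEALTHY_MOR = b"\x07\x00\x00\x00\x01"          # MOR bit set: wipe requested
TAMPERED_MOR = b"\x07\x00\x00\x00\x00"         # MOR cleared, as in the attack
HEALTHY_BOOTORDER = b"\x07\x00\x00\x00\x01\x00"          # Boot0001 first
TAMPERED_BOOTORDER = b"\x07\x00\x00\x00\x03\x00\x01\x00"  # Boot0003 (USB) first
INTERNAL_DISK_ENTRIES = {0x0001}

if __name__ == "__main__":
    for name, mor, order in (("healthy", HEALTHY_MOR, HEALTHY_BOOTORDER),
                             ("tampered", TAMPERED_MOR, TAMPERED_BOOTORDER)):
        print(name, assess(mor, order, INTERNAL_DISK_ENTRIES) or ["no findings"])
```

On a live system the same functions can be fed the contents of the corresponding efivars files; a change in either finding between two boots is the signal worth alerting on.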
Carrying this out requires a special tool for the physical access step, “which is basically any microcontroller – which can be used to interface to the SPI flash chip [using an SOIC-8 ‘chip-clip’ on the target motherboard],” he said. “We used an Arduino Nano that we built from scratch to rewrite the NVRAM.”
Using this technique, any modern device using BitLocker can be unlocked by extracting AES keys from RAM. Even a device configured with pre-boot authentication is vulnerable if it’s found in a booted or sleep state.
But that’s not all: “Cold-boot attacks are a known method of obtaining encryption keys from devices (BitLocker, FileVault2, LUKS, etc.),” he said. “But the reality is that attackers can get their hands on all kinds of information using these attacks.”
Passwords, credentials to corporate networks and any data stored on the machine is at risk.
“The obvious target is disk encryption keys since these give access to all information stored on the protected volume,” he said. “You can of course steal passwords from memory, but more likely you will be able to steal passwords and VPN credentials from the encrypted disk or plant a backdoor on the encrypted disk that allows you to log in and use the machine (including any configured VPN connections).”
There’s no easy fix available to vendors, and any coordinated response will take time. So, the mitigations are mainly on the end-user side for now.
“Microsoft updated their guidance on BitLocker countermeasures,” he said. “And according to Apple, Macs equipped with an Apple T2 Chip contain security measures designed to protect devices from attacks like [ours]. Apple also recommends users set a firmware password to help harden Macs without a T2 chip.”
Interestingly, hibernating machines are not at risk.
“When a computer goes into hibernation, it moves everything from the RAM to the encrypted hard drive and securely deletes the encryption keys from memory,” he said. “As there are no secrets left in the RAM, there is nothing for an attacker to steal. Laptops forced to hibernate/shut down after a certain period of time and require the BitLocker PIN to be entered when leaving hibernate (or powered on) are therefore going to be the most resilient to the attack.”
Companies, meanwhile, can configure laptops “so that an attacker using a cold-boot attack won’t find anything to steal,” he said. Mainly, this is done by IT, which can configure all company computers to either shut down or hibernate (not enter sleep mode) and require users to enter their BitLocker PIN whenever they power up or restore their computers.
“An attacker could still perform a successful cold boot attack against machines configured like this,” he said. “But encryption keys aren’t stored in the RAM when a machine hibernates or shuts down. So, there’s no valuable info for an attacker to steal.”