The Chilling Reality of Cold Boot Attacks

Threats & Research

Reading time: 6 min
  • Blog post
  • Adam Pilkey
  • 2018
  • Detect and respond to attacks

What do you do when you finish working with your laptop? Do you turn it off? Put it to sleep? Just close the lid and walk away?

Many people might not realize that what they do when leaving their laptop unattended, even a laptop with full disk encryption, can cause serious security headaches.

“Sleep mode is vulnerable mode,” says F-Secure Principal Security Consultant Olle Segerdahl.

Olle and his fellow cyber security consultant Pasi Saarinen recently discovered a new way to physically attack PCs. According to their research, the method works against nearly all modern computers, including laptops from some of the world’s biggest vendors like Dell, Lenovo, and even Apple.

And because these computers are everywhere, Olle and Pasi are sharing their research with companies like Microsoft, Apple and Intel, but also the public. The pair are presenting their research at the SEC-T conference in Sweden on September 13, and at Microsoft’s BlueHat v18 in the US on September 27.

You can watch their SEC-T talk to get all the details, or read on if you want to know what all the fuss is about!

Basically, Olle and Pasi discovered a weakness in how computers protect their firmware settings. The researchers say that an attacker with physical access to a targeted computer can exploit this weakness to perform a successful cold boot attack, stealing encryption keys and other sensitive information straight out of memory.

Cold boot attacks aren’t new. They were first demonstrated by a research group at Princeton back in 2008. Those researchers found that the contents of a computer’s memory (RAM) don’t vanish the instant power is cut; they fade over a period of seconds, longer if the chips are cooled. So if a computer is reset without following the proper procedure (what’s known as a cold/hard reboot) and immediately booted into attacker-controlled code, whatever the previous operating system left in RAM, encryption keys included, can be read out.

Because cold boot attacks are nothing new, safeguards have been developed to make them less effective. One, specified by the Trusted Computing Group (TCG), is the Memory Overwrite Request (MOR): while secrets are in RAM the operating system sets a flag in the firmware’s non-volatile settings, and on the next boot the firmware overwrites the contents of RAM before handing control to any bootloader, so a memory-dumping tool booted from USB finds nothing useful.

And that’s where Olle and Pasi’s research comes in. The two experts figured out a way to disable this overwrite by physically manipulating the computer’s hardware. Using a simple tool, Olle and Pasi learned how to rewrite the non-volatile memory chip that holds these firmware settings, clear the memory-overwrite flag, and enable booting from external devices. A cold boot attack can then be carried out by power-cycling the machine and booting a memory-dumping program off a USB stick.

Cold boot attacks are a known method of obtaining encryption keys from devices. But the reality is that attackers can get their hands on all kinds of information using these attacks. Passwords, credentials to corporate networks, and any data stored on the machine are at risk.
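To make concrete how encryption keys are pulled out of a raw memory dump, here is an added example written for this page; it is not the F-Secure researchers’ tooling, nor the 2008 research group’s code. It plants an AES-128 key schedule in a constructed 8 KB “memory image” and then finds it the way the 2008 research did: every 16-byte window is tried as a candidate key, and a window whose AES key expansion matches the bytes that follow it is a key. The function names, the sample image and the planted offset are this example’s own assumptions (the key is the FIPS-197 test vector). It goes a little beyond the text by also showing the two things that can defeat the search: decayed bits, tolerated up to a limit, and a region the firmware has already overwritten with zeros, which is what the TCG mitigation discussed above is meant to leave behind.

```python
import random

# AES-128 key schedule (FIPS-197 section 5.2), written out here so the example is self-contained.

def _gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def _build_sbox():
    """S-box = affine transform of the GF(2^8) multiplicative inverse (no 256-entry table to mistype)."""
    sbox = [0] * 256
    for x in range(256):
        inv = 1 if x else 0
        for _ in range(254 if x else 0):      # x^254 == x^-1 in GF(2^8); inv(0) is defined as 0
            inv = _gf_mul(inv, x)
        b = inv
        for s in (1, 2, 3, 4):                # b ^= rotl8(inv, s)
            b ^= ((inv << s) | (inv >> (8 - s))) & 0xFF
        sbox[x] = b ^ 0x63
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def _next_round_key(prev, rcon):
    """Derive round key i+1 from round key i: RotWord, SubWord, Rcon, then chained XORs."""
    w = [prev[j:j + 4] for j in range(0, 16, 4)]
    t = bytes([SBOX[w[3][1]] ^ rcon, SBOX[w[3][2]], SBOX[w[3][3]], SBOX[w[3][0]]])
    out = []
    for word in w:
        t = bytes(a ^ b for a, b in zip(word, t))
        out.append(t)
    return b"".join(out)

def expand_key(key):
    """Full AES-128 schedule: 11 round keys, 176 bytes, the shape most implementations keep in RAM."""
    sched = bytes(key)
    for rcon in RCON:
        sched += _next_round_key(sched[-16:], rcon)
    return sched

def _hamming(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def find_aes128_keys(image, max_bit_errors=0):
    """Scan a memory image for AES-128 key schedules, the way the 2008 cold boot research did.

    Every offset is tried as a 16-byte candidate key: its first derived round key is compared with
    the bytes that follow in memory, and only near matches get the full 176-byte check.
    max_bit_errors tolerates DRAM decay in the derived round keys (a simplified form of the
    original error-tolerant search); decay inside the 16 key bytes themselves is not corrected.
    Returns [(offset, key), ...].
    """
    hits = []
    for off in range(len(image) - 176 + 1):
        cand = image[off:off + 16]
        if _hamming(_next_round_key(cand, RCON[0]), image[off + 16:off + 32]) > max_bit_errors:
            continue
        if _hamming(expand_key(cand), image[off:off + 176]) <= max_bit_errors:
            hits.append((off, bytes(cand)))
    return hits

# Constructed sample data (not a real dump): random "RAM" with a key schedule planted in it.

def make_memory_image(key, offset, size=8192, seed=1):
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    image[offset:offset + 176] = expand_key(key)
    return bytes(image)

def flip_bits(image, bit_positions):
    """Simulate DRAM decay by flipping the given absolute bit positions."""
    image = bytearray(image)
    for bit in bit_positions:
        image[bit // 8] ^= 1 << (bit % 8)
    return bytes(image)

def zero_region(image, offset, length):
    """What the TCG memory overwrite leaves behind: the region is cleared before anything can boot."""
    image = bytearray(image)
    image[offset:offset + length] = bytes(length)
    return bytes(image)

if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 appendix A.1 test key
    at = 0x0C00                                               # assumed location of the schedule
    img = make_memory_image(key, at)
    print("intact    :", [(hex(o), k.hex()) for o, k in find_aes128_keys(img)])
    # three decayed bits in round keys 1, 6 and 10 (none inside the 16 key bytes)
    decayed = flip_bits(img, [(at + 20) * 8 + 3, (at + 100) * 8 + 6, (at + 170) * 8])
    print("decayed   :", find_aes128_keys(decayed), "->", find_aes128_keys(decayed, max_bit_errors=4))
    print("overwritten:", find_aes128_keys(zero_region(img, at, 176)))
```

The pre-check on one derived round key is what keeps a byte-by-byte scan affordable; a real dump is gigabytes rather than 8 KB, and the 2008 tools add AES-256 and RSA schedules plus proper correction of errors in the key bytes themselves, but the search principle is the one shown here. The last case is the point of the TCG overwrite: once the firmware has cleared the region, the candidate windows are zeros or unrelated data and nothing expands consistently.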


And it gets worse…

While cold boot attacks aren’t exactly simple to carry out and require the right tools, as well as physical access to the device, they are a known technique among hackers. And since Olle and Pasi’s attack can be effective against nearly all modern laptops, it means hackers have a consistent, reliable way to compromise their targets.

“It’s not exactly easy to do, but it’s not a hard enough issue to find and exploit for us to ignore the probability that some attackers have already figured this out,” says Olle. “It’s not exactly the kind of thing that attackers looking for easy targets will use. But it is the kind of thing that attackers looking for bigger phish, like a bank or large enterprise, will know how to use.”

And Olle thinks there’s no easy fix available to PC vendors, so it’s something companies and end users will have to deal with on their own.

…but it’s not all bad news

Olle and Pasi shared their research with Microsoft, Intel, and Apple. All three companies are exploring possible mitigation strategies they can provide. Olle and Pasi also helped Microsoft update its guidance on BitLocker countermeasures. And according to Apple, Macs equipped with an Apple T2 chip contain security measures designed to protect devices from attacks like Olle and Pasi’s. Apple also recommends that users set a firmware password to help harden Macs without a T2 chip.

In the end, Olle says it’s up to device manufacturers to strengthen the security of desktops and laptops to help protect them from attacks like these. But he also acknowledges this is not going to be easy. And it’s not going to be fast.

“When you think about all the different computers from all the different companies and combine that with the challenges of convincing people to update, it’s a really difficult problem to solve easily. It will take the kind of coordinated industry response that doesn’t happen overnight,” explains Olle. “In the meantime, companies will need to manage on their own.”

Companies will struggle to find a reliable way to prevent or block the cold boot attack once an attacker with the right know-how gets their hands on a laptop. But companies can configure laptops so that an attacker using a cold boot attack won’t find anything to steal.

Olle and Pasi recommend that IT departments configure all company computers to either shut down or hibernate (not enter sleep mode) and require users to enter their BitLocker PIN whenever they power up or restore their computers. The distinction matters: sleep keeps RAM powered, with the disk encryption keys still sitting in it, whereas hibernation writes memory out to the (encrypted) disk and cuts power to RAM. This is especially important for company executives (or other employees with access to sensitive info) and employees who travel (who are more likely to leave their laptops in hotel rooms, taxi cabs, restaurants, or airports).

An attacker could still perform a cold boot attack against machines configured like this. But a machine that has hibernated or shut down has no encryption keys left in RAM, and with a BitLocker PIN required at startup the keys aren’t loaded again until someone authenticates. So there’s no valuable info for an attacker to steal.

Other security measures include raising awareness about the attack among companies and workers.

“Sometimes the most important way to tackle a security problem is to simply let people know it exists. A little awareness building can work wonders,” says Olle.

Finally, Olle advises companies to have an incident response plan ready and rehearsed to deal with lost or stolen computers.

“A quick response that invalidates access credentials will make stolen laptops less valuable to attackers. IT security and incident response teams should rehearse this scenario and make sure that the company’s workforce knows to notify IT immediately if a device is lost or stolen,” explains Olle. “Planning for these events is a better practice than assuming devices cannot be physically compromised by hackers because that’s obviously not the case.”
