A New Form of Cold Boot Attacks

By Robert Gray:

Security researchers at F-Secure have developed a new method to extract encryption keys or other sensitive data in memory from a laptop in sleep mode if an attacker can gain physical access to it.

A quick explanation of how this type of cold boot attack works.

A “cold reboot” occurs when a computer is improperly shut down.  When that happens, the contents of the system RAM briefly remain after power is lost and might be readable when the system boots back up.  In response to this security issue, computer manufacturers programmed the BIOS to overwrite the RAM early in the boot process.  This new issue comes in how this fix was implemented.  The BIOS stores a value in flash storage to determine whether it needs to wipe the RAM on the next boot, but that value can be set by the operating system or through hardware tweaking.  An attacker can then boot the system from a USB drive and read the contents of memory.

This attack is theoretically possible against any Windows-based computer or any Apple computer released prior to 2018 that an attacker can gain physical access to.  Microsoft’s current recommendation is for anyone using encryption to use Hibernate mode instead of Suspend mode for keeping a laptop in sleep, as Hibernate wipes any encryption keys from RAM.  A more complete fix will require hardware and BIOS changes and likely will not be available for a while.