The Cold Book Attack was resurrected last week by some researchers at f-secure https://press.f-secure.com/2018/09/13/firmware-weakness-in-modern-laptops-exposes-encryption-keys/ . I would like to provide some context for both the exploit and the mitigations because the cold boot attack is just the tip of the iceberg. But first, if you don’t want to know the details, there are steps that organizations can take to protect against Cold Boot attacks on PC’s and Macs when using SecureDoc including:
- Ensure pre-boot authentication (PBA) is on (Do not use static auto-boot).
- Disable sleep and force computers to shut down or hibernate before leaving a laptop unattended.
Now to the context; from https://en.wikipedia.org/wiki/Cold_boot_attack, “In cryptography, a cold boot attack (or to a lesser extent, a platform reset attack) is a type of side channel attack in which an attacker with physical access to a computer is able to retrieve encryption keys from a running operating system after using a cold reboot to restart the machine. The attack relies on the data remanence property of DRAM and SRAM to retrieve memory contents that remain readable in the seconds to minutes after power has been removed.”
The Cold Boot attack is an old attack going back a decade or more. I know because it was already a known attack when we wrote a paper on how to protect against a variant, the Cooled Ram attack, was published in 2008. Microsoft have said the Cooled RAM attack is not relevant anymore because it is too difficult to remove memory chips in modern computers to access the contents which remain intact longer when cooled. Similarly, the Cold Boot attack, at Microsoft’s prompting, was addressed in the computers BIOS to plug the hole for BitLocker. A modern computer that uses BitLocker and is configured to TPM-Autoboot ,as Microsoft promotes for usability, will have the keys automatically loaded into memory without user authentication if an attacker finds it, and just turns it on. The well-known historical Cold Boot attack was for the attacker to boot into a USB memory stick by causing a power reset and then scrape the BitLocker keys from the memory (the memory still has the keys because of the data remanence property of DRAM and SRAM that memory contents that remain readable in the seconds to minutes after power has been removed). To defend against malicious reset attacks, BitLocker leverages the TCG Reset Attack Mitigation, also known as MOR bit (Memory Overwrite Request). With this BIOS feature on, if Windows crashes or shuts down abnormally, or is platform reset with the BitLocker keys still in memory, the BIOS will overwrite the keys before allowing the USB to boot. That way they will not be in memory for the attacker’s software to find them.
The problem is that the f-secure exploit disables that protection: “The attack exploits the fact that the firmware settings governing the behavior of the boot process are not protected against manipulation by a physical attacker. Using a simple hardware tool, an attacker can rewrite the non-volatile memory chip that contains these settings, disable memory overwriting, and enable booting from external devices. The cold boot attack can then be carried out by booting a special program off a USB stick.”
In short the Cold Boot Attack is Back!
In my view the core of the problem is NOT the firmware and hardware platforms’ implementation of the TCG Reset Attack Mitigation, but the very idea that keys be loaded automatically into memory without authentication. This new attack is just more proof that Microsoft’s argument that PBA is not needed on modern computers because all the holes have been plugged is erroneous. Once the key is in memory, the security of the system is reliant on the operating environment which includes the OS, OS-present software, firmware and hardware which is a huge attack surface, and provides orders of magnitude less protection than an encrypted system with proper PBA in place.
Unlike BitLocker, user-based pre-boot authentication has been baked into SecureDoc from the very beginning. There is no undue impact on usability or operational costs like there is to enable device PIN authentication in BitLocker. In fact, with SecureDoc managing BitLocker encryption, organizations can continue to use BitLocker but get the compliance and security benefits of user-based PBA.