Many people assume that if they use full disk encryption on their laptops, the information is going to stay safe. Even if the device falls into the wrong hands. But two F-Secure security consultants sent chills down the spines of CISOs, PC vendors and the security community a few weeks ago when they revealed a flaw in modern computers that exposes them to cold boot attacks.
Here’s F-Secure’s Olle Segerdahl and Pasi Saarinen exploiting the flaw during a live demonstration at SEC-T in Sweden.Download Poster
“Sleep mode is vulnerable mode,” is Olle’s advice.
When a computer goes to sleep, information stays in the random-access memory (RAM), including sensitive information like encryption keys. A successful cold boot attack could see an adversary extract this information from a sleeping computer.
Once an attacker has encryption keys, it’s only a matter of time until they hack their way into the device. And for many organizations, this puts information like account credentials at risk, giving attackers the keys to the proverbial kingdom.
Hibernation + pre-boot authentication is the best protection against cold boot attacks. No keys in memory to steal!
— email@example.com (@nxsolle) September 4, 2018
According to Olle and Pasi, the best defense against this is to configure devices to require pre-boot authentication (entering a password or PIN to decrypt the device’s hard drive before the operating system loads), and then fully power down devices when you’re not using them. Companies should implement this advice by configuring their computers to hibernate after a period of inactivity and require the pre-boot password or PIN to be entered when starting the device. Microsoft has provided updated guidance on this issue here.
Where in the World is Hibernate Mode?
There’s some caveats before you rush out and try to follow Olle’s advice. For starters, the home edition of Windows 10 doesn’t have an option to set a Bitlocker PIN. Anyone that thinks a hacker might physically steal their personal laptop to steal data should upgrade to Windows 10 Pro.
But the main concern is if organizations will make the effort to protect their laptops from these attacks.
“This mitigation actually requires that you have an IT department that’s aware of this issue and a business that can actually take the decision to inconvenience users with having to remember yet another password to be able to boot up the machine, right? And for, for these reasons, that it inconveniences users and that you actually have to have to have an IT department that manages devices actively, this is probably only going to happen in a corporate environment with high security requirements, let’s put it that way,” Olle told Cyber Security Sauna host Janne Kauhanen.
F-Secure Security Advisor Sean Sullivan thinks that companies should follow F-Secure’s example by configuring laptops to include hibernate as a shut down option so that employees know it’s available. Information on how to do this is available on Microsoft’s website.
“Hibernate isn’t actually a default option in Windows 10’s shut down menu. Power users might figure out how to use it, but I doubt your average business traveler will know,” says Sean. “Olle’s research prompted our CISO’s office and IT department to evaluate our laptops default power settings and improve them. It’s the kind of small proactive change that can contribute to better security hygiene without causing much inconvenience, so we recommend other companies do the same with their own laptops, especially for organizations with employees that frequently travel with their work computers.”
Olle also recommends organizations have an incident response plan to address lost/stolen devices, and inform employees how to keep their laptops physically secure (see F-Secures’ Guide to Evil Maid Attacks for more information on protecting laptops from physical attacks).