Security firm F-Secure has discovered a new firmware security flaw that puts the data present in ‘nearly all’ modern PCs and Macs at risk. The report pointed out that this affects even devices that come with disk encryption, and that malicious parties can use the attack to steal “sensitive data” in minutes. The company pointed out that none of the firmware-based security measures present in these devices “does a good enough job” of protecting the important data. The important thing to note here is that both Windows and Mac users are at risk, indicating that this flaw is not OS or ecosystem specific.
According to a detailed report by TechCrunch, the company pointed out that this new attack builds on the existing cold boot attack, something that is well known amongst hackers. For the uninitiated, this is a type of attack where a hacker with physical access to a computing device can get their hands on the encryption keys of the operating system running the device by using a ‘cold boot’ to restart it. A ‘cold boot’ is where the system starts from a powerless state.
The report pointed out that current-generation computers overwrite the system memory while shutting down, scrambling the memory contents so that they can’t be read. But researchers have found a way to disable the overwriting process. This re-enables the cold boot attack: the hacker disables the overwriting process, shuts down the computing device, and then restarts it to get access to the encryption keys and the sensitive data stored in the system.
Researchers pointed out that the attack “takes some extra steps” but the security flaw is “easy to exploit” to such an extent that they would be surprised if hacking groups are not already using the attack. This attack renders the disk encryption provided by BitLocker and FileVault useless in most cases. The report pointed out that it took researchers a few hours to build a “proof-of-concept” tool to disable the memory overwriting in the firmware.
Once the memory overwriting was disabled, researchers scanned for disk encryption keys to mount the protected volume. This can allow a hacker to steal passwords, network credentials, and anything else that is present in the memory. The report pointed out that Windows users using a startup PIN with BitLocker and Mac users with the T2 chip are not affected by the cold boot attack.
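Since the report singles out a BitLocker startup PIN as the Windows configuration that is not affected, an administrator may want to check which machines actually have one. The following is an added example, not code from the article or from F-Secure; it assumes the Windows BitLocker PowerShell module and an elevated session for live data, and the function name `Get-StartupPinStatus` and the fallback sample volumes are constructed for illustration.

```powershell
# Added example: report whether OS volumes require a BitLocker startup PIN.
# Live data needs an elevated session on Windows with the BitLocker module.

function Get-StartupPinStatus {
    param([Parameter(Mandatory, ValueFromPipeline)] $Volume)
    process {
        # Key protector types that demand a PIN before the OS boots.
        $pinTypes = 'TpmPin', 'TpmPinStartupKey'
        $types  = @($Volume.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $hasPin = @($types | Where-Object { $pinTypes -contains $_ }).Count -gt 0
        $status = [string]$Volume.ProtectionStatus

        if ($status -ne 'On') {
            $finding = 'BitLocker protection is not on'
        } elseif ($hasPin) {
            $finding = 'Startup PIN required'
        } else {
            $finding = 'No startup PIN protector'
        }

        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Protection = $status
            Protectors = $types -join ', '
            StartupPin = $hasPin
            Finding    = $finding
        }
    }
}

if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    # Real volumes: only the operating system volume is unlocked at boot.
    $volumes = Get-BitLockerVolume |
        Where-Object { [string]$_.VolumeType -eq 'OperatingSystem' }
} else {
    # Constructed sample objects so the logic can be exercised off-box.
    $volumes = @(
        [pscustomobject]@{ MountPoint = 'C:'; ProtectionStatus = 'On'
            KeyProtector = @(@{ KeyProtectorType = 'Tpm' }, @{ KeyProtectorType = 'RecoveryPassword' }) },
        [pscustomobject]@{ MountPoint = 'D:'; ProtectionStatus = 'On'
            KeyProtector = @(@{ KeyProtectorType = 'TpmPin' }, @{ KeyProtectorType = 'RecoveryPassword' }) },
        [pscustomobject]@{ MountPoint = 'E:'; ProtectionStatus = 'Off'; KeyProtector = @() }
    )
}

$volumes | Get-StartupPinStatus | Format-Table -AutoSize
```

With the constructed samples, `C:` is reported as having no startup PIN protector, `D:` as requiring a startup PIN, and `E:` as unprotected.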
However, both Microsoft and Apple minimized the risk, while Intel had not issued any response. Microsoft added that users should prevent unauthorized physical access to their device, while Apple was looking at measures to prevent this attack in Macs without the T2 chip. Researchers stated that Microsoft can’t do much about the situation as the problem lies in the firmware and not Windows itself.