Cold boot attacks have been around since 2008 and involve stealing information stored on a computer that hasn’t been shut down properly, or has been left in a vulnerable sleeping state. They rely on data being left in memory, which has been guarded against more recently by ensuring the contents of RAM are overwritten when powering a machine back up. However, security company F-Secure discovered that isn’t good enough.
If a hacker gains physical access to your laptop, then with the right tools even a fully-encrypted machine can be accessed and all the data stored on it stolen. F-Secure produced a video demonstrating the attack on real hardware.
It is quite an involved process, but only takes a few minutes to achieve if you know what you’re doing. If a laptop has been stolen then the hacker has more than enough time to find a safe location and perform the attack. This new variation on the attack works by manipulating the firmware settings: overwriting the non-volatile memory chip that triggers the RAM content to be flushed, and allowing booting from an external drive such as a USB stick.
Encryption keys and other sensitive information can then be stolen from memory and full access gained to the system. Most laptops are susceptible to such an attack, but the good news is you can prevent it from happening by taking the appropriate steps to leave your laptop in a safe state.
F-Secure advises everyone to always either shut down or hibernate their laptop, never just place it in sleep mode. Why hibernate instead of sleep? Because encryption keys aren’t stored in memory that way.
Security PIN entry on reboot is also a useful mitigation technique, and this can easily be enabled if, for example, you have BitLocker installed. At the same time, Microsoft, Apple, and Intel are working on new ways to stop this attack from being possible, with Apple stating the T2 Chip used in its new laptops already contains security measures to counter cold boot attacks.
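
The two mitigations above (hibernate instead of sleep, and a pre-boot PIN) can be checked and applied on a Windows laptop from an elevated PowerShell prompt. This is an added example, not F-Secure's or Microsoft's own tooling; the function names are hypothetical, and it assumes the BitLocker PowerShell module is present and the operating system volume is the one to check.

```powershell
# Added example, not F-Secure's tooling. Run from an elevated PowerShell prompt.

function Get-PreBootPinStatus {
    param([string]$MountPoint = $env:SystemDrive)
    # Key protectors decide what must be present before the volume key is released.
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = $types -join ', '
        # The TpmPin protector types wait for a PIN before releasing the key.
        PinRequired      = [bool]($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey' })
        # A plain Tpm protector releases the key at power-on with no PIN.
        TpmOnlyPresent   = $types -contains 'Tpm'
    }
}

function Set-HibernateInsteadOfSleep {
    # Make sure the hibernation file exists so hibernate is available.
    powercfg /hibernate on
    # Never enter standby on idle (0 = disabled), on AC or on battery.
    powercfg /change standby-timeout-ac 0
    powercfg /change standby-timeout-dc 0
    # Lid close, power button and sleep button: 2 = hibernate (1 would be sleep).
    foreach ($button in 'LIDACTION', 'PBUTTONACTION', 'SBUTTONACTION') {
        powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS $button 2
        powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS $button 2
    }
    # Re-apply the active scheme so the new indexes take effect.
    powercfg /setactive SCHEME_CURRENT
}

$status = Get-PreBootPinStatus
$status | Format-List
if (-not $status.PinRequired) {
    Write-Warning "No pre-boot PIN on $($status.MountPoint): no PIN is asked for before the volume key is released."
}
Set-HibernateInsteadOfSleep
powercfg /a   # Lists the sleep states available on this system.
```

If the warning fires, a PIN protector can be added with `Add-BitLockerKeyProtector -TpmAndPinProtector`, which requires the "Require additional authentication at startup" BitLocker policy to be enabled first.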