Everyone's quickly jumping in to post "physical access is not secure", while over there Apple have iPhones that appear to be almost completely secure against all but the most dedicated state-level attacks (and of course compromised accounts). We can do better, and should. Without compromising the freedom to change operating system.
Mind you we also need to keep pressing on security for the desktop, against ransomware and malicious installs. Again without compromising freedom of choice.
> Without compromising the freedom to change operating system.
Privacy, freedom, and security advocates seem to have opposing and wholly incompatible goals when it comes to technology.
This attack is possible because the NVRAM is overwriteable.
In order to mitigate this attack, a manufacturer would need to make NVRAM non-NV or add a security device like Apple's T2 chip. Or encrypt the NVRAM and (to prevent a key management nightmare brought about by having millions of users) keep the keys private, in which case all of the haxxors would be crying "they're locking us out of our own hardware!"
But adding a security device attacks "freedom".
10 PRINT "Having the vulnerability is bad."
20 PRINT "But adding security attacks freedom."
30 GOTO 10
If all of these raging against the machine Zer0cools were highly paid security consultants in 1981 looking to stir up business by raging against some machines, they would have pilloried IBM for implementing their (pre) ISA bus and Commodore for allowing users to PEEK and POKE into random memory addresses. The former created the entire personal computing marketplace as we know it today, and the latter enabled millions of programmers to understand their machines and make them do things the designers never could have imagined.
There was a HN article a while ago about how manufacturers were dumb and we were all going to die because of Thunderbolt and PCIe security flaws where attackers could sniff traffic on the bus.
I was just like "no shit, you've been able to do that forever, that's the point of busses and locking them down will just speed the Applefication of computing".
Back in "THE GOOD OLD DAYS" when men were men and computers were free and open they had god damned card-edge connectors sticking out of the back of the case which gave anyone within arm's reach of the machine direct and unrestricted access to the CPU lines.
It depends. For example, there is nothing that technically prevents adding 'add my own key' functionality to the Android phone bootloaders - that would allow the user to unlock the bootloader, install AOSP or any Android build of their choice, and then lock the bootloader again. The fact we have no such function in the bootloader is not rooted in some technical tradeoff between free and secure.
There are so many easier ways to compromise the computers of 99% of the population that this particular flaw, while interesting, doesn't really appear all that critical to me. How many people (or even companies) bother to encrypt their hard drives these days? Not many in my experience. And for those who do, how hard will it be to phish the credentials using basic social engineering?
If you're carrying nuclear codes then yeah, you should be worried about these attacks. If you're security officer for a small company then you probably have a long list of things to worry about before you have to consider cold boot vulnerabilities.
Furthermore if you're worried about an attacker having physical access to your computer what about simply installing a keylogger or a device that broadcasts your display for instance? That seems massively easier and faster to pull off than the attacks described here.
> If you're security officer for a small company then you probably have a long list of things to worry about before you have to consider cold boot vulnerabilities.
iPhones are probably vulnerable to cold boot too. It's just that cold boot attacks are absurdly difficult to execute. They only work if you already have physical access to an unlocked device before it powers down. If you shut off your machine and wait two seconds before walking away, you can never be cold-booted.
Are you sure/can you provide sources? Given the substantial efforts law enforcement has been taking to get access to suspects' iPhones, this doesn't seem right.
I think you misread me. iPhones are almost certainly vulnerable to some kind of cold-boot attack, yes. That doesn't mean that it's easy to break into them. Cold-boot attacks are highly circumstantial.
If the San Bernardino terrorists shut down their phones before their murderous rampage, or if they ran out of battery before the FBI got into their house, sorry, no cold boot for you.
Cold boot only works if you have physical access to the unlocked, powered-on, in-use device. The "data ghost" in memory that cold boot attacks take advantage of is only there for seconds.
I guess I was confused by "If you shut off your machine", which is not the same thing as locking it.
If cold boot attacks only work against unlocked devices, that makes a lot of sense. But if they work against locked but powered devices, that would be quite possible for LE to exploit in most cases (just carry a battery pack).
It depends. A regular user in most of the world is pretty happy with a $50-100 MTK-based chinaphone with 5.5" screen and 2GB of RAM - even with factory preinstalled trojans.
With all the talk I hear about "cache being the new RAM", since it's so much faster, particularly the L1, it sounds like it would make sense to have some transparent encryption going on. A random key generated at power on, then kept inside the CPU, and instantly lost at power off, would be enough to secure the contents of DIMMs against attacks like this.
There are things you can do to mitigate this problem, but once someone has physical access to a computer they have many pathways to gaining access to data and control.
The FBI have trouble compromising iPhones despite having unlimited physical access so that isn't true in general.
What I'm worried about is closing these holes while preserving the ability to run whatever software I want.
And also preserving the ability to provide consistent instruction to people on how to install other operating systems. In other words if every laptop has a different magic keyboard sequence to bypass boot security it's going to be a pain to write the Debian install instructions.
That's true, but it's what encrypted filesystems are supposed to prevent. The lesson is that sleep/low power modes are not enough. You should be powering-off or hibernating any time the computer is not in use.
Unfortunately this is against many enterprise policies for desktops, because they like to apply updates during off-hours and need the computers to be on (or at least able to wake up from sleep) to do that.
For laptops, you should configure them to hibernate when the lid is closed, not just sleep.
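The hibernate-instead-of-sleep advice in the comment above, as an added example that is not part of the thread: a small audit of power-management settings that flags every trigger which still leaves RAM powered. It assumes a Linux laptop managed by systemd-logind (the thread names no operating system), and both sample configurations are constructed.

```python
# Added example: audit systemd-logind settings for actions that leave RAM powered.
# Assumption: a Linux laptop managed by systemd-logind (not named in the thread).

# Actions that keep DRAM contents alive, so a forced reset can still expose keys.
RAM_POWERED = {"suspend", "hybrid-sleep", "suspend-then-hibernate"}

# Documented logind defaults for the triggers audited here.
DEFAULTS = {
    "HandleLidSwitch": "suspend",
    "HandleSuspendKey": "suspend",
    "IdleAction": "ignore",
}

def parse_login_section(text):
    """Return key/value pairs from the [Login] section of a logind.conf."""
    settings, in_login = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or commented-out setting
        if line.startswith("[") and line.endswith("]"):
            in_login = (line == "[Login]")
            continue
        if in_login and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(text):
    """Return {trigger: action} for every trigger that leaves RAM powered."""
    effective = dict(DEFAULTS)
    effective.update(parse_login_section(text))
    # On external power the lid action falls back to HandleLidSwitch when unset.
    effective.setdefault("HandleLidSwitchExternalPower", effective["HandleLidSwitch"])
    return {k: v for k, v in sorted(effective.items()) if v in RAM_POWERED}

# Constructed sample configs, not taken from any real machine.
WEAK = "[Login]\n#HandleLidSwitch=suspend\nIdleAction=suspend\n"
HARDENED = (
    "[Login]\nHandleLidSwitch=hibernate\nHandleLidSwitchExternalPower=hibernate\n"
    "HandleSuspendKey=hibernate\nIdleAction=hibernate\n"
)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg))
```

Hibernation writes the contents of RAM to disk, so it only helps when the swap or hibernation image is covered by disk encryption.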
If their slides are correct, then disabling boot from USB is enough. But then they state:
> Using a simple tool, Olle and Pasi learned how to rewrite the non-volatile memory chip that contains these settings, disable memory overwriting, and enable booting from external devices
The phrasing is confusing: had they found a way to switch the 'boot from USB' BIOS setting 'using a simple tool'?
Not necessarily if you turn off your computer or use hibernation instead of sleep, AND you use full disk encryption. This will stop short-term attacks, like cold boot attacks and the like.
Of course, if they "borrow" your laptop for a while, open it up, install key loggers, modify the firmware/hardware, and you do not notice this: you are f*ed.
I mean: even if you believe that "if someone has physical access to your computer, it's pretty much game over" you don't necessarily drop encryption and user password on the laptop and always put it in sleep mode.
As defined in the article: "when a computer is reset without following proper procedures (what’s known as a cold/hard reboot)"
Even if you disagree, "cold boot attack" is the established name for the actual attack, the new aspect presented here is how to circumvent a certain firmware protection that would overwrite the memory on a cold boot to prevent that attack.
If you would give your definition we could see if it is right, too.
Cold boot attack: An attack in which a running system is reset and information extracted from its memory that survived the reset. Seems like the article is using it correctly.
From a security standpoint, isn’t there a common understanding that if an attacker gains physical access to your computer, you already lost?
As a side note, there are so many vulnerabilities constantly coming out that I’ve almost become desensitized. I’m sure that’s not a good thing but it’s almost like “when” not “if” someone will just steal my data.
Not sure if anyone agrees or I’m just a one-off...
Some parts of a computer are easier to access than others. Like, it's quite easy to access the contents of a hard drive, but not so much some value stored in a particular register in the CPU. That's why it makes sense to encrypt data stored on a hard drive, but we expect the CPU to be able to handle plaintext securely.
Turns out, we should think of RAM more like a hard drive than like something internal to the CPU.
> isn’t there a common understanding that if an attacker gains physical access to your computer, you already lost?
I don’t think so. It would mean that securing information in the workplace is nearly impossible and colocation hosting security intrusion boils down to picking a physical lock (of your rack).
So do y'all regularly dump liquid nitrogen on your computers after powering them off?
Last I checked, cold boot attacks have to be executed within moments of a computer powering down unless it's immediately put on ice. I don't understand why we're worried about this.
At first, I could not figure out why sleep mode was an issue, but I think the point is that a cold boot attack has to be performed within minutes of the shutdown, and it has to be a 'hard' (just cut the power) type of shutdown, not an orderly shutdown where the OS stops what's running and then instructs the hardware to shut down. An attacker who gets his hands on a computer in sleep mode is in a position to force a hard shutdown and immediate cold boot when he is ready.