Security researchers from cybersecurity provider F-Secure discovered vulnerabilities in modern computers that allow hackers to steal encryption keys and other sensitive data.
According to Olle Segerdahl, a cybersecurity consultant at F-Secure, a firmware weakness in modern computers and laptops exposes encryption keys that can be used by hackers to steal sensitive information. The researcher also stated that the present security measures are not sufficient to protect data on lost or stolen laptops.
“Typically, organizations aren’t prepared to protect themselves from an attacker that has physical possession of a company computer. And when you have a security issue found in devices from major PC vendors, like the weakness my team has learned to exploit, you need to assume that a lot of companies have a weak link in their security that they’re not fully aware of or prepared to deal with,” said Segerdahl.
Segerdahl stated that an attacker needs physical access to the machine to exploit the vulnerabilities. The exploit is a cold boot attack: the attacker reboots the computer without following a proper shutdown process, then recovers data that remains briefly accessible in RAM.
“It takes some extra steps compared to the classic cold boot attack, but it’s effective against all the modern laptops we’ve tested. And since this type of threat is primarily relevant in scenarios where devices are stolen or illicitly obtained, it’s the kind of thing an attacker will have plenty of time to execute,” explained Segerdahl. “Because this attack works against the kind of laptops used by companies, there’s no reliable way for organizations to know their data is safe if a computer goes missing. And since 99 percent of company laptops will contain things like access credentials for corporate networks, it gives attackers a consistent, reliable way to compromise corporate targets.”
Segerdahl has shared his research findings with Intel, Microsoft, and Apple to help the PC industry improve the security measures of current and future products. He also recommended that companies prepare themselves to address these security issues. “There’s no easy fix for this issue either, so it’s a risk that companies are going to have to address on their own,” Segerdahl added.