"https://techcrunch.com/2018/09/12/security-flaw-in-nearly-all-modern-pcs-and-macs-leaks-encrypted-data/?guccounter=1"
(Do not click the link if the thought of accepting cookies frightens you) (Though it will show you that you have far more to fear)
More scare-mongering?
Or has anyone actually known a stolen or lost laptop to have been used to steal data/reveal industrial secrets, or anything like that? I haven't in 30-odd years.
In summary, for those who don't want to read the link "Most modern computers, even devices with disk encryption, are vulnerable to a new attack that can steal sensitive data in a matter of minutes, new research says."
If a hacker can get hold of your PC/laptop or Mac they can get the data off "in a matter of minutes" even if you have disk encryption. "researchers found that in nearly all cases they can still steal data protected by BitLocker and FileVault regardless."
The device would have to be compromised in the first instance, and then physically gained access to if I'm reading that right?
Yup, sounds to me like they'd need to have access to the system with the data they want still in memory, hack the firmware to stop memory being cleared, then restart and access the information...
That's why I think scaremongering.
Most thefts of laptops go the same way as phones. Don't bother trying to access anything, just wipe everything traceable and sell it (in the case of phones, they also instantly rip the SIM out and chuck it). Quick cash is what they're after.
Looking at cold boot attacks, it seems like a pretty technical attack and the average thief is not going to go to that extent.
As MS say, with BitLocker you can enable the boot PIN, though it's a bit complicated for some reason: https://www.howtogeek.com/262720/how-to-enable-a-pre-boot-bitlocker-pin-on-windows/
Also, doesn't apply to Device Encryption in Windows, which is a little different to BitLocker. Simplified version basically so they can charge a premium for BitLocker in Pro versions, though device encryption requires specific hardware spec. According to Wikipedia, includes measures to protect against cold boot attacks.
The device would have to be compromised in the first instance, and then physically gained access to if I’m reading that right?
Yeah seems to be, they need to get hold of the device, do whatever they need to do to stop it overwriting the memory, let the user use it again and then get hold of it again to read the memory in a hope of finding the decrypt key. That's some Ocean's 11, Mission Impossible shit.
I wonder if they can pull the same trick when the key comes from a secondary device like a Citrix fob?
Article is very light on details but it sounds like if the key gets read from the device then kept in memory then the answer is yes.
Curious why wiping the memory is done by the firmware and not by the OS prior to shutdown though.
This is why we use hardware encryption.
Just found this, not even sure if this is the same flaw! The "God Mode flaw":
https://techbeacon.com/microchip-god-mode-flaw-it-time-rethink-security
Yeah this would be incredibly hard to actually carry out. You first have to compromise the laptop so it no longer does a memory wipe on shutdown, you then have to steal the laptop and do a cold boot attack within a few minutes (even with freezing techniques) before the encryption key info in RAM decays.
I bet F-Secure will be quite happy to sell you a solution to a non-existent problem that they "discovered" 😀
It's not scaremongering, as such. These things get published so that the manufacturers fix them. If the manufacturers didn't fix security flaws we'd all be in trouble. You are Microsoft circa 1990 AICMFP
Can you still read any memory location at will using a FireWire/Thunderbolt port?
In this case though I suspect this is scaremongering in order for F-Secure to sell a new product to scramble RAM on Windows shutdown (before you hand back over to firmware).
Realistically this attack would be difficult enough to perform that the rubber hose attack would be the much simpler solution to get the secrets off the disk.
And also note on modern CPUs the RAM itself might be encrypted, so it doesn't matter if firmware blanks it or not.
