How your laptop can be hacked at the Airport

Leaving your laptop unattended for even a few minutes without properly powering it off can put the data stored on it at risk.


It is common, and perhaps an inevitable part of human nature, to underrate the security of our own devices.

By one often-cited estimate there is a hacker attack every 39 seconds, so the chances are you will be targeted too, and it is worth rethinking your laptop's security.

Here's a real scenario. Did you finish up some work on your laptop while waiting for your gate to open at the airport? I bet you do not remember the state you left it in when you closed the lid and rushed to the queue or to security screening; after all, you did not want to miss the flight.

If the answer is that you put it into Sleep mode, then brace yourself, because some nightmares are about to come.

What are Cold Boot Attacks

Cold boot attacks are nothing new and have been publicly documented since 2008, most likely known to attackers even earlier. They are physical attacks on data remanence rather than side-channel attacks: they take advantage of laptops that were not properly powered off, which can expose whatever was in memory at the time.

This is not a forensics curiosity: passwords and credentials, encryption keys and any other sensitive data held in memory are all at risk from these attacks.

Let's start with the RAM. Contrary to what we are usually taught, this memory does not lose its contents the instant power is cut: the data remains readable for some seconds after the laptop loses power or is improperly shut down, and cooling the chips stretches that window to minutes.

Those seconds are all an attacker needs: with the right tools, this is the window in which the Cold Boot attack is performed.

How the attack is performed

A simple overview of the steps required for a successful cold boot attack is shown below:

  1. During the first phase, the attackers take advantage of the laptop being unattended and get it into their hands while it is still running or asleep, which means the disk encryption keys are still in RAM.
  2. Then they spray the RAM chips with a coolant (an inverted can of compressed air, or liquid nitrogen), which lowers the chips' temperature and extends the time they hold their contents. Firmware (BIOS/UEFI) settings are changed so that booting from an external device, commonly a USB stick, is possible.
  3. During the third phase, the bootable USB stick is inserted. It carries a lightweight operating system whose tools start automatically. The laptop is forcibly cold-booted (the power button is held down and pressed again), so the running OS never gets the chance to wipe the encryption keys from memory, and because the firmware now allows external boot, the USB OS loads within seconds.
  4. In the last phase, the tools on the USB OS run automatically. Their primary purpose is to dump the RAM and extract everything useful they can find in it, disk encryption keys above all.

This attack can happen anywhere your laptop is left unattended for a while. Airport screening is a perfect setting for it, as it is one of the few places where we are required to be separated from our laptops for security checks.

Leaving your laptop on Sleep Mode


It takes very little effort to put a laptop to sleep and get back to our files quickly: on most laptops, closing the lid is enough. We are used to this because it makes getting back to work in Windows fast and easy, especially in public places such as an airport.

But what happens during this mode?

During Sleep, every application and all the data it was using are paused, but certainly not gone.

Everything is instantly available again when the laptop wakes. All of that state, including any disk encryption keys the operating system is using, stays in the volatile memory we call RAM (Random Access Memory). So, in short, we get back to the work we paused very quickly, with a single press of a button.

It is common to mix up the modes a laptop can be put into. You may mean to choose Hibernation but select Sleep instead, thinking there is no significant difference between them.

Sleep vs. Hibernation

There are huge differences between Sleep and Hibernation, and choosing one or the other can either protect your device or make it more vulnerable to certain attacks, including the Cold Boot attack discussed above.

In Sleep mode everything is powered down except the RAM, which keeps the data we were working on. During Hibernation everything, including the RAM, is powered off, and the RAM's contents are written to the hard drive instead.

Windows writes this data to a file called "hiberfil.sys" moments before the machine powers off for hibernation, so when we resume from Hibernation everything we left open is still there. Because hiberfil.sys sits on the system volume, it is covered by full disk encryption such as BitLocker when that is enabled, and the key needed to read it is not present in RAM while the laptop is off.

Sleep has its pros and cons, but it is not the most secure state to leave your laptop in, especially when it is unattended in public, crowded places such as an airport.

Hibernation has the drawback of being slower to resume than Sleep; however, it is more secure, and that is our main concern and what we care about most at Cool Tech.

Sleep also drains the battery, especially over extended hours. Windows will usually hibernate on its own when the battery gets critically low, but until then the laptop sits for hours with its encryption keys in RAM, and an attacker who hard-resets it at any point in that window is performing exactly the Cold Boot attack described earlier.

The section below looks at who is responsible for preventing this attack and what you can do about it yourself.

Preventive Measures

Who is responsible?

Research published in 2018 by the Finnish cyber security company F-Secure looked into this attack. It concluded that the threat was real at the time, as most of the laptops tested were vulnerable. As of 2022, modern laptops remain vulnerable to this type of attack.

Protection against cold boot attacks is less the user's responsibility than the firmware's, although a few small user habits can be a game-changer.

It is up to the firmware to strengthen and extend the mitigations against the attack. Several solutions have been proposed, such as different schemes for keeping encryption keys out of RAM; however, these measures do not protect the whole set of sensitive data, but rather reduce the chance of the full disk encryption being broken.

Steps to activate the Hibernation mode

The end user can do their part by avoiding unnecessary Sleep and choosing Hibernation or a complete Shutdown instead, along with setting a BitLocker pre-boot PIN so the disk encryption key is not released at boot without user input. As long as the encryption keys are not sitting in volatile memory, the rest of the data is considerably safer.

On some operating systems, such as Windows 10, the Hibernate option is not shown in the power menu by default. The good news is that you can enhance the security of your device by enabling it in a few easy steps, as shown below.

  1. Go to Control Panel and click on the "Hardware and Sound" section:

  2. Click on the green-titled "Power Options":

  3. In Power Options, select "Choose what the power buttons do" in the left pane:

  4. After making sure you have admin privileges, under Shut-down settings, tick the Hibernate box and save the changes as below:

Congratulations! You have just added an extra layer of security against Cold Boot attacks.

  5. This extra step makes your laptop hibernate automatically when you close the lid. Go back to step 3 and select "Choose what closing the lid does". A set of options will be shown as below. It is recommended to select Hibernate for both "On battery" and "Plugged in" for the best protection, as shown below:
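The Sleep vs. Hibernation discussion above and the GUI steps just listed can also be carried out and verified from the command line. The PowerShell script below is an added example and is not from the original article or from any tool it describes. It assumes an elevated prompt on Windows 10 or 11, that the operating system volume is C:, and that the laptop has a TPM; the registry path and values used to allow a TPM+PIN protector are taken from the BitLocker (FVE) policy settings and are the main assumption to double-check before running it.

```powershell
# Added example (not from the original article): harden a Windows laptop
# against the cold boot scenario above. Run from an elevated PowerShell
# prompt. powercfg / manage-bde switches and BitLocker cmdlets are real;
# the drive letter C: and the FVE policy registry values are assumptions.
#Requires -RunAsAdministrator

# 1. Which low-power states does the firmware offer? "Standby (S3)" and
#    "S0 Low Power Idle" both keep RAM powered while asleep; "Hibernate"
#    must be listed as available for the settings below to take effect.
powercfg /availablesleepstates

# 2. Create hiberfil.sys and expose "Hibernate" in the power menu
#    (the same thing the Control Panel steps above do).
powercfg /hibernate on

# 3. Closing the lid hibernates instead of sleeping, on AC and on battery.
#    LIDACTION index: 0 = do nothing, 1 = sleep, 2 = hibernate, 3 = shut down.
powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2

# 4. Same for the power button, so a quick press does not leave keys in RAM.
powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 2
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 2

# 5. If the laptop is ever put to sleep anyway, fall back to hibernation
#    after 10 minutes (value in seconds) to keep the keys-in-RAM window short.
powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP HIBERNATEIDLE 600
powercfg /setdcvalueindex SCHEME_CURRENT SUB_SLEEP HIBERNATEIDLE 600

# Apply the changes to the active power scheme.
powercfg /setactive SCHEME_CURRENT

# 6. Check BitLocker on the OS volume and which protectors guard its key.
#    A lone "Tpm" protector unseals the key at boot with no user input,
#    which is what a cold boot attacker relies on; "TpmPin" requires the
#    pre-boot PIN the article recommends.
$vol = Get-BitLockerVolume -MountPoint 'C:'
$vol | Select-Object MountPoint, ProtectionStatus, EncryptionMethod
$vol.KeyProtector | Select-Object KeyProtectorType

# 7. Add a TPM+PIN protector if none exists. The "Require additional
#    authentication at startup" policy must allow a PIN first; the registry
#    writes below set that policy locally (assumed path and values).
if (-not ($vol.KeyProtector.KeyProtectorType -contains 'TpmPin')) {
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMPIN -Value 2 -Type DWord   # 2 = allow PIN
    $pin = Read-Host -AsSecureString 'Choose a BitLocker pre-boot PIN'
    Add-BitLockerKeyProtector -MountPoint 'C:' -Pin $pin -TpmAndPinProtector
}

# Re-read the protectors so the result of step 7 is visible.
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector | Select-Object KeyProtectorType
```

After a reboot, the laptop should prompt for the PIN before Windows loads; that prompt is the evidence that the disk key is no longer unsealed automatically. On laptops that only list "S0 Low Power Idle" (Modern Standby) in step 1, the lid and power-button actions still apply, but the idle-to-hibernate timer in step 5 is the setting that actually bounds how long keys stay resident.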

Summary and conclusion

Cold Boot attacks are still a genuine threat today. Attackers can perform them wherever a device is left unattended, and crowded places such as airports give them exactly that opportunity.

It is the firmware's responsibility to correct the underlying issue; however, small changes in user behaviour help mitigate the risk. These include shutting down your laptop, using Hibernation instead of Sleep, enabling BitLocker with a pre-boot PIN, and checking which mode the device is in before leaving it unattended.

It is important to remember that these attacks require skill, the right tools and, most importantly, physical access. If you do not count yourself among the big fish, you are probably already reasonably safe.

See more at the CoolTechZone!

CoolTechZone - Cyber Security Labs & News
