How your laptop can be hacked at the Airport
It is common, and perhaps an inevitable part of human nature, to underestimate the security of the technological devices we own.
With a hacker attack occurring every 39 seconds, the chances are you might get hacked too, so it is worth rethinking your laptop’s security.
Here’s a real scenario. Did you finish up work on your laptop while waiting for your gate at the airport to open? I bet you do not remember the state your laptop was in when you closed the lid to rush to the queue or get to security screening, because of course you don’t want to miss the flight.
If the answer is that you put it in Sleep Mode, then brace yourself, because some nightmares are about to come!
Cold boot attacks are nothing new to malicious actors and have been around since at least 2008. These side-channel attacks take advantage of improper power-offs of laptops, which can put you and your data at risk.
This is not legitimate forensics: through these attacks, all kinds of information, including passwords and credentials (check our 25 best password managers), encryption keys, and any other sensitive data held in memory, are at risk.
Let’s start with the RAM. Regardless of what we have been taught, this memory still holds its data for some seconds after the laptop is switched off, loses its power supply, or is shut down improperly.
These are valuable seconds for a malicious actor, though: with the right tools, this is the window in which they perform the cold boot attack.
A simple infographic of the steps required to perform a successful cold boot attack is shown below:
- During the first phase, the attackers have your laptop in their hands, taking advantage of it being left unattended.
- Then, they spray the RAM with a cooling substance (possibly liquid nitrogen), which lowers its temperature and extends the time it holds data. After that, BIOS changes are made so that booting from an external device, commonly a USB stick, is possible.
- During the third phase, the bootable USB is inserted. On it is a lightweight operating system that uses autorun files to proceed quickly. The computer is forcibly cold booted (the power switch is pressed), so the processor does not have time to clear the encryption keys, and since the BIOS settings have been changed, the USB’s OS loads quickly.
- In the last phase, the USB OS’s processes are autorun. Their main purpose is to extract all the data they can find still stored in RAM.
This real attack scenario could happen anywhere your laptop remains unattended for some amount of time. Airport screening is one of the perfect scenarios for this attack, as it is one of the few places we are actually required to stay away from our laptop for security checks.
It takes so little effort to put our laptop in Sleep Mode and get back to our files later. Basically, we just need to close the lid (on most laptops) and this mode is activated. We are used to this method because it makes getting back to work in Windows faster and easier, especially in public places such as an airport.
But what actually happens during this mode?
During Sleep, every piece of data and every application that was open while powered on is temporarily paused, but certainly not gone.
Easy and instant access to these applications is possible when the laptop wakes up, because all this data is kept in the volatile memory we call RAM (Random Access Memory). So, in short, we get back to the work we paused very quickly, needing just a click of a button.
It is common for people to mix up the modes a laptop can be put in. Sometimes you might want to activate Hibernation but mistakenly select Sleep Mode, thinking there is no big difference between them.
There are huge differences between Sleep and Hibernation mode, and which one you select can either be a protection measure or make your device more vulnerable to certain types of attack. One of these is the cold boot attack, which we discuss later on.
In Sleep Mode, everything is shut down except the RAM, which temporarily stores the data we were just working on. During Hibernation, everything including the RAM is powered off, and the RAM’s contents are stored on the hard drive instead.
This data is automatically saved to a file called “hiberfil.sys” seconds before the power-off for hibernation happens. So, when we resume from Hibernation, everything we left open is still accessible.
While Sleep has its own pros and cons, it might not be the most convenient and secure mode to leave your laptop in, especially when it is unattended in public and crowded places such as an airport.
Hibernation has the drawback of being slower than Sleep mode; however, it is more secure, and security is our main concern and what we care about the most at Cool Tech.
In Sleep, the battery tends to drain very quickly, especially over extended hours, and when it runs out it leaves room for dangerous things to occur. The laptop shuts down improperly, and this improper power-off is what makes the device more vulnerable to the type of attack we mentioned earlier, the cold boot attack.
The section below gives an insight into what this attack is and how it is performed.
Research by the Finnish cyber security company F-Secure was carried out on this attack, and it concluded that this is a very real threat, as most laptops tend to be vulnerable. As of 2022, modern laptops have still remained vulnerable to this type of attack.
Protection from cold boot attacks is not so much the user’s responsibility as the firmware’s, even though small specific user behaviours can be a game changer.
It is up to the firmware to strengthen and extend the mitigations or preventive measures for the attack. Several solutions have been proposed to mitigate the risk, such as different proposals for where encryption keys are stored; however, these measures do not promise to protect the whole set of sensitive data, but rather reduce the chance of the full disk encryption being broken.
The end user can do his/her part by avoiding unnecessary Sleep, considering Hibernation or a complete Shut Down instead, and using a BitLocker PIN to prevent data access. As long as the encryption keys are not stored in volatile memory, the rest of the data is certainly safer.
On some operating systems, such as Windows 10, the Hibernation feature is not enabled by default. The good news is you can enhance the security of your device by enabling this option in just a few easy steps, as shown below.
- Go to Control Panel and click on the “Hardware and Sound” section:
- Click on the green-titled “Power Options”:
- In Power Options, select “Choose what the power buttons do” in the left pane:
- After making sure you have admin privileges, under Shutdown settings check the Hibernate box and save the changes as below:
Congratulations! This way you have just added an extra layer of security against cold boot attacks!
- This extra step will automatically put your laptop into Hibernate mode after closing the lid. To do this, simply go back to the 3rd step and select “Choose what closing the lid does”. Afterwards, a set of options is shown as below. It is recommended to select Hibernate for both “On battery” and “Plugged in” for enhanced security, just as shown below:
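The same settings can be applied from an elevated PowerShell prompt with Windows’ built-in powercfg tool. This is an added example, not part of the original article; it assumes you run it as Administrator and uses powercfg’s own SCHEME_CURRENT, SUB_BUTTONS and LIDACTION aliases.

```powershell
# Added example (not from the original article): enable Hibernate and make
# closing the lid hibernate instead of sleep, using the built-in powercfg tool.
# Run from an elevated (Administrator) PowerShell prompt.

# 1. Enable hibernation. This creates hiberfil.sys; until it is on, "Hibernate"
#    does not appear in the Shutdown settings or in the lid-close options.
powercfg /hibernate on

# 2. Set the lid-close action for both "On battery" (DC) and "Plugged in" (AC).
#    LIDACTION index values: 0 = do nothing, 1 = sleep, 2 = hibernate, 3 = shut down.
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2
powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2

# 3. Re-apply the active power scheme so the new indexes take effect.
powercfg /setactive SCHEME_CURRENT

# 4. Verify: Hibernate should be listed as an available state, and in the
#    "Power buttons and lid" subgroup the lid-close AC and DC indexes should
#    both read 0x00000002.
powercfg /availablesleepstates
powercfg /query SCHEME_CURRENT SUB_BUTTONS
```

If step 1 reports that hibernation is not available, the firmware does not support it on this machine, and the lid-close options will keep offering Sleep only.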
Cold boot attacks are still a very real threat nowadays. Attackers tend to perform this attack especially in crowded places such as an airport, to take advantage of the time your device is left unattended.
It is the firmware’s responsibility to correct the issue; however, small user behaviours can help mitigate the risk of being hacked. These tips include: shutting down your laptop; using Hibernation mode; using BitLocker; checking the device’s mode when it is left unattended; etc.
It is important to remember that these types of attacks require skills, the right tools and, most importantly, physical access. If you don’t think you belong to the “big fish” team, you are probably already safe.