For many of us, shutting our laptops after a tough day in the office is a satisfying feeling that signals the end of work until tomorrow. But what we don’t realise is that simply shutting the lid and putting the laptop into sleep mode can leave it much more vulnerable to cyber-attacks than we might think. This is because sleep mode (S3) on most laptops is little more than a low power mode designed to save battery life. As a result, when S3’s engaged, the laptop’s drive and other hardware power off, but its memory remains active, ready to spring back to life as soon as the user opens the lid back up or hits the power button. Convenient? Yes. Secure? No.
In the case of secure laptops running Full Drive Encryption (FDE), this suspended memory includes the DEK (Data Encryption Key) or with Self-Encrypting Drives (SED), the very credentials required to unlock the drive. Keeping sensitive information like this in such an accessible place leaves the whole laptop vulnerable to breach.
For an attacker fortunate enough to discover a laptop in this state, there are a variety of techniques that can be successfully deployed to retrieve the DEK and other sensitive information directly from the memory. This includes a cold boot attack, which takes advantage of the fact that RAM retains the memory stored in it for a few seconds after the laptop has been switched off. In a cold boot attack, compressed air (or in some case, liquid nitrogen) is used to rapidly cool the laptop’s RAM as soon as it is powered off. This is done because temperature is proportional to the rate of charge decay or leakage in capacitors, so reducing the temperature of the RAM significantly increases the amount of time the data in it is retained, from a few seconds to minutes or even hours. Once cooled, the system can be booted back up with a USB operating system to read and store the bit sequence from the RAM. Alternatively, the RAM can be inserted into another motherboard, where the data can be fully retrieved.
Memory attacks aren’t the only threat either. Once a laptop with FDE is booted into Windows and the drive has been unlocked, only the laptop’s OS login security stands between an attacker and a breach. OS security is significantly less robust than FDE, so users are putting all their faith in one, very perilous, basket. Most laptops that feature FDE have it for a reason. They are typically high risk, or contain sensitive information that requires elevated levels of protection, which makes it even more unforgiveable to not make full use of the security FDE provides.
As these examples illustrate, sleep mode may be convenient, but it also has serious security issues with both hardware and software encryption. Fortunately, most laptops feature a readily available alternative to sleep that almost completely counteracts these flaws; hibernation mode (S4). Many people wonder if hibernation is better than sleep and when it comes to computer security, the answer is emphatically, yes. As opposed to sleep mode, which simply suspends the computer and memory in its current state, when a laptop goes into hibernation mode the entire memory contents is written to the drive before power to the computer is removed and its RAM contents fades away. With FDE or SED software in place, the hibernation file is also fully encrypted and with pre-boot authentication enabled (which it always should be), hibernation puts the laptop into a fully secure state that is significantly harder to compromise.
But what about the convenience factor of sleep mode? It’s true that in the past a laptop in hibernation would take a lot longer to wake when compared to one in sleep mode. However, the growing proliferation of Solid State Drives (SSDs) and improved OS software has had a significant impact on this to the point where just a handful of seconds tends to separate laptops waking from sleep and hibernation now.
A simple experiment on a typical work laptop (Windows 10, 8 GB, i5 laptop, Opal-SED-SATA-SSD) helps to illustrate this point. When powered down into sleep mode, the laptop took 11 seconds to fully wake, including the time taken to enter the OS password. In comparison, the same laptop took 46 seconds to get to the same point from hibernation, including the time taken to enter both the pre-boot FDE authentication password and the OS password.
As such, the true time difference between sleep and hibernation on a typical laptop is just 35 seconds, but as this article has shown, the security difference between the two is huge. Don’t you think those 35 seconds are worth it?