Danger on ice: Android info thaws in cold boot attack

Feb 18, 2013 by Nancy Owano report
Danger on ice: Android info thaws in cold boot attack

(Phys.org)—Can low temperatures yield access to information in the phone's memory? Researchers found that a "FROST" attack can unlock an Android's phone data. Their research findings discuss how hackers can freeze their way into a phone's sensitive data. Researchers at Erlangen University in Germany showed how their cold boot attack method was able to read information from a Samsung Galaxy Nexus running the latest version of Android.

They said the hack can be achieved even if the phone is protected by a PIN and with its storage disk encrypted. They said they chose the from Samsung because it was the first device with Android 4.0 and consequently it was the first Android-based smartphone with encryption support. Also, since it is an "official" phone, they added, it carries an official Android version from Google unmodified by the phone manufacturer. They said that Google releases are most amenable for in-depth security analysis.

In their paper, they wrote, "We present FROST, a tool set that supports the forensic recovery of scrambled telephones. To this end we perform cold boot attacks against Android smartphones and retrieve disk encryption keys from RAM. We show that cold boot attacks against Android phones are generally possible for the first time, and we perform our attacks practically against Galaxy Nexus devices from Samsung."

Authors Tilo Mueller and Michael Spreitzenbarth of the Friedrich-Alexander University of Erlangen-Nuremberg discovered that Android's boot sequence enabled them to perform cold boot attacks, and they observed how valuable information can be retrieved from RAM. According to the researchers, such cold boot attacks can allow the retrieval of sensitive information such as contact lists, visited web sites, and photos, directly from RAM, even though the bootloader is locked. By chilling the Galaxy , the researchers could bypass security settings and read from the phone's memory. The recovery tool FROST stands for Forensic Recovery of Scrambled Telephones.

In chilling the phone to freezing temperatures, the information lingered on in memory for five or six seconds, which was long enough to pull data out with a computer.

Mueller and Spreitzenbarth found they could read data that included images, e-mails and web browsing history.

Their research is not a first in explorations into cold-boot attacks, which were in evidence as early as 2008, shown on PCs. Their research, however, focused on mobile devices.

The authors referred to data remanence, where the computer RAM holds residual information briefly even after the computer is shut down. Mueller observed that in cooling the phone the contents are lost in five or six seconds, enough time to reboot the phone and access the memory. Rebooting a phone more often may leave less in its memory.

On the flip side, their research is not only a warning for users but may be helpful for forensic experts who attempt to recover data from a seized phone.

Explore further: Tecnalia designs an app to help elderly people get around on public transport

More information: www1.informatik.uni-erlangen.de/frost
www1.cs.fau.de/filepool/projects/frost/frost.pdf

Related Stories

Google working on phone with built-in payment tool

Nov 16, 2010

Google Inc. is taking another stab at designing a game-changing mobile phone, this time by including a built-in payment system that could eventually enable the devices to replace credit cards.

Recommended for you

Google worker shows early-draft glimpse of Chrome OS

Jul 20, 2014

The Chrome OS is in for a future look. Athena, a Chromium OS project, will bring forth the new Chrome OS user experience. Google's François Beaufort on Friday, referring to the screenshot he posted, said," ...

Google eyes Chrome on Windows laptop battery drain

Jul 19, 2014

Google Chrome on Microsoft Windows has been said to have a problem for some time but this week comes news that Google will give it the attention others think the problem quite deserves. Namely, Google is to ...

Mental-health monitoring goes mobile

Jul 16, 2014

Behavioral health analytics startup Ginger.io sees smartphones as "automated diaries" containing valuable insight into the mental well-being of people with mental illnesses.

User comments : 4

Adjust slider to filter visible comments by rank

Display comments: newest first

gwrede
5 / 5 (1) Feb 18, 2013
I experimented with my VIC-20 in the early eighties, and found out that its RAM retained all data very reliably if I pulled the power plug for less than a quarter of a second. I then used this for debugging.

Later I had a handy friend install a real Reset Button on it, which felt like real luxury.
PPihkala
5 / 5 (1) Feb 18, 2013
VIC-20 had static RAM (SRAM) while current memories are almost exclusively Dynamic RAM (DRAM). SRAM stores the information in the way the currents flow inside it, whereas DRAM stores the information into tiny capacitors. The charge in those capacitors discharges with time, so each one is refreshed at regular intervals while the memory is in use. The colder the memory the longer it takes to bleed the charge from it's cells. And that is exploited in these cold attacks. They could put sensitive info into SRAM, because that will lose it's state immediately when the current is interrupted. Of course they would need to put those memories into the devices first, before they could use this method.
antialias_physorg
1 / 5 (2) Feb 18, 2013
Yay for the guys from my alma mater.
baudrunner
3 / 5 (2) Feb 18, 2013
Looks like an oversight by the manufacturers. The issue of data remanence could be easily resolved by draining all the energy immediately during shutdown by adding an emitter-follower cascade circuit, much like those used in solid state refrigeration devices.