Danger on ice: Android info thaws in cold boot attack

Feb 18, 2013 by Nancy Owano report
Danger on ice: Android info thaws in cold boot attack

(Phys.org)—Can low temperatures yield access to information in the phone's memory? Researchers found that a "FROST" attack can unlock an Android's phone data. Their research findings discuss how hackers can freeze their way into a phone's sensitive data. Researchers at Erlangen University in Germany showed how their cold boot attack method was able to read information from a Samsung Galaxy Nexus running the latest version of Android.

They said the hack can be achieved even if the phone is protected by a PIN and with its storage disk encrypted. They said they chose the from Samsung because it was the first device with Android 4.0 and consequently it was the first Android-based smartphone with encryption support. Also, since it is an "official" phone, they added, it carries an official Android version from Google unmodified by the phone manufacturer. They said that Google releases are most amenable for in-depth security analysis.

In their paper, they wrote, "We present FROST, a tool set that supports the forensic recovery of scrambled telephones. To this end we perform cold boot attacks against Android smartphones and retrieve disk encryption keys from RAM. We show that cold boot attacks against Android phones are generally possible for the first time, and we perform our attacks practically against Galaxy Nexus devices from Samsung."

Authors Tilo Mueller and Michael Spreitzenbarth of the Friedrich-Alexander University of Erlangen-Nuremberg discovered that Android's boot sequence enabled them to perform cold boot attacks, and they observed how valuable information can be retrieved from RAM. According to the researchers, such cold boot attacks can allow the retrieval of sensitive information such as contact lists, visited web sites, and photos, directly from RAM, even though the bootloader is locked. By chilling the Galaxy , the researchers could bypass security settings and read from the phone's memory. The recovery tool FROST stands for Forensic Recovery of Scrambled Telephones.

In chilling the phone to freezing temperatures, the information lingered on in memory for five or six seconds, which was long enough to pull data out with a computer.

Mueller and Spreitzenbarth found they could read data that included images, e-mails and web browsing history.

Their research is not a first in explorations into cold-boot attacks, which were in evidence as early as 2008, shown on PCs. Their research, however, focused on mobile devices.

The authors referred to data remanence, where the computer RAM holds residual information briefly even after the computer is shut down. Mueller observed that in cooling the phone the contents are lost in five or six seconds, enough time to reboot the phone and access the memory. Rebooting a phone more often may leave less in its memory.

On the flip side, their research is not only a warning for users but may be helpful for forensic experts who attempt to recover data from a seized phone.

Explore further: Technology to help people with disabilities to learn and communicate

More information: www1.informatik.uni-erlangen.de/frost
www1.cs.fau.de/filepool/projects/frost/frost.pdf

Related Stories

Google working on phone with built-in payment tool

Nov 16, 2010

Google Inc. is taking another stab at designing a game-changing mobile phone, this time by including a built-in payment system that could eventually enable the devices to replace credit cards.

Recommended for you

BPG image format judged awesome versus JPEG

Dec 17, 2014

If these three letters could talk, BPG, they would say something like "Farewell, JPEG." Better Portable Graphics (BPG) is a new image format based on HEVC and supported by browsers with a small Javascript ...

Atari's 'E.T.' game joins Smithsonian collection

Dec 15, 2014

One of the "E.T." Atari game cartridges unearthed this year from a heap of garbage buried deep in the New Mexico desert has been added to the video game history collection at the Smithsonian.

User comments : 4

Adjust slider to filter visible comments by rank

Display comments: newest first

gwrede
5 / 5 (1) Feb 18, 2013
I experimented with my VIC-20 in the early eighties, and found out that its RAM retained all data very reliably if I pulled the power plug for less than a quarter of a second. I then used this for debugging.

Later I had a handy friend install a real Reset Button on it, which felt like real luxury.
PPihkala
5 / 5 (1) Feb 18, 2013
VIC-20 had static RAM (SRAM) while current memories are almost exclusively Dynamic RAM (DRAM). SRAM stores the information in the way the currents flow inside it, whereas DRAM stores the information into tiny capacitors. The charge in those capacitors discharges with time, so each one is refreshed at regular intervals while the memory is in use. The colder the memory the longer it takes to bleed the charge from it's cells. And that is exploited in these cold attacks. They could put sensitive info into SRAM, because that will lose it's state immediately when the current is interrupted. Of course they would need to put those memories into the devices first, before they could use this method.
antialias_physorg
1 / 5 (2) Feb 18, 2013
Yay for the guys from my alma mater.
baudrunner
3 / 5 (2) Feb 18, 2013
Looks like an oversight by the manufacturers. The issue of data remanence could be easily resolved by draining all the energy immediately during shutdown by adding an emitter-follower cascade circuit, much like those used in solid state refrigeration devices.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.