Danger on ice: Android info thaws in cold boot attack

Feb 18, 2013 by Nancy Owano report
Danger on ice: Android info thaws in cold boot attack

(Phys.org)—Can low temperatures yield access to information in the phone's memory? Researchers found that a "FROST" attack can unlock an Android's phone data. Their research findings discuss how hackers can freeze their way into a phone's sensitive data. Researchers at Erlangen University in Germany showed how their cold boot attack method was able to read information from a Samsung Galaxy Nexus running the latest version of Android.

They said the hack can be achieved even if the phone is protected by a PIN and with its storage disk encrypted. They said they chose the from Samsung because it was the first device with Android 4.0 and consequently it was the first Android-based smartphone with encryption support. Also, since it is an "official" phone, they added, it carries an official Android version from Google unmodified by the phone manufacturer. They said that Google releases are most amenable for in-depth security analysis.

In their paper, they wrote, "We present FROST, a tool set that supports the forensic recovery of scrambled telephones. To this end we perform cold boot attacks against Android smartphones and retrieve disk encryption keys from RAM. We show that cold boot attacks against Android phones are generally possible for the first time, and we perform our attacks practically against Galaxy Nexus devices from Samsung."

Authors Tilo Mueller and Michael Spreitzenbarth of the Friedrich-Alexander University of Erlangen-Nuremberg discovered that Android's boot sequence enabled them to perform cold boot attacks, and they observed how valuable information can be retrieved from RAM. According to the researchers, such cold boot attacks can allow the retrieval of sensitive information such as contact lists, visited web sites, and photos, directly from RAM, even though the bootloader is locked. By chilling the Galaxy , the researchers could bypass security settings and read from the phone's memory. The recovery tool FROST stands for Forensic Recovery of Scrambled Telephones.

In chilling the phone to freezing temperatures, the information lingered on in memory for five or six seconds, which was long enough to pull data out with a computer.

Mueller and Spreitzenbarth found they could read data that included images, e-mails and web browsing history.

Their research is not a first in explorations into cold-boot attacks, which were in evidence as early as 2008, shown on PCs. Their research, however, focused on mobile devices.

The authors referred to data remanence, where the computer RAM holds residual information briefly even after the computer is shut down. Mueller observed that in cooling the phone the contents are lost in five or six seconds, enough time to reboot the phone and access the memory. Rebooting a phone more often may leave less in its memory.

On the flip side, their research is not only a warning for users but may be helpful for forensic experts who attempt to recover data from a seized phone.

Explore further: PAX Prime gaming convention kicks off in Seattle

More information: www1.informatik.uni-erlangen.de/frost
www1.cs.fau.de/filepool/projects/frost/frost.pdf

Related Stories

Google working on phone with built-in payment tool

Nov 16, 2010

Google Inc. is taking another stab at designing a game-changing mobile phone, this time by including a built-in payment system that could eventually enable the devices to replace credit cards.

Recommended for you

Watching others play video games is the new spectator sport

23 hours ago

As the UK's largest gaming festival, Insomnia, wrapped up its latest event on August 25, I watched a short piece of BBC Breakfast news reporting from the festival. The reporter and some of the interviewees appeared baff ...

SHORE facial analysis spots emotions on Google Glass

Aug 28, 2014

One of the key concerns about facial recognition software has been over privacy. The very idea of having tracking mechanisms as part of an Internet-connected wearable would be likely to upset many privacy ...

User comments : 4

Adjust slider to filter visible comments by rank

Display comments: newest first

gwrede
5 / 5 (1) Feb 18, 2013
I experimented with my VIC-20 in the early eighties, and found out that its RAM retained all data very reliably if I pulled the power plug for less than a quarter of a second. I then used this for debugging.

Later I had a handy friend install a real Reset Button on it, which felt like real luxury.
PPihkala
5 / 5 (1) Feb 18, 2013
VIC-20 had static RAM (SRAM) while current memories are almost exclusively Dynamic RAM (DRAM). SRAM stores the information in the way the currents flow inside it, whereas DRAM stores the information into tiny capacitors. The charge in those capacitors discharges with time, so each one is refreshed at regular intervals while the memory is in use. The colder the memory the longer it takes to bleed the charge from it's cells. And that is exploited in these cold attacks. They could put sensitive info into SRAM, because that will lose it's state immediately when the current is interrupted. Of course they would need to put those memories into the devices first, before they could use this method.
antialias_physorg
1 / 5 (2) Feb 18, 2013
Yay for the guys from my alma mater.
baudrunner
3 / 5 (2) Feb 18, 2013
Looks like an oversight by the manufacturers. The issue of data remanence could be easily resolved by draining all the energy immediately during shutdown by adding an emitter-follower cascade circuit, much like those used in solid state refrigeration devices.