Frozen ice cream sandwich coughs up crypto keys

Powered by SC Magazine
 

User data nabbed.

View larger image View larger image View larger image

See all pictures here »

Researchers have cracked encrypted user data on an Android phone by placing the device in a freezer to preserve RAM.

In doing so, they demonstrated that Android's implementation of full disk encryption, introduced in version 4 (Ice Cream Sandwich), was vulnerable to so-called cold boot attacks.

The attacks have been known for years but have not been applied to Android, the researchers said. 

To demonstrate the vulnerability, a rooted - or modified - Samsung Galaxy Nexus phone was placed in a freezer and cooled to minus 15C, a temperature which extends the decay of RAM.

The battery was then ejected and reinserted in less than a second, which was fast enough to reboot the phone while keeping RAM intact.

The phone was rebooted into the Android bootloader, where the FROST (forensic recovery of scrambled telephones) tool could be loaded.

"According to our results about the remanence effect, we can reboot a smartphone quickly while preserving a significant amount of RAM contents," the Erlangen University researchers wrote in a paper (pdf).

"Roughly speaking, we analyse the characteristics of the remanence effect on smartphones, prove that Android's boot sequence enable us to perform cold boot attacks, and show that valuable information can be retrieved from RAM."

The side channel attacks could be helpful to forensics professionals faced with encrypted phones.

"...Scrambled phones are a a nightmare for IT forensics and law enforcement, because once the power of a scrambled device is cut any chance other than brute force is lost to recover data."

Previous thought suggested cold-booting could preserve RAM for about 30 seconds, but the researchers found half of the available memory decayed within about six seconds at that temperature.

The encryption could be busted on only devices with open bootloaders, a feature made popular in rooted custom devices. Stock phones typically do not have open bootloaders however HTC has warmed to the process and offered assistance to users wanting to modify their devices.

But attackers could still swipe contacts, photos and emails from devices with locked bootloaders.

"After rebooting a Galaxy Nexus device, unlocking its bootloader, and booting up our recovery tool, we were still able to recover much sensitive information. Among others, we recovered emails, photos, contacts, calendar entries, WiFi credentials, and even the disk encryption key," the researchers said.

The researchers also provided tools to take forensic images of encrypted data or use brute force attacks against phone PINs.

Download the tools from the Univeristy's website.

Copyright © SC Magazine, Australia


 
 
 
Top Stories
Qld Transport to replace core registration system
State's biggest citizen info repository set for overhaul.
 
Innovating in the sleepy super industry
There’s little incentive to be on the bleeding edge, so why is Andrew Todd fighting so hard?
 
How technology will unify Toll
The systems headache formed through 15 years of acquisitions.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  39%
 
Your insurance company
  3%
 
A technology company (Google, Facebook et al)
  7%
 
Your telco, ISP or utility
  8%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  21%
 
An Australian law enforcement agency (AFP, ASIO et al)
  15%
 
A State Government agency (Health dept, etc)
  5%
TOTAL VOTES: 893

Vote