Frozen ice cream sandwich coughs up crypto keys

Powered by SC Magazine
 

User data nabbed.


Researchers have cracked encrypted user data on an Android phone by placing the device in a freezer to preserve RAM.

In doing so, they demonstrated that Android's implementation of full disk encryption, introduced in version 4 (Ice Cream Sandwich), was vulnerable to so-called cold boot attacks.

The attacks have been known for years but have not been applied to Android, the researchers said. 

To demonstrate the vulnerability, a rooted - or modified - Samsung Galaxy Nexus phone was placed in a freezer and cooled to minus 15C, a temperature which slows the decay of RAM contents.

The battery was then ejected and reinserted in less than a second, which was fast enough to reboot the phone while keeping RAM intact.

The phone was rebooted into the Android bootloader, where the FROST (forensic recovery of scrambled telephones) tool could be loaded.

"According to our results about the remanence effect, we can reboot a smartphone quickly while preserving a significant amount of RAM contents," the Erlangen University researchers wrote in a paper (pdf).

"Roughly speaking, we analyse the characteristics of the remanence effect on smartphones, prove that Android's boot sequence enables us to perform cold boot attacks, and show that valuable information can be retrieved from RAM."

The side channel attacks could be helpful to forensics professionals faced with encrypted phones.

"...Scrambled phones are a nightmare for IT forensics and law enforcement, because once the power of a scrambled device is cut any chance other than brute force is lost to recover data."

Previous thought suggested cold-booting could preserve RAM for about 30 seconds, but the researchers found half of the available memory decayed within about six seconds at that temperature.

The encryption could be busted only on devices with open bootloaders, a feature made popular in rooted custom devices. Stock phones typically do not have open bootloaders; however, HTC has warmed to the process and offered assistance to users wanting to modify their devices.

But attackers could still swipe contacts, photos and emails from devices with locked bootloaders.

"After rebooting a Galaxy Nexus device, unlocking its bootloader, and booting up our recovery tool, we were still able to recover much sensitive information. Among others, we recovered emails, photos, contacts, calendar entries, WiFi credentials, and even the disk encryption key," the researchers said.

The researchers also provided tools to take forensic images of encrypted data or use brute force attacks against phone PINs.

Download the tools from the University's website.

Copyright © SC Magazine, Australia


 
 
 