back to article Boffins FREEZE PHONES to crack Android on-device crypto

Computer scientists at the Friedrich-Alexander University of Erlangen-Nuremberg, Germany (FAU) have demonstrated that it is possible for unauthorized parties to recover data from encrypted Android smartphones using cold boot attacks. And when they say cold, they mean it – below 10°C, to be precise. Android has included built- …

COMMENTS

This topic is closed for new posts.
  1. Jim McDonald
    Coat

    cool!

    *groan*

    1. Euripides Pants
      Unhappy

      Damn!

      Beat me to it.

    2. Adam 1

      ha

      Icy what you did there.

  2. Shades

    Actually looking forward...

    ...to Eadons comment on this! ;D

    1. GBL Initialiser
      Joke

      Re: Actually looking forward...

      "Close Windows so it doesn't get so cold" maybe?

  3. GBL Initialiser

    "It's so cold in here I'm freezing my AES off"

  4. Anonymous Coward
    Coat

    Forgotten your pin?

    Just chill.

  5. This post has been deleted by its author

  6. Bush_rat
    Trollface

    Does it only work with ICE-cream sandwich?

    1. I think so I am?
      Facepalm

      ICE cream is always better cold

  7. nigel 15

    if the phone is on and the ecryption key in ram

    why the need to dick about?

    1. Anonymous Coward
      Anonymous Coward

      Re: if the phone is on and the ecryption key in ram

      Because the OS does not allow you to read that information from RAM, so they need to start another OS (the frosty one) that does allow it, without losing the information available in RAM.

      1. Gerhard den Hollander

        Re: if the phone is on and the ecryption key in ram

        ... or the phone could be locked or ....

    2. dssf

      Re: if the phone is on and the ecryption key in ram

      Well, probably because it all sounded so.... "kewlllll".

      But, I thought this would be more like a "chill, peel", as in freezing the phone, and then peeling back the layers of an encryption chip or component. Interesting article... Umm, I meant "kewl" article...

  8. John H Woods Silver badge

    capacitor-based overwrite

    I've always wondered why devices don't include capacitors that can power them down sensibly in the few seconds after power failure. We were always warned about suddenly depowering HDDs, but I never understood why they couldn't contain a component holding enough charge to flush the cache and park the head. And in this case, a small capacitor on the mainboard, or in the RAM module, could zero the volatile memory in a few seconds.

    1. Keith 21
      FAIL

      Re: capacitor-based overwrite

      What size of capacitor do you think would be required?

      Let's take a typical mobile phone.

      Battery supplies 3.5V.

      Phone draws (very roughly) 0.125A

      If you want to keep the phone alive for 2 seconds to allow an orderly shutdown (which, for some phones, is WAY too short a time - try it!) then the size of capacitor you need is

      Capacitor = (0.125 * 2) / 3.5

      = 0.071F

      (It's actually way more than that because after 2 seconds the capacitor would be empty, but let's go with this figure for now).

      So, that's a 71mF capacitor (or a 71,000uF capacitor, given the a re usually specified in uF or pF).

      You might get away with 2 x 47,000uF capacitors in parallel.

      And you want to fit that inside your mobile phone?

      Good luck cramming those 2 capacitors, each 3cm in diameter and 5cm in length, into your tiny phone, John!

      1. Anonymous Coward
        Anonymous Coward

        Re: capacitor-based overwrite

        Actually super capacitors are pretty common place these days. You can get Farad range caps no problems. If youb want to go to the extreme then look no further than KERRS in F1 cars - they use capacitors to store electricity, and they get 80hp out of them.

        I remember seeing a pocket radio that had a supercap instead of a battery. If they keep improving them then we may end up using supercaps instead of batteries in phones too.

        1. bazza Silver badge

          Re: capacitor-based overwrite

          Indeed. Take a look at RS's website:

          http://uk.rs-online.com/web/p/electric-double-layer-capacitors/7116985/

          1. Keith 21
            FAIL

            Re: capacitor-based overwrite

            And good luck fitting 2 or more of THOSE into your slim smartphone...

        2. dssf

          Re: capacitor-based overwrite

          Is there any utility capability in these batteries for Boeing? Sounds like Boeing could string a dozen or so of these along the lower bay and have them power all sorts of things... Maybe they coud even be under a membrane on the skin of the fuselage so if they cause problems, just do a fly-by-wire yank and jettison the cap. Or, if it is not self-fueling, self-consuming, just kill the wire feeds.

      2. t.est

        Re: capacitor-based overwrite

        Well the idea is not bad, if the capacitors would sitt in ram, it would be easy to manufacture ram that on power-cut would zero it's own content memory. No need to power up the whole phone for that task.

        And if you don't want to build that feature into the ram chips, then make a small battery that can do it. However the zeroing of the ram chips should not be a OS feature.

        If you want to be completely secure you build this as a hardware feature onto the ram chips.

        1. Anonymous Coward
          Anonymous Coward

          Re: capacitor-based overwrite

          You don't need enough power to run the device, only enough power to zero the RAM.

          The case should have a tamper switch that would trigger it.

          In software you could also define other triggers such as extreme temperature (and provide override functionality if desired).

    2. Jason Bloomberg Silver badge

      Re: capacitor-based overwrite

      All that is probably needed to stop that working is a little more sophistication than 'whipping the battery out and in as quick as possible'. Just holding the CPU in reset or even shorting the power rail to 0V as the supply is pulled will discharge the capacitor and stop the CPU from doing the zeroing of memory.

      It adds an extra layer of protection that needs defeating but won't make a phone secure against attack. And if an attacker is after the information (rather than just fishing) they will probably be prepared to put that effort in. In fact there are almost certainly other ways to attack the phone and get a memory dump without having to freeze it so, while it's a novel attack vector, it's far from the only one.

      1. eldakka

        Re: capacitor-based overwrite

        The zeroing of RAM wouldn't be the CPUs responsibility.

        It should be lower level than that. Ideally it'd be on the RAM packaging itself, or directly on the memory bus.

    3. Daniel B.
      Boffin

      Re: capacitor-based overwrite

      IIRC higher security devices like HSMs do have something like this implemented. It doesn't just activate on power-down, it will also be triggered if someone opens the box; that's why those devices have a higher FIPS 140-2 cert than regular mobile devices.

      But then HSMs are 1U rack devices, not sure if that mechanism is small enough to fit inside a phone...

    4. Anonymous Coward
      Anonymous Coward

      Small capacitors exist

      Intel 320 SSDs include six 470µF capacitors to write the contents of RAM to flash (unwritten user data isn't stored in RAM, but the FTL maps are) They have pretty much the same size/volume as a mobile phone, so if they fit in the SSD they can fit in a phone.

      However, you don't need to do that. Just have a really tiny built in battery alongside the main removable (well in most, but not all Android phones) battery. So that if the main battery drains or is removed there is still the tiny secondary battery to do whatever is necessary for a clean shutdown.

      Best of all, always zero out the RAM first thing in the boot process. I assume Android probably does this, but the use of the "fast boot" probably skips that step. Don't skip that step and make your fast boot a little slower, and this attack will be thwarted.

      Of course, anyone who has your phone in their possession can freeze it and disassemble it to remove the RAM chips and read them. Not exactly a "do at home" task, so while this wouldn't allow a jealous husband to read his wife's texts, it would allow a corporate spy to snag the competition's secrets.

      Unless a phone is built to be tamper proof, which AFAIK no consumer phones are, the RAM removal attack will work for any OS - assuming you can figure out where in RAM the encryption key is kept. That will be easier on Android since you have source than it would be on closed source operating systems like iOS, WP8 or BB. But once you find it, it will presumably be simple to find again on other phones of the same make. ASLR may mean the high bits are different every time, but it will be in the same location on the page each time with the same stuff around it.

      1. Michael Wojcik Silver badge

        Re: Small capacitors exist

        Of course, anyone who has your phone in their possession can freeze it and disassemble it to remove the RAM chips and read them. Not exactly a "do at home" task, so while this wouldn't allow a jealous husband to read his wife's texts, it would allow a corporate spy to snag the competition's secrets.

        I don't know - disassembling a phone could well be an at-home task for many folks. I've never tried taking apart a modern smartphone, but I've done plenty of workbench PCB mods on consumer devices in my day. Phones are smaller, with smaller feature sizes and surface-mount components and other complications, but I don't see why you couldn't have the necessary equipment at home. Nothing excessively expensive, bulky, power-consuming, sensitive, etc is required, as far as I can tell.

        That said, though, changing the phone design so that the attack is difficult to mount without disassembly does increase the work factor significantly, and it removes the currently-plausible scenario of an undetected attack - where the attacker steals the phone, gains access, copies data and/or installs malware, and returns the phone with the victim none the wiser.

    5. Muhammad Imran/mi1400
      Thumb Up

      Re: capacitor-based overwrite

      you are right... and this is how govt agencies survive... move your sight across other similar things not being improved.

      Fake passports: there can be 101 ways to further improve but it will stop CIA and like to move around a litle more difficultly.

      Nikon D4s: no wehere to be seen yet cuz at 204,8000 ISO .... U.S night visions companies will start to starve.

    6. Suricou Raven

      Re: capacitor-based overwrite

      That would complicate the process, but there would be other ways to ensure abrubt powerdown and reset. Open case and short pins, perhaps. Or magnetic pulse - I've done that to a mobile before while using it to film a can-crusher I built.

    7. Anonymous Coward
      Anonymous Coward

      Re: capacitor-based overwrite

      Or don't store the keys in the DRAM.

      Sacrificing some register space (of which an ARM has plenty) would be one way to mitigate this sort of thing.

  9. Anonymous Coward
    Anonymous Coward

    "Why don't business use Android instead of Blackberry or iOS devices"......

    Now you know why. That said, Blackberry devices are more secure the iOS, but BB10 is an unknown quantity.

    1. Anonymous Coward
      Anonymous Coward

      Are you for real?

      Do you even vaguely know how badly broken ios and blackberry security is?

      1. Daniel B.
        Boffin

        Re: Are you for real?

        iOS is broken, indeed.

        But Blackberry (both OSen) actually have FIPS 140-2 certifications, something that none of the other OSen have achieved, not even Winbugs Phone 7/8.

        FWIW I have never even seen BB jailbreaks being available...

        1. Mookster
          FAIL

          Re: Are you for real?

          Which goes to show how laughable FIPs is.

          There's very little protection on BB from malicious apps. For instance apps can even inject keypresses. So, one bad app and "all your data are ours". The only reason that BB is used safely, is that they tend to be locked down by the company IT department.

          -Mook

          1. Daniel B.
            Boffin

            Re: Are you for real? @Mookster

            "There's very little protection on BB from malicious apps. For instance apps can even inject keypresses."

            All those actions require the permissions to do so being granted by the user. You can actually block apps from doing such things by setting an explicit Deny on those ops, having a granular security model allows BB to do that.

            iOS, as far as I remember, *doesn't* have that granular security, thus the iMob (?) apps were able to grab personal info and send it to the devs. Android might have those safeguards, being based on lookalike-Java; BB has that security model because of Java. I do wonder if they kept it for BB10, though...

        2. Suricou Raven

          Re: Are you for real?

          Does anyone *want* a BB jailbreak?

        3. TheVogon

          Re: Are you for real?

          FYI - Windows Phone 8 is designed to be FIPS 140-2 compliant and uis currently undergoing certification.

      2. t.est

        Re: Are you for real?

        Well less broken than android security.

        That doesn't mean iOS or Blackberry would be secure.

    2. Anonymous Coward
      Anonymous Coward

      And this same attack vector

      wouldn't work on Blackberry or iOS devices because...?

      1. Andy ORourke
        Happy

        Re: And this same attack vector

        you ever tried taking out a battery on an iPhone, quickly or otherwise?

  10. leon stok
    Thumb Down

    Cold Boot Attack ?

    So somebody repeated the cold boot attack from 5 years ago on a mobile phone?

    http://www.engadget.com/2008/02/21/cold-boot-disk-encryption-attack-is-shockingly-effective/

    1. Michael Wojcik Silver badge

      Re: Cold Boot Attack ?

      So somebody repeated the cold boot attack from 5 years ago on a mobile phone?

      Yes. What's interesting here is:

      - Demonstrating it on a mobile phone

      - The fact that mobile phones are, er, mobile, which makes it easier to grab a phone and carry the attack out at your leisure (and makes it easier to fit in your freezer, for that matter)

      - The FROST software, which goes a long way to automating the attack; this is nearly at script-kiddie level of simplicity

      This is how security research works. When Matsui invented linear cryptanalysis and demonstrated it against DES, everyone didn't just say "oh, that's nice", and then forget about it. They tried attacking other block ciphers with LC. When AlephOne wrote "Smashing the stack for fun and profit", people went out and conducted a whole bunch of stack-smashing attacks to see what was vulnerable and refine the technique. Just because an idea's been published once doesn't mean there's no benefit in extending it to another target.

  11. Paul Shirley

    will be easy to neuter but not for existing phones

    If future bootloader versions randomise RAM on startup this exploit vanishes. Won't help current devices though.

    I've always said, if they get physical possession of the device assume your data can be read. This is just one way to do it without dismantling the phone. Does appear that drive encryption is still effective with the default locked bootloader. Unlock it and you should know the device is compromised, you unlock to hack them after all.

    1. Anonymous Coward
      Anonymous Coward

      Re: will be easy to neuter but not for existing phones

      Won't the memory map need to be in memory to access the randomized memory?

      1. Paul Shirley

        Re: will be easy to neuter but not for existing phones

        The bootloader has write access to RAM and the mapping hardware or it couldn't load anything. Trivial to overwrite RAM from it.

  12. John Smith 19 Gold badge
    Coat

    Clearly this sheds a Muller light on you Android phone data.

    I'll just get my heavily insulated coat for a trip to the freezer.

  13. Firmware Flush

    Firmware Flush

    Its usually common practice to reset the device in to a known state, forcing all registers to default values. Surprised they didn't flush the RAM with zeros in firmware when powered on.

    Soruce: I work as an embedded engineer and design ASIC/FPGA switching fabrics

  14. Pondule

    designed to extract encrypted data from RAM

    Is the data encrypted in RAM as well as in flash or should that read "encryption data"?

  15. Russ Tarbox
    Thumb Up

    I remember seeing the effects of remanence on older graphics cards.

    Booting Windows 98 you'd sometimes see a flash of your desktop before restart when the screen mode changed for the bootup screen.

  16. CJatCTi
    FAIL

    Only for rooted phones

    Before you can load a custom recovery your phone has to be rooted. A lot of phones can't be routed, others like HTC only let you root it once it's defaulted the phone.

    So what % of phones have a data worth getting & are rooted?

  17. Anonymous Coward
    Holmes

    If they go to all this trouble, why use the battery instead of at the most basic level, stripping a USB cable and sticking the ends to the phone battery terminal so save the quick swap. That way you could automate the process for non techincal users.

  18. Will Godfrey Silver badge

    I think the only reasonable way to deal with this is to change the nature of the RAM itself so when the supply voltage drops below a certain threshold all cells are zeroed. This might be done by making a normally negative substrate go to the (decaying) positive rail. It would only have to remain there for a few nanoseconds which could be engineered by some quite small internal caps - that's what the cells are basically anyway.

    Whether the benefits would outweigh the costs is left as an exercise for the students :)

  19. Anonymous Coward
    Anonymous Coward

    as opposed to hardware man in the middle?

  20. karma mechanic

    Chilling it all the way down to 10 degrees C?

    Perhaps a minus sign has escaped somewhere.

    1. NukEvil

      Probably disappeared when the RAM degraded...

    2. david 12 Silver badge

      Perhaps a minus sign has escaped somewhere.

      I thought so too, but reading the references makes it clear that this really is a room-temperature demonstration. At 10C they've got a second or two to read the ram, and that's all they need.

      That said, it's clear that this only affects people who are actually using encryption for some valuable reason, ie 0.0% of all users.

      1. karma mechanic

        Re: Perhaps a minus sign has escaped somewhere.

        I'm still puzzled. From their own instructions:

        5) Let the phone inside a -15 degree Celsius freezer for about 60 minutes.

        6) After an hour, the phone temperature should be below 10 degree.

        Yes, I'd expect a frozen frosticle after an hour.

        But then they show a thermometer with a reading of 8 degrees...

        1. Anonymous Coward
          Anonymous Coward

          Re: Cooling rate

          I think that would be because the phone is running at the time.

          They only pull the battery after it's cooled down. The device has to be cold for the technique to work, you see.

  21. boatman

    Very interesting but somewhat redundant?

    Most phones are secured with a 4 character pin that usually consists numbers would make brute force a much more promising approach.

    1. Suricou Raven

      Re: Very interesting but somewhat redundant?

      They'll lock the phone completely for some time after a number of failed attempts. Trying it via the usual entry means would work, eventually, but take a lot of time. You'd need to make something like a little robot that could operate the touchscreen.

      1. t.est

        Re: Very interesting but somewhat redundant?

        on iOS full wipe at 10th fail.

  22. Comments are attributed to your handle
    Meh

    This is no more notable than any other documented cold boot attack.

  23. Steven Davison

    Re: Perhaps a minus sign has escaped somewhere.

    If the device has been running a while, it's likely its internal temperature is a fair deal higher than room temp, which might account for the hour to chill it down... i guess...

This topic is closed for new posts.

Other stories you might like