
cool!
*groan*
Computer scientists at the Friedrich-Alexander University of Erlangen-Nuremberg, Germany (FAU) have demonstrated that it is possible for unauthorized parties to recover data from encrypted Android smartphones using cold boot attacks. And when they say cold, they mean it – below 10°C, to be precise. Android has included built- …
Well, probably because it all sounded so.... "kewlllll".
But, I thought this would be more like a "chill, peel", as in freezing the phone, and then peeling back the layers of an encryption chip or component. Interesting article... Umm, I meant "kewl" article...
I've always wondered why devices don't include capacitors that can power them down sensibly in the few seconds after power failure. We were always warned about suddenly depowering HDDs, but I never understood why they couldn't contain a component holding enough charge to flush the cache and park the head. And in this case, a small capacitor on the mainboard, or in the RAM module, could zero the volatile memory in a few seconds.
What size of capacitor do you think would be required?
Let's take a typical mobile phone.
Battery supplies 3.5V.
Phone draws (very roughly) 0.125A
If you want to keep the phone alive for 2 seconds to allow an orderly shutdown (which, for some phones, is WAY too short a time - try it!) then the size of capacitor you need is
Capacitor = (0.125 * 2) / 3.5
= 0.071F
(It's actually way more than that because after 2 seconds the capacitor would be empty, but let's go with this figure for now).
So, that's a 71mF capacitor (or a 71,000uF capacitor, given they are usually specified in uF or pF).
You might get away with 2 x 47,000uF capacitors in parallel.
And you want to fit that inside your mobile phone?
Good luck cramming those 2 capacitors, each 3cm in diameter and 5cm in length, into your tiny phone, John!
Actually supercapacitors are pretty commonplace these days. You can get Farad-range caps no problem. If you want to go to the extreme then look no further than KERS in F1 cars - they use capacitors to store electricity, and they get 80hp out of them.
I remember seeing a pocket radio that had a supercap instead of a battery. If they keep improving them then we may end up using supercaps instead of batteries in phones too.
Is there any utility capability in these batteries for Boeing? Sounds like Boeing could string a dozen or so of these along the lower bay and have them power all sorts of things... Maybe they could even be under a membrane on the skin of the fuselage so if they cause problems, just do a fly-by-wire yank and jettison the cap. Or, if it is not self-fueling, self-consuming, just kill the wire feeds.
Well, the idea is not bad. If the capacitors were in the RAM, it would be easy to manufacture RAM that zeroes its own memory content on power-cut. No need to power up the whole phone for that task.
And if you don't want to build that feature into the RAM chips, then make a small battery that can do it. However, the zeroing of the RAM chips should not be an OS feature.
If you want to be completely secure you build this as a hardware feature onto the ram chips.
You don't need enough power to run the device, only enough power to zero the RAM.
The case should have a tamper switch that would trigger it.
In software you could also define other triggers such as extreme temperature (and provide override functionality if desired).
All that is probably needed to stop that working is a little more sophistication than 'whipping the battery out and in as quick as possible'. Just holding the CPU in reset or even shorting the power rail to 0V as the supply is pulled will discharge the capacitor and stop the CPU from doing the zeroing of memory.
It adds an extra layer of protection that needs defeating but won't make a phone secure against attack. And if an attacker is after the information (rather than just fishing) they will probably be prepared to put that effort in. In fact there are almost certainly other ways to attack the phone and get a memory dump without having to freeze it so, while it's a novel attack vector, it's far from the only one.
IIRC higher security devices like HSMs do have something like this implemented. It doesn't just activate on power-down, it will also be triggered if someone opens the box; that's why those devices have a higher FIPS 140-2 cert than regular mobile devices.
But then HSMs are 1U rack devices, not sure if that mechanism is small enough to fit inside a phone...
Intel 320 SSDs include six 470µF capacitors to write the contents of RAM to flash (unwritten user data isn't stored in RAM, but the FTL maps are). They have pretty much the same size/volume as a mobile phone, so if they fit in the SSD they can fit in a phone.
However, you don't need to do that. Just have a really tiny built in battery alongside the main removable (well in most, but not all Android phones) battery. So that if the main battery drains or is removed there is still the tiny secondary battery to do whatever is necessary for a clean shutdown.
Best of all, always zero out the RAM first thing in the boot process. I assume Android probably does this, but the use of the "fast boot" probably skips that step. Don't skip that step and make your fast boot a little slower, and this attack will be thwarted.
Of course, anyone who has your phone in their possession can freeze it and disassemble it to remove the RAM chips and read them. Not exactly a "do at home" task, so while this wouldn't allow a jealous husband to read his wife's texts, it would allow a corporate spy to snag the competition's secrets.
Unless a phone is built to be tamper proof, which AFAIK no consumer phones are, the RAM removal attack will work for any OS - assuming you can figure out where in RAM the encryption key is kept. That will be easier on Android since you have source than it would be on closed source operating systems like iOS, WP8 or BB. But once you find it, it will presumably be simple to find again on other phones of the same make. ASLR may mean the high bits are different every time, but it will be in the same location on the page each time with the same stuff around it.
Of course, anyone who has your phone in their possession can freeze it and disassemble it to remove the RAM chips and read them. Not exactly a "do at home" task, so while this wouldn't allow a jealous husband to read his wife's texts, it would allow a corporate spy to snag the competition's secrets.
I don't know - disassembling a phone could well be an at-home task for many folks. I've never tried taking apart a modern smartphone, but I've done plenty of workbench PCB mods on consumer devices in my day. Phones are smaller, with smaller feature sizes and surface-mount components and other complications, but I don't see why you couldn't have the necessary equipment at home. Nothing excessively expensive, bulky, power-consuming, sensitive, etc. is required, as far as I can tell.
That said, though, changing the phone design so that the attack is difficult to mount without disassembly does increase the work factor significantly, and it removes the currently-plausible scenario of an undetected attack - where the attacker steals the phone, gains access, copies data and/or installs malware, and returns the phone with the victim none the wiser.
you are right... and this is how govt agencies survive... move your sight across other similar things not being improved.
Fake passports: there can be 101 ways to further improve, but it will stop CIA and the like from moving around a little more easily.
Nikon D4s: nowhere to be seen yet cuz at 204,8000 ISO .... U.S. night vision companies will start to starve.
Which goes to show how laughable FIPS is.
There's very little protection on BB from malicious apps. For instance apps can even inject keypresses. So, one bad app and "all your data are ours". The only reason that BB is used safely, is that they tend to be locked down by the company IT department.
-Mook
"There's very little protection on BB from malicious apps. For instance apps can even inject keypresses."
All those actions require the permissions to do so being granted by the user. You can actually block apps from doing such things by setting an explicit Deny on those ops; having a granular security model allows BB to do that.
iOS, as far as I remember, *doesn't* have that granular security, thus the iMob (?) apps were able to grab personal info and send it to the devs. Android might have those safeguards, being based on lookalike-Java; BB has that security model because of Java. I do wonder if they kept it for BB10, though...
So somebody repeated the cold boot attack from 5 years ago on a mobile phone?
Yes. What's interesting here is:
- Demonstrating it on a mobile phone
- The fact that mobile phones are, er, mobile, which makes it easier to grab a phone and carry the attack out at your leisure (and makes it easier to fit in your freezer, for that matter)
- The FROST software, which goes a long way to automating the attack; this is nearly at script-kiddie level of simplicity
This is how security research works. When Matsui invented linear cryptanalysis and demonstrated it against DES, everyone didn't just say "oh, that's nice", and then forget about it. They tried attacking other block ciphers with LC. When AlephOne wrote "Smashing the stack for fun and profit", people went out and conducted a whole bunch of stack-smashing attacks to see what was vulnerable and refine the technique. Just because an idea's been published once doesn't mean there's no benefit in extending it to another target.
If future bootloader versions randomise RAM on startup this exploit vanishes. Won't help current devices though.
I've always said, if they get physical possession of the device assume your data can be read. This is just one way to do it without dismantling the phone. Does appear that drive encryption is still effective with the default locked bootloader. Unlock it and you should know the device is compromised, you unlock to hack them after all.
I think the only reasonable way to deal with this is to change the nature of the RAM itself so when the supply voltage drops below a certain threshold all cells are zeroed. This might be done by making a normally negative substrate go to the (decaying) positive rail. It would only have to remain there for a few nanoseconds which could be engineered by some quite small internal caps - that's what the cells are basically anyway.
Whether the benefits would outweigh the costs is left as an exercise for the students :)
I thought so too, but reading the references makes it clear that this really is a room-temperature demonstration. At 10C they've got a second or two to read the ram, and that's all they need.
That said, it's clear that this only affects people who are actually using encryption for some valuable reason, ie 0.0% of all users.
I'm still puzzled. From their own instructions:
5) Let the phone inside a -15 degree Celsius freezer for about 60 minutes.
6) After an hour, the phone temperature should be below 10 degree.
Yes, I'd expect a frozen frosticle after an hour.
But then they show a thermometer with a reading of 8 degrees...
They'll lock the phone completely for some time after a number of failed attempts. Trying it via the usual entry means would work, eventually, but take a lot of time. You'd need to make something like a little robot that could operate the touchscreen.