A team of researchers in Germany has demonstrated a surprising attack on Android phones, where they managed to grab stored cryptographic keys. This time the experiment distinguished itself by requiring that the target phone first be chilled in a freezer for an hour.
At issue are the encryption tools rolled out for Android 4.0, aptly named Ice Cream Sandwich. “For the first time, Android smartphone owners were supplied with a disk encryption feature that transparently scrambles user partitions, thus protecting sensitive user information against targeted attacks that bypass screen locks,” wrote the team from Erlangen’s Friedrich-Alexander University.
“On the downside, scrambled telephones are a nightmare for IT forensics and law enforcement, because once the power of a scrambled device is cut any chance other than bruteforce is lost to recover data.”
“Ice” to See You, Private Data
Because information fades more slowly from RAM chips when they are very cold, the team had a critical window of opportunity to snag the cryptographic keys. The technique is called a “cold boot” attack, and has reportedly been shown to work on computers in the past. The team notes that their experiment demonstrated that such attacks work on a variety of devices, including mobile phones.
First, they placed the target phone in a freezer. Their goal was to keep the phone at around -15C for about an hour. Interestingly, they reported that this appears not to damage the phone.
Once it was adequately cold, the team quickly disconnected and reconnected the battery. Because the device they used to demonstrate the attack did not have a reset button, they wrote that the phone should be unpowered for no more than 500ms.
Then, they activated the phone’s “fastboot mode” by holding the power button and volume button at the same time. In this mode, the team was able to run their software and recover the keys to decrypt the device’s user partition.
The team also noted that they could potentially access other information, “such as contact lists, visited web sites, and photos, directly from RAM, even though the bootloader is locked.”
While startling, it’s important to remember that this attack isn’t easy to pull off. For one thing, an attacker would need physical access to your phone, and a (very, very) cold freezer for over an hour. It also requires a thorough knowledge of Android, and lightning reflexes to perform the battery disconnect/fastboot maneuver.
The team also conceded that, “to break disk encryption, the bootloader must be unlocked before the attack because scrambled user partitions are wiped during unlocking.”
It’s worth noting that while this attack has only been demonstrated to work on Android 4.0, 28.6 percent of Android devices still use this version of the OS.
In short, this is a tricky hack to pull off. But while it might not be feasible for most, it does demonstrate that no security system is entirely safe. So the next time you see someone slinking off to the freezer with a cellphone in their hand, make sure it’s not your data they’re trying to steal.