Hackers and data recovery specialists alike could soon be turning to a new technique that under the right conditions can allow for the harvesting of personal information from phones, even after they’ve been frozen.
A group of German researchers from the University of Erlangen-Nuremberg have discovered a new way to potentially scrape encrypted data from Android phones after they’ve been stowed away in a freezer for an hour or so.
The group’s method involves extracting valuable RAM information from a phone, in particular the Samsung Galaxy Nexus, using a “cold boot attack.”
The technique makes use of both Android 4.0’s disk encryption and the device’s “remanence,” the bits of residual information that hang around after it’s either been erased or the device has been powered off.
The group behind the attack, Tilo Mueller and Michael Spreitzenbarth, both researchers at the school’s Department of Computer Science, detail their discovery in an aptly titled paper: FROST, “Forensic Recovery Of Scrambled Telephones” (.PDF) available here.
First the researchers lowered the temperature of a phone to about five degrees Fahrenheit. The colder the device is, the longer it takes before its RAM will fade away. From there, the two removed the phone from the freezer and quickly removed the battery from the device. While doing that the two held down both the power button and the volume buttons simultaneously to send the phone into “fastboot” mode. In fastboot mode the phone can normally be connected to PCs via USB but in this case, they took those split seconds to quickly flash their recovery image (frost.img) onto the device.
From there, they selected “Recovery Mode” and booted the phone up using their own FROST mode to decrypt the user’s partition.
The group’s paper notes that “RAM contents are necessarily left unencrypted” on these phones and with a little physical know-how, can be read.
Through the technique the two were able to partially and fully uncover “emails, photos, contacts, calendar entries, WiFi credentials, and even the disk encryption key” on the device.
The disk encryption key would really only come in handy if the user had left his phone’s bootloader unlocked. Since Google routinely wipes the user’s partition if it’s attempted to be unlocked, “these partitions get zero-filled“ and according to the paper, it “as a consequence … becomes pointless to retrieve encryption keys from RAM.”
The group notes that since cellphones get switched off so infrequently, they can still contain a valuable cache of information and since the group’s technique doesn’t require the prior installation of software, their attack can still prove useful.
The two found they were able to fully recover address book contacts, thumbnail pictures, WiFi credentials and full chat transcripts from the popular app WhatsApp. The two were even able to recover plaintext passwords and countless bits of webpage residue like site logos and HTML. All in all, dozens of bits of personal information were harvested from the phone’s RAM.
Going forward the two hope to implement the attack on more Android phones than just the Galaxy Nexus and find a way to glean even more information from the phone’s RAM, including “GPS coordinates and the list of recent phone calls.”
For a complete rundown of the group’s work, including a series of photographs diagramming the attack, head to the school’s Department of Computer Science site.
