Researchers at the University of Erlangen-Nuremberg in Germany have developed a chilling way to recover data from encrypted Android devices.
The Android 4.0 operating system, known as ‘Ice Cream Sandwich’, offers its users full disk encryption as standard to protect sensitive data on lost or stolen devices. This feature does, however, have to be activated by the end user. Once activated, the encryption software permanently scrambles all passwords, codes and security data on the phone, meaning access to this information is only granted to users with the correct password or PIN.
Disk encryption is a great security feature, especially for the increasing number of mobile devices that are easily lost, misplaced and stolen. Encryption can, however, cause problems further along the chain, in legal situations and IT forensics. This is why the German researchers have developed FROST – Forensic Recovery of Scrambled Telephones, a program designed to extract encrypted data from Android devices.
FROST requires two types of cold boot attack in order to access scrambled data, one more literal than the other. Firstly, the device must have the power cut, for example by removing the battery and not allowing the OS to shut down properly. Once this has been done, the phone gets the real cold treatment: its temperature is lowered to below 10°C. How to do this, you ask? Pop it in the freezer! An hour in a freezer will lower the temperature enough for the encrypted information to be retrieved.
The reason the device must be chilled to a low temperature is that the RAM chip won’t wipe instantly; the information gradually fades away. This gives an optimum window of opportunity to retrieve encrypted data, and freezing the chip essentially freezes this fading. The colder the chip, the longer the period of time granted for potential recovery.
When the frozen device is restarted, a combination of buttons must be hit to boot it into fastboot mode. When activated, this mode allows the phone’s RAM to be searched for AES encryption keys; once found, the data is open for decryption by booting FROST. Contacts, messages, images and much more were retrievable using the freezing FROST method.
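Why an AES key sitting in RAM can be picked out of a memory image at all, even after some bits have faded: the cipher keeps an expanded key schedule whose round keys are each derivable from the one before, so a consistency check finds it. The following is an added example, not FROST's code (the article does not describe how FROST's search is implemented); it assumes AES-128, and the sample image is constructed from the FIPS-197 example key.

```python
def gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial 0x11B."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _sbox_entry(x):
    inv = 1
    for _ in range(254):  # x**254 is the field inverse; 0 stays 0
        inv = gmul(inv, x)
    rot = lambda n: ((inv << n) | (inv >> (8 - n))) & 0xFF
    return inv ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4) ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]
RCON = [1, 2, 4, 8, 16, 32, 64, 128, 0x1B, 0x36]

def next_round_key(prev, rcon):
    """Derive the following AES-128 round key from the previous 16 bytes."""
    word = bytes([SBOX[prev[13]] ^ rcon, SBOX[prev[14]], SBOX[prev[15]], SBOX[prev[12]]])
    out = b""
    for c in range(0, 16, 4):
        word = bytes(a ^ b for a, b in zip(prev[c:c + 4], word))
        out += word
    return out

def expand_key(key):
    """176-byte schedule that an AES-128 implementation keeps in RAM."""
    sched = bytes(key)
    for rcon in RCON:
        sched += next_round_key(sched[-16:], rcon)
    return sched

def schedule_errors(window):
    """Bits by which a 176-byte window deviates from a valid key schedule."""
    bad = 0
    for i, rcon in enumerate(RCON):
        want = next_round_key(window[16 * i:16 * i + 16], rcon)
        got = window[16 * i + 16:16 * i + 32]
        bad += sum(bin(a ^ b).count("1") for a, b in zip(want, got))
    return bad

def find_key_schedules(dump, max_bit_errors=0):
    """Return (offset, first_16_bytes_hex, bit_errors) for schedule-like regions."""
    scored = ((off, schedule_errors(dump[off:off + 176])) for off in range(len(dump) - 175))
    return [(off, dump[off:off + 16].hex(), bad) for off, bad in scored if bad <= max_bit_errors]

SAMPLE_DUMP = bytes(300) + expand_key(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")) + bytes(300)  # constructed image
```

Raising `max_bit_errors` models the gradual fading described above: a schedule with a few decayed bits still scores far below unrelated memory. This is the reason disk encryption keys held in ordinary RAM are exposed for as long as the device is powered on and unlocked.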
The research was carried out using a Samsung Galaxy Nexus handset. The university will next test the same method using various other Android devices to give a clearer image of how and where the frosty technology could be used.