Android Freezing Security Flaw
Android has earned praise recently for its encyrption and other security features, leading certain Android smartphones to be taken up by governments and businesses that would have traditionally only used Blackberry. But today that sense of security has been rapidly undone as a group of German researchers found the encryption could be broken with a simple household device: a freezer.
The team in Germany found they were able to access photos, messages and more encrypted data on the Android phones despite the recent addition of strong security in the Ice Cream Sandwich update which enables disk encryption on the phones.
Effectively the encryption relies on the short time that the keys are stored in the RAM of a device before disappearing. The German team knew that RAM lost the contents of its memory slower at lower temperatures, so placed the phone in a freezer at around -15 degrees Celsius.
The difference is apparently between the RAM losing its data in about 1 to 2 seconds at 30 degrees to about five to six seconds at the freezer temperatures. This might not sound much difference, but the 1 to 2 seconds wouldn’t allow time to access terminal and thus the memory, while 5 to 6 seconds does. The technical term for the process is remanence.
After the phone had been frozen for an hour they removed and put back in the battery quickly, which would usually have led to the keys being deleted meaning users would have to input their passcode again to get into their phones. But because the RAM was cold it hadn’t deleted the keys yet, so their software was able to access these which would have given it access to the contents of the phone such as messages, contacts, photos and more.
The team at the University of Erlangen led by Tilo Mueller and Michael Spreitzenbarth called this cold boot attack FROST meaning Forensic Recovery of Scrambled Telephones. It is similar to an old technique used on computers that was demonstrated by Forbes magazine in 2008.
While it’s unlikely many amateurs would try this method because of the effort and software required, it’s potentially being used by governments and corporate hackers already on stolen smartphones.
Of course prior to the Ice Cream Sandwich update the encryption system didn’t exist and most of us were fine with our Android phones, so there’s no real reason to be worried unless you store sensitive information and fear your phone might be stolen for access to it.
Some users might be put off Android because of the flaw. Indeed recent articles in big publications like BBC News despite pointing to the fact most users won’t be affected will likely lead some to choose alternative platforms when they don’t need to. Sadly for Google there’s probably not much that can be done about the security flaw in the immediate future as Smartphone manufacturers often don’t push out Android updates fast enough to make any fix effective, and because fixes involving RAM are more complex and will need extensive testing across devices before they can be released to the public.