FREEZING THE ANDROID
ICE CREAM SANDWICH
A COLD NEW WAY TO BYPASS ENCRYPTION ON
MOBILE PHONES
Research by: Tilo Muller, Michael
Spreitzenbarth and Felix Freiling of
Friedrich-Alexander University (FAU)
Presentation by:
Matthew Kwong
ANDROID OS 4.0 - ICS
• A new security feature on the ICS operating system
for Android smartphones scrambles user partitions
• Think of it as a second layer of security to protect
against attacks which bypass the lock screen (PIN
input)
• Even if the lock screen is bypassed, information still
cannot be obtained
• If the device powers down, there is no way to break
security except with brute force
[Diagram: Attacker → Lock Screen → Scrambled Partitions → Data]
•Attacks which attempt to figure out the PIN are
shown by the red path (social engineering)
•Attacks which bypass the lock screen are shown
in green (command prompt)
•Either way, both routes would be unable to
recover data because the partition itself is
scrambled
•But what if there is a way to bypass everything
and go straight for the data (in blue)?
RANDOM ACCESS MEMORY -
RAM
• RAM is memory which loses all its data when powered off
• But this does not happen right away – it takes 1-2 seconds
on average for data to fade into an unreadable state
• Furthermore, the electrical charge on memory chips fades
more slowly if the chip is chilled
• In other words, if you physically freeze the RAM, it will
lose its data at a slower rate than if it were at room
temperature
FORENSIC RECOVERY OF
SCRAMBLED TELEPHONES -
FROST
• Researchers physically chilled the Android phone in
order to grab data directly from the RAM
• By rapidly power cycling the phone and rebooting it
from an external USB, researchers could reboot the
phone using their own program before data
disappeared from the RAM
• More specifically, the researchers would reboot using
a forensic program called FROST, which quickly takes
an image of RAM contents before it fades
[Figure: A ‘Droid’ bitmap in RAM on Galaxy Nexus after powering off at room temperature, shown at 0, 0.5, 1, 2, 4 and 6 seconds]
•As you can see, the image starts to fade after
1-2 seconds – not enough time to make a copy
•Remember that the power must be turned off
and on, the USB plugged in and FROST run
before the data becomes incomprehensible
[Graph: Percentage of Data Lost vs. Time Elapsed (in seconds)]
•The optimal line is close to the lower right – long
time elapsed but small percentage of data lost
•As the temperature moves closer to freezing
point, results improve
[Figure: The same ‘Droid’ bitmap in RAM after powering off at 5-10°C, shown at 1-2 seconds and 4 seconds. Annotation: 4+ seconds – data loss accelerates from here]
•The key point is that bringing the phone close to
0°C significantly reduces the speed of data loss
•Whereas at room temperature data has almost entirely
faded at 4 seconds, there is only 25% loss at 5-10°C
•This gives investigators enough time to grab an
image of RAM contents to be analyzed later
[Figure annotation: Data taken and copied here]
THE PROCESS OF FROST
• You want to gain access to a phone, but do not have the PIN
• Place the phone inside a freezer
• Chill the phone to -15°C for 60 mins
• Check to see if the phone still works by hitting the power button
• Quickly disconnect and reconnect the battery (power cycling)
• This forces the phone into Fastboot (a vulnerable mode)
• Connect the phone through USB to a computer installed with FROST
• The FROST program will take a recovery image of the RAM
• If the decryption keys are found, reboot phone and collect further data
SOME ADDITIONAL
DETAILS
• FROST has the ability to search through memory for decryption
keys – it will look for blocks of data that resemble the output of
the AES algorithm used in Android phones
• The main goal is to find the decryption keys – but FROST may
also recover other sensitive information such as contacts and
web history
• This hack is unique in that it mainly targets a hardware loophole,
not software
• Disclaimer: Before you try this at home, be aware that phones
are not meant to be frozen and power cycled – they may or may not
survive
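Added example (not part of the original slides and not code from FROST): a small audit script for a RAM image of a device you manage, showing why key material left in memory is recognisable. It assumes the resident structure is an expanded AES-128 key schedule, i.e. 16 key bytes followed by the 160 bytes their own key expansion produces; the function names are hypothetical and the sample image is constructed from the public FIPS-197 test key.

```python
"""Scan a memory image for resident AES-128 key schedules (constructed demo)."""

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _build_sbox():
    # AES S-box: multiplicative inverse in GF(2^8), then the affine transform.
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        for s in (1, 2, 4):                                    # q /= 3
            q = (q ^ (q << s)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # 0 has no inverse, so it is set explicitly
    return sbox

SBOX = _build_sbox()

def expand_key_128(key):
    """Return the 176-byte AES-128 key schedule (FIPS-197 key expansion)."""
    w, rcon = bytearray(key), 1
    for i in range(16, 176, 4):
        t = bytes(w[i - 4:i])
        if i % 16 == 0:  # first word of each round key: RotWord, SubWord, Rcon
            t = bytes([SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]])
            rcon = ((rcon << 1) ^ (0x11B if rcon & 0x80 else 0)) & 0xFF
        w += bytes(a ^ b for a, b in zip(w[i - 16:i - 12], t))
    return bytes(w)

def find_key_schedules(image, max_bit_errors=0, step=4):
    """Return (offset, bit_errors) wherever 16 bytes are followed by their expansion."""
    # max_bit_errors tolerates decayed bits in the round keys only; a flipped bit
    # in the first 16 bytes changes the whole expansion and the block is missed.
    hits = []
    for off in range(0, len(image) - 175, step):
        expected = expand_key_128(image[off:off + 16])[16:]
        actual = image[off + 16:off + 176]
        errs = sum(bin(x ^ y).count("1") for x, y in zip(expected, actual))
        if errs <= max_bit_errors:
            hits.append((off, errs))
    return hits

def build_sample_image(flipped_bits=()):
    """Constructed sample: filler + schedule of the public FIPS-197 test key + filler."""
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    img = bytearray(bytes(range(256)) * 2 + expand_key_128(key) + bytes(range(256)) * 2)
    for byte_off, mask in flipped_bits:  # simulate decayed memory cells
        img[512 + byte_off] ^= mask
    return bytes(img)

if __name__ == "__main__":
    decayed = build_sample_image([(40, 0x01), (100, 0x80), (170, 0x10)])
    print(find_key_schedules(build_sample_image()))
    print(find_key_schedules(decayed), find_key_schedules(decayed, max_bit_errors=8))
```

A hit on an image taken after the key should have been discarded means the schedule was never wiped from RAM, which is the condition the chilled-memory capture depends on.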
NOW FOR THE FINAL
QUESTION: COULD THIS EVER
HAPPEN TO YOU*?
*Note: This is not a discussion question.
•While this sounds like a novel approach to
bypassing security, how feasible is it?
•The main drawback to FROST is that it requires
direct physical access to the phone in question
•The owner of the phone would also have to be
absent, since it is likely no sane person would allow
investigators to put his or her phone in the freezer
•But what if it is actually not that difficult to have
your phone seized?
CONSIDER THIS...
• Victoria police chief Jamie Graham has made a new
recommendation: to seize the mobile phones of
distracted drivers
• Under this proposal, distracted drivers could lose
their phones for 24hrs following a second offence
and 3-5 days for subsequent offences
• PROPOSAL, not law – still needs to be debated and
presented to the provincial government
• Only applies to British Columbia
TREADING ON THIN ICE
(NO PUN INTENDED)
• Of course, the police never explicitly state they will search your
phone within the 24 hours that they have access to it
• That said, you do not have to be a dangerous criminal to have your
phone seized
• Simply use your phone while driving (including at red lights) and
the police may take your phone
• Once seized, police theoretically could search your phone using
FROST or other methods
• In terms of legal rights, the searching of phones is still a grey
area – may or may not be allowed
SO WHY IS THIS
MENTIONED?
• Ultimately, legality is not the issue (most responses have
been negative)
• Regardless of whether this becomes law or not, it shows
that law enforcement is moving in the direction of
physically seizing phones
• Physical possession of a phone makes attacks such as
FROST feasible
• Furthermore, physical possession of someone else’s phone
is not as difficult or extreme a response as you might
think
SO IF YOUR ANDROID IS EVER
RETURNED COLD, BE WARNED: YOU
MAY HAVE BEEN HIT BY FROST (NOT
THE WATERY KIND)
Sources Used:
•FAU - http://www1.cs.fau.de/frost
•Naked Security - http://nakedsecurity.sophos.com/2013/02/18/can-freezing-and-android-device-crack-its-keys/
•The Province - http://www.theprovince.com/news/bc/Police+could+seize+mobile+phones+hours+they+proposed+changes/8069132/story.html
•Wallpapers – opera.com, deviantart.com, alphacoders.com, nice-cool-pics.com
•Android image is courtesy of FAU; graph is courtesy of Naked Security
