1. FREEZING THE ANDROID
ICE CREAM SANDWICH
A COLD NEW WAY TO BYPASS ENCRYPTION ON
MOBILE PHONES
Research by: Tilo Muller, Michael
Spreitzenbarth and Felix Freiling of
Friedrich-Alexander University (FAU)
Presentation by:
Matthew Kwong
2. ANDROID OS 4.0 - ICS
• A new security feature on the ICS operating system
for Android smartphones scrambles user partitions
• Think of it as a second layer of security to protect
against attacks which bypass the lock screen (PIN
input)
• Even if the lock screen is bypassed, information still
cannot be obtained
• If the device powers down, there is no way to break
security except with brute force
3. [Diagram: Attacker, Lock Screen, Scrambled Partitions, Data, with red, green and blue attack paths]
• Attacks which attempt to figure out the PIN are
shown by the red path (social engineering)
• Attacks which bypass the lock screen are shown
in green (command prompt)
• Either way, both routes would be unable to
recover data because the partition itself is
scrambled
• But what if there is a way to bypass everything
and go straight for the data (in blue)?
4. RANDOM ACCESS MEMORY -
RAM
• RAM is memory which loses all its data when powered off
• But this does not happen right away – it takes 1-2 seconds
on average for data to fade into an unreadable state
• Furthermore, the electrical charge on memory chips fades
more slowly if the chip is chilled
• In other words, if you physically freeze the RAM, it will
lose its data at a slower rate than if it were at room
temperature
5. FORENSIC RECOVERY OF
SCRAMBLED TELEPHONES -
FROST
• Researchers physically chilled the Android phone in
order to grab data directly from the RAM
• By rapidly power cycling the phone and rebooting it
from an external USB, researchers could reboot the
phone using their own program before data
disappeared from the RAM
• More specifically, the researchers would reboot using
a forensic program called FROST, which quickly takes
an image of RAM contents before it fades
6. [Figure: A ‘Droid’ bitmap in RAM on Galaxy Nexus after powering off at room temperature, shown at 0, 0.5, 1, 2, 4 and 6 seconds]
• As you can see, the image starts to fade after
1-2 seconds – not enough time to make a copy
• Remember that the power must be turned off
and on, the USB plugged in and FROST run
before the data becomes incomprehensible
7. [Graph: Percentage of Data Lost against Time Elapsed (in seconds)]
• The optimal line is close to the lower right – long
time elapsed but small percentage of data lost
• As the temperature moves closer to freezing
point, results improve
8. [Figure: The same ‘Droid’ bitmap in RAM after powering off at 5-10°C. Panel labels: 1-2 seconds; 4 seconds; 4+ seconds – data loss accelerates from here. Annotation: data taken and copied here]
• The key point is that bringing the phone close to
0°C significantly reduces the speed of data loss
• Whereas data has almost entirely faded after 4 seconds
at room temperature, there is only 25% loss at 5-10°C
• This gives investigators enough time to grab an
image of RAM contents to be analyzed later
9. THE PROCESS OF FROST
• You want to gain access to a phone, but do not have the PIN
• Place the phone inside a freezer
• Chill the phone to -15°C for 60 mins
• Check to see if the phone still works by hitting the power button
• Quickly disconnect and reconnect the battery (power cycling)
• This forces the phone into Fastboot (a vulnerable mode)
• Connect the phone through USB to a computer installed with FROST
• The FROST program will take a recovery image of the RAM
• If the decryption keys are found, reboot phone and collect further data
10. SOME ADDITIONAL
DETAILS
• FROST has the ability to search through memory for decryption
keys – it will look for blocks of data that resemble the output of
the AES algorithm used in Android phones
• The main goal is to find the decryption keys – but FROST may
also recover other sensitive information such as contacts and
web history
• This hack is unique in that it mainly targets a hardware loophole,
not software
• Disclaimer: Before you try this at home, be aware that phones
are not meant to be frozen and power cycled – it may or may not
survive
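The key search described in the bullets above, as an added example that is not part of the original slides and is not FROST's code: it assumes AES-128 and uses the well-known key-schedule test (an expanded key occupies 176 bytes in which every 4-byte word is determined by earlier words), tolerating a few decayed bits. The function names, the error threshold and the sample image (built from the FIPS-197 example key) are constructed for illustration.

```python
# Added example (not FROST's code); assumes AES-128 and a key-schedule search.
def gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial 0x11B."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

def _sbox():
    box = []
    for x in range(256):
        s = inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        for sh in range(1, 5):  # affine transform: XOR of four left rotations
            s ^= ((inv << sh) | (inv >> (8 - sh))) & 0xFF
        box.append(s ^ 0x63)
    return box
S = _sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def predict(buf, i):
    """Bytes i..i+3 of an AES-128 schedule, derived from the bytes before them."""
    t = buf[i - 4:i]
    if i % 16 == 0:  # first word of each round key: RotWord, SubWord, Rcon
        t = bytes([S[t[1]] ^ RCON[i // 16 - 1], S[t[2]], S[t[3]], S[t[0]]])
    return bytes(a ^ b for a, b in zip(buf[i - 16:i - 12], t))

def expand_key(key):
    sched = bytearray(key)
    for i in range(16, 176, 4):
        sched += predict(sched, i)
    return bytes(sched)

def schedule_errors(block):
    """Bits in a 176-byte block that disagree with the schedule recurrence."""
    return sum(bin(p ^ c).count("1") for i in range(16, 176, 4)
               for p, c in zip(predict(block, i), block[i:i + 4]))

def find_aes128_keys(image, max_bit_errors=16):
    """Return (offset, key hex) for windows that are near-valid schedules."""
    return [(off, image[off:off + 16].hex()) for off in range(len(image) - 175)
            if schedule_errors(image[off:off + 176]) <= max_bit_errors]

def sample_image():
    """Constructed input: filler around the FIPS-197 example key's schedule."""
    sched = bytearray(expand_key(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")))
    for pos in (40, 90, 130):  # flip three bits to imitate decay
        sched[pos] ^= 0x04
    filler = bytes((37 * i + 11) & 0xFF for i in range(64))
    return filler + bytes(sched) + filler
```

`find_aes128_keys(sample_image())` returns `[(64, '2b7e151628aed2a6abf7158809cf4f3c')]`. This redundancy is why a key held in RAM stands out from the surrounding data even after some bits have decayed.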
11. NOW FOR THE FINAL
QUESTION: COULD THIS EVER
HAPPEN TO YOU*?
*Note: This is not a discussion question.
• While this sounds like a novel approach to
bypassing security, how feasible is it?
• The main drawback to FROST is that it requires
direct physical access to the phone in question
• The owner of the phone would also have to be
absent, since it is likely that no sane person would allow
investigators to put his or her phone in the freezer
• But what if it is actually not that difficult to have
your phone seized?
12. CONSIDER THIS...
• Victoria police chief Jamie Graham has made a new
recommendation: to seize the mobile phones of
distracted drivers
• Under this proposal, distracted drivers could lose
their phones for 24hrs following a second offence
and 3-5 days for subsequent offences
• PROPOSAL, not law – still needs to be debated and
presented to the provincial government
• Only applies to British Columbia
13. TREADING ON THIN ICE
(NO PUN INTENDED)
• Of course, the police never explicitly state they will search your
phone within the 24 hours that they have access to it
• That said, you do not have to be a dangerous criminal to have your
phone seized
• Simply use your phone while driving (including at red lights) and
the police may take your phone
• Once seized, police theoretically could search your phone using
FROST or other methods
• In terms of legal rights, the searching of phones is still a grey
area – may or may not be allowed
14. SO WHY IS THIS
MENTIONED?
• Ultimately legality is not the issue (most responses have
been negative)
• Regardless of whether this becomes law or not, it shows
that law enforcement is moving in the direction of
physically seizing phones
• Physical possession of a phone makes attacks such as
FROST feasible
• Furthermore, taking physical possession of someone else’s phone
is not as difficult or extreme a response as you might
think
15. SO IF YOUR ANDROID IS EVER
RETURNED COLD, BE WARNED: YOU
MAY HAVE BEEN HIT BY FROST (NOT
THE WATERY KIND)
Sources Used:
• FAU - http://www1.cs.fau.de/frost
• Naked Security - http://nakedsecurity.sophos.com/2013/02/18/can-freezing-and-android-device-crack-its-keys/
• The Province - http://www.theprovince.com/news/bc/Police+could+seize+mobile+phones+hours+they+proposed+changes/8069132/story.html
• Wallpapers – opera.com, deviantart.com, alphacoders.com, nice-cool-pics.com
• Android image is courtesy of FAU; graph is courtesy of Naked Security