Share This article
The attack vector used by Tilo Müller, Michael Spreitzenbarth, and Felix Freiling is referred to as a cold boot attack. Cold booting (or hard booting) is where you reboot a system by cutting the power completely, and then turning back on. When you restart a computer normally (i.e. a warm reboot), there are usually processes in place that clear/sanitize the system’s memory — but by cold booting and bypassing these processes, the contents of any RAM are preserved.
“But RAM is volatile,” you decry. “RAM loses its data as soon as power is cut,” you plea — and yes, to an extent, you are right. RAM is volatile, and it does require regular spikes of power to retain its data — but when power is cut, it actually takes a few seconds or minutes for the data to be lost. If you have some way of reading the RAM, you can extract all sorts of sensitive information — most notably, the encryption key used to encrypt the local hard drive or flash storage. This fault (feature?) is called data remanence, and it also refers to the tendency for hard drives and other magnetic media to preserve data, even after being wiped.
Reading RAM is difficult, though. In the case of larger computers, you can physically transplant the stick of RAM into another computer, and read off the memory contents there. With embedded devices, such as smartphones, you don’t have that option — which is where FROST (Forensic Recovery Of Scrambled Telephones) comes in. In short, FROST is an Android recovery image — a lot like ClockworkMod — that gives you access to any data stored in RAM after a cold boot. From the main FROST menu, you can attempt to recover the full-disk encryption (FDE) keys from RAM, or simply dump the entire contents of RAM via USB to another PC for further analysis. (See: Full disk encryption is too good, says US intelligence agency.)
Now, as we mentioned, it can take anywhere from a few seconds to a few minutes for RAM to lose its data. One of the variables that causes this variance is temperature; by cooling RAM down, it preserves data for longer. In one particularly awesome research paper [PDF], liquid nitrogen has been shown to preserve DRAM contents for an entire week. In this particular case, though, the security researchers placed a Samsung Galaxy Nexus into a freezer for an hour, until the phone’s internal temperature dropped to 10C (50F). Then, by quickly removing and inserting the battery (it must be done in under 500 milliseconds), and entering FROST, they were able to make a complete dump of the phone’s RAM. Without the freezer, the phone’s RAM would lose its data before it could be recovered.
While FROST is notable as the first successful example of a cold boot attack on Android, FROST is just the latest in a long line of cold boot attack tools. In a world where full disk encryption is the norm rather than the exception in criminal circles, the ability to recover encryption keys from memory is of vital importance to the FBI, CIA, and other intelligence agencies around the world. It is now standard practice for some police forces to absolutely make sure that computers are not turned off during raids, until they have been fully scanned for encryption keys and any other data that might still be in RAM. There are defenses that can be employed against cold boot attacks, such as not storing encryption keys in RAM, but for now it seems that Android at least is still vulnerable.
New funny hack Click here
0 comments:
Post a Comment