‘FROST’ Exploits Memory Vulnerability To Access Data

February 16, 2013 - Written By Norman Yan

If you thought that encrypting the disk and putting a password on your phone would protect it from any dubious individual stealing your sensitive information, you would be wrong. Using a technique first demonstrated on PCs back in 2008, a pair of researchers at Erlangen University in Germany used a ‘cold boot attack’ to read data off a Galaxy Nexus running the latest version of Android, even though the device was both encrypted and PIN-protected. The researchers, Tilo Mueller and Michael Spreitzenbarth, found they could still access data from the phone’s memory, which included images, emails, web history and potentially the encryption key. The extraction method the researchers developed is called ‘FROST’, which stands for Forensic Recovery of Scrambled Telephones.

The technique exploits the ‘remanence’ effect, where the contents of the phone’s memory remain intact for a few seconds even without a power source. While this normally lasts for only 1 or 2 seconds at room temperature, by cooling the phone to around 5 degrees Fahrenheit (-15 degrees Celsius for the metrically inclined), the effect lasts for around 5-6 seconds, which is enough time to download the phone’s memory via USB using Fastboot.

While the phone’s memory does contain the key to the encrypted data disk, using that key to access the data requires an unlocked bootloader. By default the bootloaders of phones are typically locked, and the process of unlocking them involves wiping the phone, which prevents that particular exploit; however, if you have a phone with an unlocked bootloader, you will be vulnerable to this type of attack. Despite that, there are still significant amounts of data stored in the phone’s memory as part of a cache, which is a type of memory storage the phone uses to give a snappier interface and faster start-ups. Information stored in a cache can include photos, contacts, web history and emails.

Mueller states that this particular attack is hard to defend against, since it exploits a physical hardware trait, but he does note that simply switching the device off helps, since that clears the memory cache of files; however, the researchers have pointed out that “smartphones are switched off only seldom”, meaning large amounts of data will be cached in a phone’s memory.

Their paper on FROST is yet to be published, but it is intended both as a warning to users and as a tool for law enforcement forensics to help gain evidence. As to what you can do to prevent your sensitive information from being stolen, you can reboot your phone once in a while to clear the cache, and keep your bootloader locked.

Source: Erlangen