14 Feb

Put this one in the "weird but true" pile - researchers at Erlangen University in Germany have managed to dump the contents of a Galaxy Nexus's RAM... which doesn't sound exciting. Except for the fact that the phone had a PIN-protected lockscreen and encrypted internal storage. The technique used, known as "FROST" (clever acronym there, guys), has been demonstrated on computers before.

Step 1.) Put the phone (powered on - if it's off, you lose the valuable RAM contents) in a really, really cold freezer.
Step 2.) Develop software that allows you to dump the active memory from an Android smartphone via USB (you might want to do this before step one).
Step 3.) Pull the battery (or turn the phone off, though this may cause issues), boot into fastboot, run the dump software, and voila - data stolen.


The trick here is more physics than computer hacking - while RAM is a volatile storage medium (it requires an electrical current to maintain the data it stores), it's not in the "on/off" switch sort of way you might think. When the RAM loses power, it maintains the integrity of the data it stores for a brief time. At room temperature, this is usually a couple of seconds. At 5 degrees Fahrenheit, though, the level of resistance in the memory's circuitry is reduced, magic happens, and the data is retained for a longer amount of time. In this case, around six seconds, which is enough time to dump the contents of the RAM over USB.

The researchers claim they can go a step further and recover the device's decryption keys in RAM, but actually using those keys to any effect would require an unlocked bootloader. Is this something you should be concerned about? Probably not. Is it a neat science experiment? Definitely.

Forbes

David Ruddock

  • http://lex.io Lex Rivera

    Very old tech. Same way (with some special hardware, of course) you can recover data from frozen RAM modules in PC/Notebook.

    • http://www.androidpolice.com/ David Ruddock

      "The technique used, known as "FROST" (clever acronym there, guys), has been demonstrated on computers before."

      • http://lex.io Lex Rivera

        Somehow I missed that part. Will be more careful.

      • http://codytoombs.wordpress.com/ Cody Toombs

        You said it perfectly, and I'm not trolling you or even Forbes, but this whole thing feels like such old and irrelevant news.

        Previously, it was impressive and interesting because it was truly new. It also carried the added challenge that they had to somehow transport a powered desktop or server from the place where it was currently powered on to a place where it could go into a deep freeze. The chassis also had to be removed and the RAM was hooked up directly for data extraction.

        In this case, it's 5 years later (thus, better tools), the device has a battery, and they are taking advantage of fastboot, so they don't even have to open up any more than the battery cover (as opposed to ripping into the guts of the computer). I'm not saying it was a completely unimpressive feat... but to anybody who was familiar with this story when it first broke, it's hard not to just say 'duh'.

    • ProductFRED

      I was going to say, I've seen this done with an upside-down aerosol can (like the compressed air cans used to clean computer components) and a desktop computer.

  • ERIFNOMI

    Someone find that Burn Notice clip. I watched a 60-some-year-old lady try this.

    • popcicle

      Oh ya! She used an upside down compressed air canister.

  • http://www.facebook.com/profile.php?id=1569417452 Tyler Watthanaphand

    Computers are vulnerable to this; some high-security systems have temperature monitors that clear the contents of the RAM when the temperature reaches below 40 degrees.

  • Theratchetnclank

    This has been known for a while. The same method is used to gain encryption keys from the TPM chip on BitLocker machines.

  • Drew M

    The bootloader has to be unlocked to have any chance of pulling this off. They acknowledged this in the article.

    • h_f_m

      Not only that, 4.2.2 would make this even more impossible if you have a lock screen.

      • http://codytoombs.wordpress.com/ Cody Toombs

        Unless I've misunderstood, fastboot isn't affected by the ADB Whitelist. In fact, neither is recovery, which is why re-locking the bootloader is still recommended.

        • h_f_m

          That's what I mean. It would not be possible to unlock your bootloader if you had a lockscreen and 4.2.2; versions before that are not safe even with a lock screen, if I recall correctly.

          • http://codytoombs.wordpress.com/ Cody Toombs

            Unlocking the bootloader (at least on Nexus devices) is always done from fastboot, which is always (and only) reachable when you restart the phone. Fastboot mode is in no way affected by the lockscreen, device encryption, ADB Whitelist, or any of the other stuff. If I'm holding your phone, no matter how much security you've put in place, I can always force the phone to restart into fastboot, plug it into a computer and unlock the bootloader. That's why unlocking the bootloader automatically wipes physical storage. I've read about no changes in 4.2.2 that apply to fastboot.

          • h_f_m

            Right you are. Thanks. At least it also means the freezer trick is nullified if your bootloader is still locked.

  • Swede

    So in Sweden my RAM never empties in wintertime... *not forever alone*

  • Elias

    FBI is not amused when their methods get to public knowledge.
