Unscrambling an Android Telephone With FROST
Noryungi writes "Researchers at the University of Erlangen demonstrate how to recover an Android phone's confidential content, with the help of a freezer and FROST, a specially-crafted Android ROM. Quite an interesting set of pictures, starting with wrapping your Android phone in a freezer bag."
Why do freezers always seem to help recover data? (Score:5, Informative)
Re:Why do freezers always seem to help recover data? (Score:5, Informative)
To expand on why this works.
The RAM in a phone is dynamic RAM.
It does not store data when unpowered, but needs that data to be periodically refreshed many times a second.
It turns out that, especially when cooled, the RAM may in fact retain information for some period, short enough to allow the device to be unpowered and repowered and essentially retain all its data (there may be a few errors).
This, combined with booting into a new OS which then allows you to dump or do other things to the RAM enables the attack.
Re:Why do freezers always seem to help recover data? (Score:5, Informative)
Actually, the period can be quite significant. One of my projects involved a kernel that could only dump messages to RAM. To get it out, I'd reboot the board and dump the log buffer. At regular room temperature, but elevated board temperature (the CPU was running for a good tilt so the board heated up), a power cycle (under 1s) would let you read it out perfectly. After 10s off, you could see corruption, but it was mostly readable. After 30s or so, it was barely readable.
It appears the main physical phenomenon is that the memory capacitors "distort" ever so slightly so the RAM doesn't completely power up randomly, but is influenced by what was held there previously. It's a time-related thing as well - a memory cell that was rapidly cycled would tend to have a lower time before corruption than a cell which held data statically for a long time. Since encryption keys tend to fall in the latter, the memory tends to stay that way a bit longer (unless the code periodically switches memory buffers and scrubs the old one - it doesn't take much - just store a new pattern in them and it'll overwrite the old one).
Sections 7 and 8 of the famous Gutmann paper [auckland.ac.nz] detail this effect in memory as well (you may recall the paper dealt with recovery of data off hard drives - but it also dealt with semiconductor nonvolatile memory as well).
A follow-up paper (PDF) [cypherpunks.to] goes into more detail on semiconductor memory, including flash storage.
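The mitigation the comment above describes, moving a key between buffers and scrubbing the old one so no DRAM cell holds it statically for long, as an added illustration in C (not code from FROST or from the commenters; `scrub`, `key_holder` and `key_rotate` are hypothetical names, and the key bytes are constructed):

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define KEY_LEN 32

/* Wipe the optimizer cannot drop: stores go through a volatile pointer,
 * so a plain memset() before free/return cannot be elided as "dead". */
static void scrub(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Two key slots; only one is live at a time. */
typedef struct {
    unsigned char slot[2][KEY_LEN];
    int active;
} key_holder;

void key_install(key_holder *h, const unsigned char *key) {
    memcpy(h->slot[h->active], key, KEY_LEN);
}

/* Move the key to the spare slot, then scrub the slot it came from,
 * so the previously static cells are overwritten with a new pattern. */
void key_rotate(key_holder *h) {
    int old = h->active, next = old ^ 1;
    memcpy(h->slot[next], h->slot[old], KEY_LEN);
    scrub(h->slot[old], KEY_LEN);
    h->active = next;
}

/* Count bytes of the retired slot that still match the key. */
int stale_bytes(const key_holder *h, const unsigned char *key) {
    const unsigned char *retired = h->slot[h->active ^ 1];
    int n = 0;
    for (size_t i = 0; i < KEY_LEN; i++) n += (retired[i] == key[i]);
    return n;
}

/* Constructed self-check: after a rotation the live slot holds the key
 * and the retired slot holds none of it. Returns 1 on success. */
int selfcheck(void) {
    unsigned char key[KEY_LEN];
    for (int i = 0; i < KEY_LEN; i++) key[i] = (unsigned char)(0xA5 ^ i);
    key_holder h; memset(&h, 0, sizeof h);
    key_install(&h, key);
    key_rotate(&h);
    return memcmp(h.slot[h.active], key, KEY_LEN) == 0 && stale_bytes(&h, key) == 0;
}
```

Note that `stale_bytes` checks only the two slots: temporaries and copies the compiler keeps in registers or on the stack still need the same treatment.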