A pair of researchers at Erlangen University in Germany have shown that a trick known as a “cold boot attack” can read data from a Samsung Galaxy Nexus running the latest version of Android, even when the phone is protected by a PIN and has its storage disk encrypted.
They call their technique FROST, or Forensic Recovery of Scrambled Telephones. By simply cooling the phone to around five degrees Fahrenheit and quickly rebooting it, they found that data could be read from its memory. With the phone in that cold state, they could quickly remove and replace the battery while holding the phone’s power and volume buttons, which causes the phone to reboot in “fastboot mode.”
This allows them to offload the phone’s RAM via USB while it still contains the cold, digital leftovers from before it was switched off. Among the data stored in that RAM, the researchers found the key to the phone’s encrypted storage disk, which in some cases might give them full access to the device. But that final step would only work in phones with an unlocked bootloader. In its latest version, Samsung locks the bootloader and automatically wipes the user partition if it’s unlocked, which prevents the researchers from using the trick.
Even then, the researchers can access all data stored in RAM. Given that phones are rarely switched off, that memory often contains a significant cache of sensitive personal data. They found they could recover fully intact address book contacts, thumbnail photos, and Wi-Fi credentials, and partially recover calendar entries, emails, text messages, high-resolution photos, and Web history.
Mueller says there are no easy defenses against the attack, other than turning a phone off before it’s out of the owner’s possession. Rebooting a phone more often may also leave less sensitive data in its memory. They haven’t yet tested the attack on other phones, but believe that it would likely be much more difficult on iOS.