Access files on locked, encrypted Android phones by putting them in a freezer for an hour


37 Responses to “Access files on locked, encrypted Android phones by putting them in a freezer for an hour”

  1. voiceinthedistance says:


  2. Peter Chylewski says:

    April 1st is yet to come.

  3. Prezombie says:

    Don’t most CPUs have a thermometer gauge to prevent overheating? a simple workaround would be to have the RAM overwrite keys and vital data sets if the CPU gets too cold.

    Edit: Now that I think about it, that’s a weak stopgap solution at best, an attacker could just focus the cold with a can of compressed air on just the RAM.

    The real solution would be to give the end user the ability to re-lock the bootloader in the new state.

    • metacalifragilistic says:

      aka Android 4.3, Ice Cream Headache

    • DooMMasteR says:

      you actually can do eactly that :)
      unlock (wipes the phone) 
      flash some custom rom 
      and then lock again… also make sure you have a recovery installed that checks for signatures in update packages…
      and selfsign all updates with your selfdeployed key
      at least on the GN that is no reaproblem

      • jimmoffet says:

        Don’t forget using a task killer to empty your discretionary ram on screen off. Otherwise, anything stored in ram (recent websites, etc…) are still accessible.

  4. agonist says:

    This reminds me of how much more interesting real hacking is to the lame stuff we see in movies like Skyfall.

  5. Larry Rubinow says:

    Only works if it’s running Ice Cream Sandwich.

  6. Ryan Kiefer says:

    This attack only appears to easily work against phones with a user-removable battery, as there isn’t any other easy way to quickly reset an Android phone if you can’t pop the battery out. So devices like the Nexus 4 are slightly more guarded. (Though a determined attacker could still partially dissemble the device, rendering this moot.)

  7. Ryan Singel says:

    This is the first good argument I’ve ever seen for manufacturers locking down the bootloader.

  8. eain says:

    @Ryan- True.  Which is frustrating for a number of OTHER security reasons.  Is it possible to unlock a bootloader, load a new ROM, and then RE-lock the bootloader?

  9. technogeekagain says:

    Given that “cold boot” has another meaning already, color me a bit skeptical about this scenario. OK, yes, maybe one can muck up the clocks enough by freezing the heck out of the thing to enlarge a timing window enough to exploit it, but I’d be more than slightly surprised.

  10. jhhl says:

    ICE WIlliam Gibson, NEUROMANCER

  11. Al Billings says:

    Of course this works in principle. This was demonstrated with laptops a couple of years ago and even covered here.

  12. ldobe says:

    scrambled telephones are a a nightmare for IT forensics and law enforcement

    Cry me a river.  They can track our phones just fine without decrypting them anyway.  That’s bad enough already.  I guess I’ll have to think about ways of making my phone self destruct now.

  13. unaboomer says:

    Desktop platforms have been known susceptible to this type of attack for years:
    If someone has that much access to your phone/system you’re gonna be in trouble anyway.  
    This is why you should always let Ramsay keep some of the circuit templates so Luther cant get them even if he catches you.

  14. Alexander Borsi says:

    And new feature in KLP: RAM heater. A 15w strip of nichrome wire kept running at all times.
    Battery life MIGHT be affected.

  15. SomeDude says:

    On the downside, scrambled telephones are a a nightmare for IT forensics and law enforcement

    Um, law enforcement can lick my balls, thank you very much.

  16. timquinn says:

    I wonder who funded this research?

  17. There HAS to be a test-jig you can get that powers up a board at just the right spots, so you can control things better.  Pull the battery,  ship it off to Langley or local digital forensics lab, fit it to jig, do the magic, email dump to client.

    Seems a more reliable method than guesstimating thermal properties and allowing the device to manage it’s own boot.

    • BillGlover says:

      I think in this case they are relying on the key being retained in memory from the last decryption. (The phone is on, but locked when they start). If they pull the battery for long enough for the memory to lose its contents, they lose the key.

    • jimmoffet says:

      Default disk encryption is to protect you from meddling by not particularly talented law-enforcement. 

      If the guys who want your stuff have access to a digital forensics lab run by the CIA, you will probably want to use something a little stronger.

  18. eldueno says:

    Its about time someone was able to do this.

  19. niktemadur says:

    Jeez, if these people would put half as much focus, ingenuity and effort into achieving World Peace than they do into these challenges, we’d be halfway there by now.

    • Gulliver says:

      Right, because getting seven billion violent apes to live in harmony and cracking a cellphone’s encryption are clearly problems in the same league. And the erosion or civil rights has nothing to do with human rights abuses antithetical to World Peace (TM). I guess all those Middle-Eastern peoples who whine about Western corporations obsequiously betraying them to the murderous regimes they’re trying to overthrow should really just shut the fuck up, because niktemadur wants privacy activists to focus on more important things!

      Come on, niktemadur, I know from watching your comments here that you know better than that.

      • niktemadur says:

        half as much and halfway there.
        I was going for a Pythonesque thing there, c’mon:
        “If you had half as much watching this show as we had making it, then we had twice as much fun as you did.”

      • niktemadur says:

        Plus the fact that I’m truly baffled at just how they come up with such incredibly abstract methods to do something like this.

        • Gulliver says:

          Well, you see, a physicist, a cryptographer and a Java developer walk into a bar and all say, “I’ll have a cold one.”

          The bartender balks, “You haven’t paid your tab from your last fetch-execute cycle, I’ll need to hack some collateral this time.”

          The physicist says to the cryptographer, “Give her your iPhone,” but the cryptographer replies, “And void my $100 service plan? You’re nuts!”

          So the physicist turns to the Java developer and says, “Give her your Android.”

          The developer asks, “Where’s your phone,” to which the physicist says, “I left it in a parallel joke.” So the developer sighs, “What the dev hell, I voided the warranty fifteen minutes after activating it anyway.” He encrypts it, hands it to the bartender and says, “Don’t lose it.”

          She replies, “I’ll put it somewhere safe.”

  20. DIIIIIIVE!! says:

    And twenty years ago this was already being done to car radios to reset their codes.

Leave a Reply