Access files on locked, encrypted Android phones by putting them in a freezer for an hour

This is alarming, if true: according to a group of German security researchers at the University of Erlangen, if you put a locked, encrypted Android phone in the freezer for an hour and then quickly reboot it and plug it into a laptop, the cooled RAM retains its contents (including the disk-encryption key) long enough that the phone can be booted into a custom OS that recovers the key and brings the phone up with all the files available in the clear. The attack is called FROST ("Forensic Recovery Of Scrambled Telephones"), and it requires a phone with an unlocked bootloader to work.

At the end of 2011, Google released version 4.0 of its Android operating system for smartphones. For the first time, Android smartphone owners were supplied with a disk encryption feature that transparently scrambles user partitions, thus protecting sensitive user information against targeted attacks that bypass screen locks. On the downside, scrambled telephones are a nightmare for IT forensics and law enforcement, because once the power of a scrambled device is cut, any chance other than brute force is lost to recover data.

We present FROST, a tool set that supports the forensic recovery of scrambled telephones. To this end we perform cold boot attacks against Android smartphones and retrieve disk encryption keys from RAM. We show that cold boot attacks against Android phones are generally possible for the first time, and we perform our attacks practically against Galaxy Nexus devices from Samsung. To break disk encryption, the bootloader must be unlocked before the attack because scrambled user partitions are wiped during unlocking. However, we show that cold boot attacks are more generic and allow retrieving sensitive information, such as contact lists, visited web sites, and photos, directly from RAM, even though the bootloader is locked.

FROST: Forensic Recovery Of Scrambled Telephones
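The two conditions the article and abstract describe (the phone is encrypted, and the bootloader is or is not unlocked) are exactly what a device owner can check before deciding how exposed a powered-on, locked phone is. The script below is an added example, not part of the article or of the FROST tool set: it parses the output of `adb shell getprop` and reports what a cold-boot attacker could reach. The property names `ro.crypto.state` and `ro.boot.flash.locked` are assumptions about what a given build exposes; OEM images differ, so an absent property is reported as unknown rather than treated as safe. The `getprop` samples are constructed.

```python
"""Assess a powered-on Android device's exposure to a FROST-style cold-boot
attack from `adb shell getprop` output.

Added example, not code from the article or the FROST project. Property
names are assumptions about the device; treat "unknown" as "check manually".
"""
import re

# `getprop` prints one property per line as "[name]: [value]"
_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

# Constructed samples of getprop output, trimmed to the relevant lines.
SAMPLE_UNLOCKED = """\
[ro.build.version.release]: [4.2.2]
[ro.crypto.state]: [encrypted]
[ro.boot.flash.locked]: [0]
"""
SAMPLE_LOCKED = """\
[ro.build.version.release]: [4.2.2]
[ro.crypto.state]: [encrypted]
[ro.boot.flash.locked]: [1]
"""
SAMPLE_UNENCRYPTED = """\
[ro.build.version.release]: [4.2.2]
[ro.crypto.state]: [unencrypted]
[ro.boot.flash.locked]: [1]
"""


def parse_getprop(text):
    """Parse `getprop` output into a dict of property name -> value."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def assess_cold_boot_exposure(props):
    """Classify what a cold-boot attacker can reach, following the article:

    - Disk-encryption key recovery needs an unlocked bootloader, because
      unlocking wipes the scrambled user partition first.
    - RAM contents (contacts, browsing data, photos) are reachable on a
      powered, previously unlocked phone regardless of bootloader state.
    """
    encrypted = props.get("ro.crypto.state") == "encrypted"
    flag = props.get("ro.boot.flash.locked")  # assumed: "1" means locked
    if flag is None:
        bootloader = "unknown"
    else:
        bootloader = "locked" if flag == "1" else "unlocked"

    if not encrypted:
        key_recovery = "not needed"  # user partition is readable as-is
    elif bootloader == "unlocked":
        key_recovery = "possible"
    elif bootloader == "locked":
        key_recovery = "blocked"     # unlock would wipe the partition
    else:
        key_recovery = "unknown"

    recommendations = []
    if not encrypted:
        recommendations.append("enable disk encryption")
    if bootloader != "locked":
        recommendations.append("re-lock the bootloader after flashing")
    # Key and RAM contents fade only once power is cut long enough; a
    # screen lock alone does not clear them.
    recommendations.append("power off, not just lock, before handing the device over")

    return {
        "disk_encryption": encrypted,
        "bootloader": bootloader,
        "key_recovery": key_recovery,
        "ram_contents_exposed_while_powered": True,
        "recommendations": recommendations,
    }


if __name__ == "__main__":
    for name, sample in (("unlocked", SAMPLE_UNLOCKED),
                         ("locked", SAMPLE_LOCKED),
                         ("unencrypted", SAMPLE_UNENCRYPTED)):
        print(name, assess_cold_boot_exposure(parse_getprop(sample)))
```

On a real device, feed it `adb shell getprop` output instead of the samples; the point of the three cases is that only the encrypted-and-unlocked combination lets the disk key be recovered, while the RAM-contents exposure is the same for all of them as long as the phone stays powered.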


  1. Don’t most CPUs have a thermometer gauge to prevent overheating? A simple workaround would be to have the RAM overwrite keys and vital data sets if the CPU gets too cold.

    Edit: Now that I think about it, that’s a weak stopgap solution at best, an attacker could just focus the cold with a can of compressed air on just the RAM.

    The real solution would be to give the end user the ability to re-lock the bootloader in the new state.

    1. You actually can do exactly that :)
      unlock (wipes the phone)
      flash some custom ROM
      and then lock again… also make sure you have a recovery installed that checks for signatures in update packages…
      and self-sign all updates with your self-deployed key
      at least on the GN that is no real problem

      1. Don’t forget using a task killer to empty your discretionary ram on screen off. Otherwise, anything stored in ram (recent websites, etc…) are still accessible.

  2. This attack only appears to easily work against phones with a user-removable battery, as there isn’t any other easy way to quickly reset an Android phone if you can’t pop the battery out. So devices like the Nexus 4 are slightly more guarded. (Though a determined attacker could still partially dissemble the device, rendering this moot.)

      1. Or getting a wifi palmtop, and getting a phone, and not trying to shove ten pounds into a five-pound bag.

  3. @Ryan- True.  Which is frustrating for a number of OTHER security reasons.  Is it possible to unlock a bootloader, load a new ROM, and then RE-lock the bootloader?

  4. Given that “cold boot” has another meaning already, color me a bit skeptical about this scenario. OK, yes, maybe one can muck up the clocks enough by freezing the heck out of the thing to enlarge a timing window enough to exploit it, but I’d be more than slightly surprised.

  5. scrambled telephones are a nightmare for IT forensics and law enforcement

    Cry me a river.  They can track our phones just fine without decrypting them anyway.  That’s bad enough already.  I guess I’ll have to think about ways of making my phone self destruct now.

  6. Desktop platforms have been known susceptible to this type of attack for years:
    If someone has that much access to your phone/system you’re gonna be in trouble anyway.  
    This is why you should always let Ramsay keep some of the circuit templates so Luther can’t get them even if he catches you.

  7. And new feature in KLP: RAM heater. A 15w strip of nichrome wire kept running at all times.
    Battery life MIGHT be affected.

  8. On the downside, scrambled telephones are a nightmare for IT forensics and law enforcement

    Um, law enforcement can lick my balls, thank you very much.

  9. There HAS to be a test-jig you can get that powers up a board at just the right spots, so you can control things better.  Pull the battery,  ship it off to Langley or local digital forensics lab, fit it to jig, do the magic, email dump to client.

    Seems a more reliable method than guesstimating thermal properties and allowing the device to manage its own boot.

    1. I think in this case they are relying on the key being retained in memory from the last decryption. (The phone is on, but locked when they start). If they pull the battery for long enough for the memory to lose its contents, they lose the key.

    2. Default disk encryption is to protect you from meddling by not particularly talented law-enforcement. 

      If the guys who want your stuff have access to a digital forensics lab run by the CIA, you will probably want to use something a little stronger.

  10. Jeez, if these people would put half as much focus, ingenuity and effort into achieving World Peace than they do into these challenges, we’d be halfway there by now.

    1. Right, because getting seven billion violent apes to live in harmony and cracking a cellphone’s encryption are clearly problems in the same league. And the erosion of civil rights has nothing to do with human rights abuses antithetical to World Peace (TM). I guess all those Middle-Eastern peoples who whine about Western corporations obsequiously betraying them to the murderous regimes they’re trying to overthrow should really just shut the fuck up, because niktemadur wants privacy activists to focus on more important things!

      Come on, niktemadur, I know from watching your comments here that you know better than that.

      1. half as much and halfway there.
        I was going for a Pythonesque thing there, c’mon:
        “If you had half as much watching this show as we had making it, then we had twice as much fun as you did.”

      2. Plus the fact that I’m truly baffled at just how they come up with such incredibly abstract methods to do something like this.

        1. Well, you see, a physicist, a cryptographer and a Java developer walk into a bar and all say, “I’ll have a cold one.”

          The bartender balks, “You haven’t paid your tab from your last fetch-execute cycle, I’ll need to hack some collateral this time.”

          The physicist says to the cryptographer, “Give her your iPhone,” but the cryptographer replies, “And void my $100 service plan? You’re nuts!”

          So the physicist turns to the Java developer and says, “Give her your Android.”

          The developer asks, “Where’s your phone,” to which the physicist says, “I left it in a parallel joke.” So the developer sighs, “What the dev hell, I voided the warranty fifteen minutes after activating it anyway.” He encrypts it, hands it to the bartender and says, “Don’t lose it.”

          She replies, “I’ll put it somewhere safe.”
