New phone security threat unveiled


Researchers have revealed a weakness in some Android mobile phones. The team at Erlangen's Friedrich-Alexander University froze the mobile phones for an hour (in this instance they used a Galaxy Nexus). They carefully removed and replaced the battery, which disabled the scrambling system that protects the data on the phone.

They were then able to get at a host of sensitive details, including contact lists and photographs.

The attack

They blogged about the attack on the university website, showing how they froze the phone to below minus ten degrees. They then removed the battery and put it back in a particular way, forcing the phone into what is known as 'fastboot' mode, which meant they could start it up using their own software rather than the Android operating system.

Apparently freezing it is important, because RAM contents fade away more slowly if RAM chips are cold.

This meant they could copy over data that was supposed to have been scrambled. The data at risk was anything that had been copied into the phone's memory, which tends to be things like contacts, browsing history and sent messages or photographs.

The risk

They said it would be useful for users who were unable to get back into their phone - who were locked out with the data scrambled by the security system. However, they recognised that it opened up a vulnerability which could be exploited by criminals for their own uses.

The good news is that according to Paul Ducklin from the Sophos Naked Security blog, you can protect yourself. He said that if you have a locked phone, then when this attack is attempted, the memory will automatically be wiped. It doesn't mean you shouldn't unlock your phone if you want to install custom software, but when you've finished you need to lock it again.

He also pointed out an interesting turn of phrase from the researchers, who said that they hadn't damaged any phones by freezing them, but couldn't guarantee that this would be true of every model. So even if your phone is stolen while it is unlocked, and the thieves turn out to have this cutting-edge technology, putting it into the freezer could destroy it anyway.

So while any form of vulnerability needs to be taken seriously, at this stage the threat seems to be more theoretical than something we need to actively worry about.