An Android phone’s passcode or pattern lock screen may be no match for a freezer, according to new research from scientists at Erlangen University in Germany released Thursday. After chilling a Galaxy Nexus in a freezer, the researchers were able to bypass security settings and read from the phone’s memory by using a “cold boot” attack.
Cold boot attacks, first demonstrated on PCs in 2008, rely on data remanence, wherein the RAM inside a computer retains some residual information for a short amount of time after the computer is shut down. If the computer is cold-booted (turned on and off quickly enough such that the shutdown isn’t complete), attackers can reboot with an alternate operating system (via a USB drive, for instance) that instructs the computer to dump the remnants of information still stored in the memory.
As it turns out, phones are vulnerable to the same kind of attack, but they require a different approach. Smartphones also retain information in memory after shutdown, but only for a second or two. It’s also more difficult to shortchange the shutdown process in a phone because it power-cycles too slowly by default for a two-second memory access window to be useful. The researchers in Germany found that if they chilled the phone down to freezing temperatures, information would linger in the memory for five or six seconds—long enough to pull data out with a computer.
from Ars Technica