Forensic Recovery of Scrambled Telephones
DESCRIPTION
Performing a Cold Boot Attack against Android's and iOS's Full Disk Encryption.
TRANSCRIPT
Chair for Network Architectures and Services, Faculty of Computer Science, Technical University Munich
Forensic Recovery of Scrambled Telephones
Dai Yang
Proseminar: Network Hacking and Defence WS2013
Advisor: Tsvetko Tsvetkov
December 13th, 2013
FROST 2 | Android -> FDE -> CBA | FROST | Countermeasures | Conclusion
Contents
Introduction: Meaning of Smartphones
Background
Android
Full Disk Encryption
Cold Boot Attack
Forensic Recovery of Scrambled Telephones
Vulnerability of iOS and Countermeasure
Conclusion
References
Introduction
Almost every second person in Germany has a smartphone
Smartphones are widely used, both for private and business use
Lack of awareness concerning personal data
Sources: 2013 ComScore MobiLens. Data evaluated with Statista. Numbers are in Millions.
Background
Android
Google initialized mobile OS as open standard
Launched in 2008 with T-Mobile G1
Linux kernel based architecture:
Linux Kernel (Drivers, Power Manager, etc.)
Libraries (SQLite, WebKit, SSL, OpenGL, etc.)
Application Framework (Activity Manager, Window Manager, etc.)
Native applications (Home, Contacts, etc.)
Android Runtime (Core Libraries and DVM; since “KitKat”: ART)
Modern security features:
since 4.0: FDE via dm-crypt
since 4.3: Security Enhanced Linux (SELinux)
Pattern lock or PIN
Separate user data partition
Less secure on “rooted” devices
Source: http://www.gsmarena.com/t_mobile_g1-pictures-2533.php, last visited on 2013/11/17 at 16:18
Full Disk Encryption
Techniques: dm-crypt (Linux), FileVault (Apple), BitLocker (MS)
AES-Algorithm
Hardware based: e.g. crypto cellphone
Pros:
Transparency
Safe swap space and temporary files
User independent
Immediate data destruction
Cons:
Vulnerability to CBA
Side Channel attack
Cryptanalysis
Single key
Unsafe boot region
Software based Full Disk Encryption
Cold Boot Attack
a.k.a. platform reset attack, cold ghosting attack, iceman attack
Side Channel Attack
Physical access
Target: encryption keys
How to:
Press reset (Cold boot)
Boot with special sector
Dump the memory
Alternative:
JTAG port
Insert the memory into another computer
Sources: Based on [6]. FROST, FAU Erlangen-Nuremberg, Oct 2012
[Figure: bit errors as a function of time and temperature]
FROST
Forensic Recovery of Scrambled Telephones
FROST 11Android -> FDE -> CBA | FROST | Countermeasures | Conclusion
Functionality of FROST
In general
Check the encryption state
Key recovery
RAM dump via USB
Crack 4-digit PIN
If the boot loader is unlocked or developer mode is enabled, additionally:
Decrypt and mount /data
Sources: FROST user interface. http://www1.informatik.uni-erlangen.de/frost, last visit: 2013/11/17 at 21:38
FROST 12Android -> FDE -> CBA | FROST | Countermeasures | Conclusion
Results from FROST
Full data in the RAM, including:
New and old personal photos (Dropbox)
Recently visited websites
E-mails
Entire WhatsApp chat history
Personal text files
Contacts
Calendar entries
WiFi credentials in plain text
Other personal plain text files
Other plain text credentials
GPS coordinates
List of recent phone calls
etc.
very sensitive information
FROST 13Android -> FDE -> CBA | FROST | Countermeasures | Conclusion
Evaluation
FROST 14Android -> FDE -> CBA | FROST | Countermeasures | Conclusion
Vulnerability of iOS and Countermeasures
iOS is (almost) not vulnerable to the cold boot attack:
Key is wiped from RAM
AES key = UUID + user passcode
High iteration count, long derivation time
GUI protection, wipe-out
Since iOS 7 + iPhone 5S: key/fingerprint for better security
Countermeasures:
Cache/register-based key storage
Soldering the memory
Key Wipe
Memory Wipe
2-Way authentication
Full memory encryption
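The two slides above list the iOS design points that blunt the attack: the disk key is derived from a device-unique ID plus the user passcode with a high iteration count, and the key is wiped from RAM when it is no longer needed. The following Python block is an added illustration of those three mechanisms; it is not code from the talk, from FROST or from Apple. The UID value is constructed, the iteration count is an assumption, and PBKDF2-HMAC-SHA256 is assumed as the slow derivation step.

```python
import hashlib
import time

# Constructed sample value: a real device UID is fused into the SoC and never
# readable by software, which is what binds the derived key to the device.
DEVICE_UID = bytes.fromhex("00112233445566778899aabbccddeeff")
# Assumed iteration count; the point is that it is large enough to make each
# passcode guess expensive, not the exact number.
ITERATIONS = 100_000


def derive_key(device_uid: bytes, passcode: str, iterations: int = ITERATIONS) -> bytearray:
    """Derive a 256-bit disk key from the device UID and the user passcode.

    PBKDF2-HMAC-SHA256 is assumed here as the slow key-derivation step. The result
    is returned as a mutable bytearray so that it can be wiped in place later.
    """
    key = hashlib.pbkdf2_hmac(
        "sha256", passcode.encode("utf-8"), device_uid, iterations, dklen=32
    )
    return bytearray(key)


def wipe_key(key: bytearray) -> None:
    """Overwrite the key material in place ("Key Wipe" countermeasure).

    A memory dump taken after this point contains zeros where the key was.
    """
    for i in range(len(key)):
        key[i] = 0


def is_wiped(key: bytearray) -> bool:
    """True when no key byte is left in the buffer."""
    return all(b == 0 for b in key)


def seconds_per_guess(device_uid: bytes, iterations: int, samples: int = 3) -> float:
    """Measure the wall-clock cost of one key derivation on this machine.

    Because the UID is device-bound, every guess has to be derived at this cost
    (or slower, on the phone itself); the iteration count sets the floor.
    """
    start = time.perf_counter()
    for i in range(samples):
        derive_key(device_uid, f"{i:04d}", iterations)
    return (time.perf_counter() - start) / samples


def exhaustive_pin_seconds(cost_per_guess: float, pin_length: int = 4) -> float:
    """Total time to try every numeric passcode of the given length at that cost."""
    return (10 ** pin_length) * cost_per_guess


if __name__ == "__main__":
    key = derive_key(DEVICE_UID, "1234")
    other_device = derive_key(bytes(16), "1234")
    print("device-bound:", key != other_device)  # same passcode, different key
    cost = seconds_per_guess(DEVICE_UID, ITERATIONS)
    print(f"one guess: {cost:.4f}s, all 4-digit PINs: {exhaustive_pin_seconds(cost):.0f}s")
    wipe_key(key)
    print("wiped:", is_wiped(key))
```

The timing measured on a desktop is the optimistic case; device binding forces every derivation onto the phone's own hardware, which is the slower path. The numbers also show why the iteration count alone does not protect a 4-digit PIN: the space is small, so the attempt limit and wipe-out behind the GUI protection listed on the slide are what actually close the gap.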
FROST 15Android -> FDE -> CBA | FROST | Countermeasures | Conclusion
Conclusion
FROST 16Android -> FDE -> CBA | FROST | Countermeasures | Conclusion
Questions
FROST 17Android -> FDE -> CBA | FROST | Countermeasures | Conclusion
References
[1] “Global market share held by tablet operating systems in 2013”, survey by IDC, source: Statista, March 2013
[2] “Android technical specs”, official description by the Open Handset Alliance. Source: http://source.android.com/devices/tech/, last visit: 2013/11/17 at 16:33
[3] “Linux kernel device-mapper crypto target”, DMCrypt. Source: https://code.google.com/p/cryptsetup/wiki/DMCrypt, last visit: 2013/11/17 at 17:47
[4] “An in-depth analysis of the cold boot attack”, R. Carbone, C. Bean, M. Salois, Ministry of National Defence, Jan. 2011
[5] “Lest We Remember: Cold Boot Attacks on Encryption Keys”, J.A. Halderman, S.D. Schoen, N. Heninger, W. Clarkson, W. Paul, J.A. Calandrino, A.J. Feldman, J. Appelbaum, E.W. Felten. In Proceedings of the 17th USENIX Security Symposium, Princeton University, USENIX Association, pp. 45-60
[6] “Forensic Recovery of Scrambled Telephones”, T. Müller, M. Spreitzenbarth, F.C. Freiling, FAU Erlangen-Nuremberg, Oct. 2012
[7] “iOS Security”, Apple Inc., whitepaper. Source: http://www.apple.com/ipad/business/docs/iOS_Security_Oct12.pdf, last visit: 2013/11/20 at 11:56