Physical Security Is the Only Real Security for Your Phone
Panic!! Identity thieves are out to target you! Fraudsters are gathering the details of your life they’ll need to access your bank accounts! Malware apps are stealing your photos, which are being collected for the amusement of organized crime figures! No? OK, the situation is a whole lot less bleak than all that, but risks do exist, and we take certain measures to make sure that data on our smartphones – especially since such a big chunk of our lives are on there – stays safe. Is it enough, though? There have been a number of scares in the news lately that really seem to drive one point home: if you want to keep your smartphone safe, physical security is key.
A little over a month ago, I tried to convince you that lock screens were old news, and to follow my lead by disabling them. That… did not go over so well, and you were largely resistant to the idea. A good number of you insisted that you relied on your lock screens for security. I tried to downplay the level of security truly offered by such locks, insisting then as I am now that your phone simply isn’t safe unless in your possession or physically locked away, but you were still convinced that lock screens were serving a useful purpose.
Perhaps I wrote that piece a little prematurely, because in the weeks that followed, lock screen security compromises have been all over the news. The iPhone may have led the pack, but it was shortly joined by a number of Samsung Galaxy models, and more recently by Sony’s new flagship, the Xperia Z.
Now, the level of access you can gain by taking advantage of these exploits varies, but in the worst cases, an attacker can get full, unfettered access to your device. Doing so may take time and persistence, but demonstrations proved the viability of these attacks.
Those are only some of the phones where we’re aware of these exploits, by the way. Are there others for additional devices that haven’t been uncovered yet? Maybe more troubling, are there some that have been discovered, but those who are in the know are keeping quiet, hoping to use that knowledge for their own gain?
All of those lock screen failures served as a catalyst for me wanting to return to the issue of physical phone security, but that’s not all that’s been going on.
A team of researchers based out of Germany had been looking into the security offered by Android 4.0’s native disk encryption. Certainly, that’s a feature you might enable if you’ve got sensitive data on your phone and you want to feel like your info is safe. Of course, if you couldn’t tell already by the nature of this post, the system’s been pretty severely compromised.
While it won’t work on every encrypted Android, a handset that has its bootloader unlocked (as is the case with so many of us custom ROM enthusiasts) can have its encryption keys extracted via a few simple steps and a custom software tool. The trick to the whole thing is freezing the phone, or at least getting it cold enough to slow down the rate at which RAM contents degrade.
See, we think of RAM as being especially fragile, erasing itself when devices are reset of powered-down. That’s not quite true, and in some cases – like one where the temperature of the RAM chips has been sufficiently lowered – RAM can maintain its contents for extended periods of time, even when that data isn’t being actively refreshed.
For this attack, you leave a powered-on but locked Android in a freezer for an hour, quickly interrupt its battery power, and start the phone in fastboot mode. Then you’re able to load the team’s FROST software, which will search the contents of RAM, preserved from the previous session due to the freezing, for the phone’s encryption key. Once that’s recovered, it’s game over for your previously private data.
So, what’s to be done? Store your files in the cloud? Maybe, but that’s really just passing the security buck, assuming that whomever you’re trusting with your data doesn’t get hacked themselves – and certainly, holding a lot more of it in one place, they’re going to be much bigger targets for such attacks than you, out on your lonesome.
But should you just do nothing at all? Well, what you’ve got to remember is that lock screens and data encryption, even if they’re not foolproof, present barriers to prying eyes. If they’re interested in the path of least resistance, they’ll look elsewhere. If slowing them down gives you enough time to flag down some authorities and get your phone recovered, so much the better. By all means then, keep using them if they help you feel more secure.
I just want to remind you all that these systems aren’t perfect, and even when these holes get closed, new ones will be found. Put protection of your data in your own hands – literally. Keep your phone on you, where you can keep it safe yourself. When that’s not possible, store it securely. Even that’s not a perfect solution, but the threats posed by malware or rogue WiFi hotspots are topics to be discussed on another occasion. In the end, physical control over your phone is the easiest, most important thing you can do to keep your info private.