Slashdot Mirror

← Back to Stories (view on slashdot.org)

Rowhammer Attack Can Now Root Android Devices (softpedia.com)

Posted by BeauHD on from the all-inclusion-attacks dept.

An anonymous reader writes from a report via Softpedia: Researchers have discovered a method to use the Rowhammer RAM attack for rooting Android devices. For their research paper, called Drammer: Deterministic Rowhammer Attacks on Mobile Platforms, researchers tested and found multiple smartphone models to be vulnerable to their attack. The list includes LG Nexus (4, 5, 5X), LG G4, Motorola Moto G (2013 and 2014), One Plus One, HTC Desire 510, Lenovo K3 Note, Xiaomi Mi 4i, and Samsung Galaxy (S4, S5, and S6) devices. Researchers estimate that millions of Android users might be vulnerable. The research team says the Drammer attack has far more wide-reaching implications than just Android, being able to exploit any device running on ARM chips. In the past, researchers have tested the Rowhammer attack against DDR3 and DDR4 memory cards, weaponized it via JavaScript, took over PCs via Microsoft Edge, and hijacked Linux virtual machines. There's an app to test if your phone is vulnerable to this attack. "Rowhammer is an unintended side effect in dynamic random-access memory (DRAM) that causes memory cells to leak their charges and interact electrically between themselves, possibly altering the contents of nearby memory rows that were not addressed in the original memory access," according to Wikipedia. "This circumvention of the isolation between DRAM memory cells results from the high cell density in modern DRAM, and can be triggered by specially crafted memory access patterns that rapidly activate the same memory rows numerous times."

50 of 100 comments (clear)

  1. I don't understand by TheRaven64 · · Score: 5, Interesting

    One of the simplest existing known attacks involves creating an 8MB TypedArray object in JavaScript. This gives you a contiguous virtual address range, which allows you to generate 9 addresses that will be aliased to the same cache line and therefore where 9 sequential writes will trigger an eviction and a write back to RAM. What made this attack now work on mobile devices?

    --
    I am TheRaven on Soylent News
    1. Re:I don't understand by 110010001000 · · Score: 1

      They made an app that did it.

    2. Re:I don't understand by Gravis+Zero · · Score: 4, Informative

      One of the simplest existing known attacks involves [...]. What made this attack now work on mobile devices?

      Surprise, they didn't do it that way!

      It was previously "speculated that Rowhammer on ARM could be impossible, one of the main reasons being that the ARM memory controller might be too slow to trigger the Rowhammer bug" which is true in most cases like the one you listed. However, one thing they figured out is that they could use "DMA buffers bypass the CPU and its caches" using Android's DMA Buffer Management API.

      They did several other things like figure out how to determine the size of the DRAM rows (not uniform on ARM) and create a deterministic way force security-sensitive data int vulnerable rows in a deterministic fashion.

      You can read the paper that describes it here: https://vvdveen.com/publications/drammer.pdf

      TL;DR: They are smart and if your Android phone isn't getting the latest patches then you are vulnerable to total pwn4g3 from anything in the Google Play Store until Google figures out how to scan for apps that will perform this attack.

      --
      Anons need not reply. Questions end with a question mark.
    3. Re:I don't understand by frovingslosh · · Score: 2

      What I don't understand is if this attack is able to root so many different Android systems, why is it still so hard for the device's owner who wants to root his device to actually root it?

      --
      I'm an American. I love this country and the freedoms that we used to have.
    4. Re:I don't understand by blivit42 · · Score: 1

      TL;DR: They are smart and if your Android phone isn't getting the latest patches then you are vulnerable to total pwn4g3 from anything in the Google Play Store until Google figures out how to scan for apps that will perform this attack.

      I thought I'd add a potentially interesting anecdote to this. The app is not available on the US Google Play Store, as the github readme said may be the case. I downloaded the app directly to my Motorola Droid 2 Turbo (last OS update July 1st, 2016) and installed it. I was surprised to see a warning message pop up "Installation blocked. This app contains code that attempts to bypass Android's security protections." Something in my phone is detecting the potentially malicious code, and I don't think it is the Play Store, since I didn't use the Play Store, and installed the app directly from my download directory.

      Once installed, it looked like it tried to download 100 files (progress meter showed 0 out of 100). This hung, since I have the NetGuard firewall installed, set to block all wifi / mobile data access by default.

      I canceled out of the download and tried to run the hammertime attack, but got an extremely long error message that took up the whole screen.

      So, for at least this proof of concept attack app, it failed on several levels:

      1) Something on my phone detected it as potentially malicious and asked me if I really wanted to install it (I have not installed any virus/malware scanners that I am aware of, so I don't know what this was).
      2) It failed to download some files, potentially necessary for the attack, due to my firewall
      3) It failed to work, maybe due to missing the files it couldn't download.

      I'm sure that a more robust attack app could be developed, but, at least as far as the proof of concept app is concerned, I'm not overly worried -- for the moment.

    5. Re:I don't understand by Altrag · · Score: 1

      Its not that hard. A quick Google will find you dozens of pages and Youtube videos showing you how to do it.

      The hard part is trusting any of those rooting programs to not be malware themselves. Any time you're doing something that's against the rules (even if not actually illegal,) you'll find a boatload of shady people offering questionable solutions since most "legitimate" sources tend to avoid breaking the rules.

  2. Bug of feature? by sciengin · · Score: 1, Interesting

    Of course this is a terrible bug for most.
    On the other hand it would be awesome if one could incorporate this attack into an app that roots the device without needing to connect it to a PC first.

    1. Re:Bug of feature? by peragrin · · Score: 5, Funny

      don't worry they are working on a java script version.

      That way they can root your device on the web and load the advertising directly to all of your contacts.

      oh wait that's called facebook.

      --
      i thought once I was found, but it was only a dream.
    2. Re:Bug of feature? by TheRaven64 · · Score: 5, Informative

      Rowhammer has been usable from JavaScript for ages. As I said above (in the post currently at 0 overrated), one of the published ways of exploiting it is to use TypedArray objects to get a large chunk of contiguous memory, which then gives you a load of addresses in the same cache associativity set. You then hammer those addresses, which forces repeated cache evictions and eventually flips some adjacent bits. You can then use this to escape from the JavaScript sandbox. I don't know why this attack wouldn't work on mobile devices, so I don't really see what's new here.

      --
      I am TheRaven on Soylent News
    3. Re:Bug of feature? by ausekilis · · Score: 1

      What's new is this is an exploit uses a hardware vulnerability, not a software vulnerability. While Ars is lacking specific details, the article reads as though it's a vulnerability in a common type of memory chip (or controller thereof) and doesn't depend on a specific version of Android or Dalvik. That sounds different to me, but I'm no expert.

    4. Re:Bug of feature? by TheRaven64 · · Score: 2

      Uh, no. All RowHammer attacks use a hardware vulnerability. That's the definition. The JavaScript attack allows you to exploit this vulnerability from a bug-free JavaScript VM, with the only requirement being that it implements TypedArray objects as contiguous (virtual) memory arrays (which is the obvious way of implementing them, and it would be difficult to implement them usefully any other way if you want to use them with WebGL). The only variation is which bits you choose to try to flip with the RowHammer attack. This is the equivalent of running a different program with a known attack, not a new attack.

      --
      I am TheRaven on Soylent News
    5. Re:Bug of feature? by ausekilis · · Score: 1

      I learned something today. Time to ask the boss if I can go home ;-).

    6. Re:Bug of feature? by Gravis+Zero · · Score: 1

      Rowhammer has been usable from JavaScript for ages. [...] I don't know why this attack wouldn't work on mobile devices

      Your javascript attack works on x86 systems but not on ARM systems because of how and how fast the memory is accessed. ARM memory controllers just aren't fast enough to trigger the DRAM bug.

      I don't really see what's new here.

      you should consider reading the research paper before spouting ignorant and misleading comments. :)

      --
      Anons need not reply. Questions end with a question mark.
    7. Re:Bug of feature? by johanw · · Score: 1

      Try Kingroot for that. Then, run a script to replace Kingroot with SuperSU, For most phones this is the easiest root method.

  3. Bugger! by warewolfsmith · · Score: 1

    You Android device is ROOTED :-(

    1. Re:Bugger! by Anonymous Coward · · Score: 1

      You think you're being all clever here, but the risk isn't that your phone ends up rooted and you get to enjoy the spoils. The risk is that malicious software roots your phone without your knowledge and they enjoy the spoils.

    2. Re:Bugger! by TheCarp · · Score: 2

      While you are correct, I must confess.... MY first reaction to this was "Oh good, you mean I can root my phone that I bought with my money now"

      As much as I hate the implications of this.... and I do.... I also hate that I own a device that is functionally crippled and unable to run many of the apps I would like to run.

      Funny ecosystem we have eh?

      --
      "I opened my eyes, and everything went dark again"
    3. Re:Bugger! by johanw · · Score: 1

      My phone is already rooted, is another process installs a new su binary SuperSU will notice and complain about it.

    4. Re:Bugger! by Yo+Grark · · Score: 1

      Amen. Got a Cat S50 I can't root for the life of me. I need root to remotely help my grandfather who accidentally presses buttons all the time. I got him a great water proof drop proof old age proof phone, but the gas and mileage of physically driving 100 miles to press a stupid button is getting on my nerves!

      Yo Grark

      --
      Canadian Bred with American Buttering
  4. Oh dear, more military terminology by Viol8 · · Score: 2, Insightful

    A bunch of pasty faced sad sack nerds sitting in a basement want to sound cool and tough, like they've just done a tour in 'Nam. So they don't say "enabled" by javascript, no no no, its "weaponised" with "attack vectors" instead of flaws or holes. Its just so lame and wannabe.

    1. Re:Oh dear, more military terminology by Anonymous Coward · · Score: 1

      Sounds more like marketing speak than anything someone in a basement would find compelling.

    2. Re:Oh dear, more military terminology by 110010001000 · · Score: 2

      Also the term "researchers" is dubious. What a waste of time this junk is.

    3. Re:Oh dear, more military terminology by Maritz · · Score: 1

      He's right though. The languge they use to try to make this stuff sound cool is actually just really cringeworthy.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    4. Re: Oh dear, more military terminology by DNS-and-BIND · · Score: 2

      We don't say "'Nam" any more, Grandpa. Moreover it's the marketroids that come up with these names, not the techies. And seriously, nerd-shaming, on Slashdot? Turn in your geek card, it's revoked by unanimous popular consent.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    5. Re:Oh dear, more military terminology by 110010001000 · · Score: 1

      Waaaah, you mad bro? Sorry I got you so upset.

    6. Re:Oh dear, more military terminology by Viol8 · · Score: 1

      Because its nothing like real war "dude".

  5. Phew, my Galaxy Note 7 is safe! by Anonymous Coward · · Score: 3, Funny

    Lucky I upgra

    1. Re:Phew, my Galaxy Note 7 is safe! by mlw4428 · · Score: 2

      He's just joking. Not every Galaxy Note 7 is having these issues, in fact I just plugged mine in and as you can see it hasn't exp

  6. Does this affect Kindle (FireOS) as well? by Danathar · · Score: 1

    Does anybody know if this affects Amazon Kindle devices since they are an Android Fork?

  7. hardware fix by sxpert · · Score: 2

    time to implement ECC everywhere, period !
    it's not like ram is expensive anymore

    1. Re:hardware fix by fintux · · Score: 1

      ECC requires more power (more data to store + data integrity checks to be done), and might also have a bit bigger footprint. I don't know how much more exactly, nor how big portion of the power usage comes from RAM, but in any case, cost isn't the only drawback.

    2. Re:hardware fix by sxpert · · Score: 1

      good news !
      hope these are not locked to winblows 10

    3. Re:hardware fix by sxpert · · Score: 1

      the core to do ECC in the memory controller bits of the processor is really small... and doesn't consume much anymore compared to the billions of transistors required for ever bigger cache and logic in those processors... the issue is rather moot

  8. Awesome by steveo777 · · Score: 1

    Can't wait until it's up on XDA Developers for the S5 from AT&T, which so far hasn't been able to be rooted, and is the phone my work gave me. Sure it's a free phone and it's a work phone... But I wanna put a different ROM on it, dammit.

    --
    This sig isn't original enough, it's time to come up with something witty...
    1. Re:Awesome by PincushionMan · · Score: 1

      Sorry, those bootloaders are cryptographically signed with keys in either Verizon's or AT&T's possession. These keys preclude the installation of any custom ROMs. Short of an AT&T dev being careless with the crypto-keys, it's not going to happen. In my experience, Samsung phones are pretty beefy. They have to be to run the TouchWiz OS layer on top of Android OS.

      If you have an older Samsung phone - for instance the Galaxy S3 - and you have the ability to install a Custom ROM (Cyanogen, Slim, Oxygen), they will work fairly well. The S3 can even run Marshmallow (6.0), where the Note 3 is stuck on Lollipop (5.0.1). The Note3 didn't even get even 5.1.1! The S3's only problem is the stock camera occasionally crashes (and requires reboot to fix). There's some 3rd party cameras out there that work better. Overall, the S3 with Cyanogen is much, much snappier than with TouchWiz.

  9. Intel SoC by Frederic54 · · Score: 1

    No problem with my Asus Zenfone2 with an Intel chip! (I hope)

    --
    "Science will win because it works." - Stephen Hawking
  10. Well... by johnsmithperson123 · · Score: 1

    This is just another reason why we need to migrate away from DRAM. It's simply at a fundamental level too easy to exploit this way. We need to move to non-volitile memory, which is more power efficient anyway. Hopefully within a few more years the tech will be there.... I'm most excited about the carbon nanotubes, myself.

  11. Re:An app by RavenLrD20k · · Score: 1

    They provided the direct link to the apk file. Scroll down in the README.md displayed on the github link to the heading "Android GUI app" found here. The first line of the paragraph has the phrase "Android app" as a link to the drammer.apk file. You can use this to sideload onto your device and perform the check. They also tried to provide a link to the Google Play page for the app in that section of the doc, however it looks like Google disabled it as against the TOS (link now goes to a 404 page).

    All that said, this is probably one of those apps you'll want to first read the source and see for yourself what it's doing, then install the Android NDK on a PC to compile it; from there sideload the apk you built. This way you can at least be a little more certain of the build to make sure that it only does exactly what the code says it should...instead of trusting someone else's build to not have any added features

  12. Shouldn't they have called it DRAMP? by tlambert · · Score: 1

    Shouldn't they have called it DRAMP?

  13. I can't even root this phone by phishybongwaters · · Score: 1

    So I have to jump through hoops to try to root my S6 and end up giving up and restoring a backup... but this thing can drive by root it? wtf

  14. Re:This is why we need rust by fintux · · Score: 1

    I hope you're just being sarcastic, but in case you're not, ...

    - This is a hardware issue, not a programming language problem
    - Rust helps to prevent programming bugs with memory, like dangling/null pointers, buffer overflows etc. But it has control over the memory layout, which is a crucial requirement in implementing a row hammer attack, so a row hammer attack with Rust would likely be very suitable for implementing such an attack
    - Even if there was a programming language that prevented this by doing some memory layout randomization or similar, it would also lose performance due to non-contiguous memory (prefetching will not work and there will be cache misses), and thus it also would kill the battery life
    - Even if ignoring the points above, it would require a massive amount of work to move away from JavaScript on web pages
    - We would also require the OS, including the kernel, written in such language (which probably would not be possible, since there would be an abstraction of memory, which doesn't play nice with many device drivers etc.)

  15. Re:epic fail by Daetrin · · Score: 1

    If the AI's are created in any kind of evolutionary manner, then almost certainly yes. It's happened with hardware design before.

    --
    This Space Intentionally Left Blank
  16. Re:Researchers? by wildstoo · · Score: 1

    They are crackers not researchers damn!

    What has their skin colour got to do with it?

    Also, the correct term is "economically-disadvantaged caucasians".

  17. Re:Researchers? by Gravis+Zero · · Score: 3, Funny

    Can we stop calling these fucktards researchers already? They are crackers not researchers damn!

    Yeah, I mean, researchers explain their methodology and publish papers about it! These are just the dumbest criminal hackers that put their names on some paper they published! Can't wait until they go to jail for their criminal deeds which they are obviously waiting do in the future! -_-

    --
    Anons need not reply. Questions end with a question mark.
  18. From TFA by Jiro · · Score: 1

    Researchers said they don't plan to release the exploit code that weaponizes the Rowhammer attack in order to root Android devices.

    Gee, thanks.

    There are lots of people who are stuck on unrootable devices and could really use this.

  19. Incentive for RAM-makers by davidwr · · Score: 1

    but RAM makers have no incentive to fix it

    Actually, they do. They can market lower-density, more-expensive-to-manufacture RAM which has spacing or other "rowhammer-protecting design elements" between rows for use in "high- but-not-quite-military-grade-security" applications.

    For example, if off-the-shelf equipment would have been approved for a high-security application but for the vulnerability to rowhammer and similar attacks then the product vendor can substitute the more expensive, lower-density, more-secure RAM and sell his product to the customer rather than lose the sale entirely.

    As for military-grade applications, I'm not going to pretend to know what their requirements are or how to address them.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  20. Re:This is why we need rust by OrangeTide · · Score: 1

    Theoretically you could relocate memory periodically in a system like Rust (or Java). This could be done so that the high level doesn't realize it has happened. It might have a fairly heavy performance cost, depending on how frequently the relocations are done and how you detect when you should do them. (scoreboard vs static analysis)

    I could write a very simple language/environment where rowhammer is essentially impossible. But it would be very slow. Obvious example is that every address is looked up on a hash table to find the physical address. The application cannot see this hidden hash table, it would allow a byte granularity to relocation instead of a page granularity. It would was a tremendous amount of memory and be very slow. (basically memory layout randomization)

    JavaScript itself doesn't necessarily need to be replaced. Replacing it with a similar implementation of Rust doesn't make rowhammer go away. Working around the issue is possible in JS, Rust, Java, Haskell, and a few others. Not practical to work-around in C, but theoretically possible.

    If you use SRAM instead of DRAM, there is no performance penalty for layout randomization. Of course, SRAM doesn't have the issue with rowhammer either.

    --
    “Common sense is not so common.” — Voltaire
  21. Re:The test app by slashdice · · Score: 1

    LOL, "I asked some crack heads to house sit for me while I'm out of town for a few weeks. I figure if there was a problem they would stop smoking crack and tell me."

    --
    Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
  22. Re:ECC only adds 8 bits.. by Agripa · · Score: 1

    Redesigning the memory controller or DRAM is enough to solve the problem; force out of order refreshes on rows adjacent to continuously accessed rows. This is now called Target Row Refresh.

  23. Intel patented their fix by gonz · · Score: 1

    Apparently Intel patented their fix on Oct 31, 2013... the exact same day that Nexus 5 shipped in the US:

    https://www.google.com/patents...

    Glad to see the industry came together to protect consumers!