Slashdot Mirror

← Back to Stories (view on slashdot.org)

Rowhammer Attack Can Now Root Android Devices (softpedia.com)

Posted by BeauHD on from the all-inclusion-attacks dept.

An anonymous reader writes from a report via Softpedia: Researchers have discovered a method to use the Rowhammer RAM attack for rooting Android devices. For their research paper, called Drammer: Deterministic Rowhammer Attacks on Mobile Platforms, researchers tested and found multiple smartphone models to be vulnerable to their attack. The list includes LG Nexus (4, 5, 5X), LG G4, Motorola Moto G (2013 and 2014), One Plus One, HTC Desire 510, Lenovo K3 Note, Xiaomi Mi 4i, and Samsung Galaxy (S4, S5, and S6) devices. Researchers estimate that millions of Android users might be vulnerable. The research team says the Drammer attack has far more wide-reaching implications than just Android, being able to exploit any device running on ARM chips. In the past, researchers have tested the Rowhammer attack against DDR3 and DDR4 memory cards, weaponized it via JavaScript, took over PCs via Microsoft Edge, and hijacked Linux virtual machines. There's an app to test if your phone is vulnerable to this attack. "Rowhammer is an unintended side effect in dynamic random-access memory (DRAM) that causes memory cells to leak their charges and interact electrically between themselves, possibly altering the contents of nearby memory rows that were not addressed in the original memory access," according to Wikipedia. "This circumvention of the isolation between DRAM memory cells results from the high cell density in modern DRAM, and can be triggered by specially crafted memory access patterns that rapidly activate the same memory rows numerous times."

6 of 100 comments (clear)

  1. I don't understand by TheRaven64 · · Score: 5, Interesting

    One of the simplest existing known attacks involves creating an 8MB TypedArray object in JavaScript. This gives you a contiguous virtual address range, which allows you to generate 9 addresses that will be aliased to the same cache line and therefore where 9 sequential writes will trigger an eviction and a write back to RAM. What made this attack now work on mobile devices?

    --
    I am TheRaven on Soylent News
    1. Re:I don't understand by Gravis+Zero · · Score: 4, Informative

      One of the simplest existing known attacks involves [...]. What made this attack now work on mobile devices?

      Surprise, they didn't do it that way!

      It was previously "speculated that Rowhammer on ARM could be impossible, one of the main reasons being that the ARM memory controller might be too slow to trigger the Rowhammer bug" which is true in most cases like the one you listed. However, one thing they figured out is that they could use "DMA buffers bypass the CPU and its caches" using Android's DMA Buffer Management API.

      They did several other things like figure out how to determine the size of the DRAM rows (not uniform on ARM) and create a deterministic way force security-sensitive data int vulnerable rows in a deterministic fashion.

      You can read the paper that describes it here: https://vvdveen.com/publications/drammer.pdf

      TL;DR: They are smart and if your Android phone isn't getting the latest patches then you are vulnerable to total pwn4g3 from anything in the Google Play Store until Google figures out how to scan for apps that will perform this attack.

      --
      Anons need not reply. Questions end with a question mark.
  2. Phew, my Galaxy Note 7 is safe! by Anonymous Coward · · Score: 3, Funny

    Lucky I upgra

  3. Re:Bug of feature? by peragrin · · Score: 5, Funny

    don't worry they are working on a java script version.

    That way they can root your device on the web and load the advertising directly to all of your contacts.

    oh wait that's called facebook.

    --
    i thought once I was found, but it was only a dream.
  4. Re:Bug of feature? by TheRaven64 · · Score: 5, Informative

    Rowhammer has been usable from JavaScript for ages. As I said above (in the post currently at 0 overrated), one of the published ways of exploiting it is to use TypedArray objects to get a large chunk of contiguous memory, which then gives you a load of addresses in the same cache associativity set. You then hammer those addresses, which forces repeated cache evictions and eventually flips some adjacent bits. You can then use this to escape from the JavaScript sandbox. I don't know why this attack wouldn't work on mobile devices, so I don't really see what's new here.

    --
    I am TheRaven on Soylent News
  5. Re:Researchers? by Gravis+Zero · · Score: 3, Funny

    Can we stop calling these fucktards researchers already? They are crackers not researchers damn!

    Yeah, I mean, researchers explain their methodology and publish papers about it! These are just the dumbest criminal hackers that put their names on some paper they published! Can't wait until they go to jail for their criminal deeds which they are obviously waiting do in the future! -_-

    --
    Anons need not reply. Questions end with a question mark.