Slashdot Mirror


Every Android Device Launched Since 2012 Impacted By RAMpage Vulnerability (bleepingcomputer.com)

Almost all Android devices released since 2012 are vulnerable to the RAMpage bug, an international team of academics has revealed today. From a report: The vulnerability, tracked as CVE-2018-9442, is a variation of the Rowhammer attack. Rowhammer is a hardware bug in modern memory cards. A few years back researchers discovered that when someone would send repeated write/read requests to the same row of memory cells, the write/read operations would create an electrical field that would alter data stored on nearby memory. In the following years, researchers discovered that Rowhammer-like attacks affected personal computers, virtual machines, and Android devices. Through further research, they also found they could execute Rowhammer attacks via JavaScript code, GPU cards, and network packets.

14 of 83 comments

  1. Is iOS affected too... by SuperKendall · · Score: 4, Interesting

    The article said that Apple iOS devices may be vulnerable too, but since this is a kind of Rowhammer attack, which Apple mitigated in 2015, I wonder if it is?

    It would be nice if the article (and researchers) were more clear about other platforms being vulnerable...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  2. Re:That seems like a very easy solution by AmiMoJo · · Score: 2

    The actual paper speculates that all devices since 2012 "may" be vulnerable. There is an app you can download to test, but it's not clear what it actually does.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  3. Re:That seems like a very easy solution by SuperKendall · · Score: 4, Insightful

    At some point one of these vulnerability checking apps will be found to be its own kind of trojan, instead uploading contacts or installing spyware...

    After all, seems reasonable to grant a vulnerability checking app full permissions right?

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  4. Re:That seems like a very easy solution by olsmeister · · Score: 2

    I'm guessing people that write compilers would say "meh this isn't my issue". And they wouldn't be wrong - it would require them to spend time to do it well, legitimate users wouldn't care about the feature, and it would probably slow everything down. Trying to solve security issues by making a compiler/malware scanning FrankenProgram is just a bad idea. Anyway, whoever is writing the code probably would just use an older compiler.

  5. Rowhammer is garbage by ComputerGeek01 · · Score: 3, Insightful

    Unless your objective is to crash the device, rowhammer is a useless technique and even then there are far easier ways to accomplish this. Until you can tell me EXACTLY what cells you are modifying and in what way, you will NEVER be able to utilize this vulnerability interesting observation for any kind of useful exploit. Even then, you would have to know WHAT you are modifying and even the most basic memory page protection prevents that. #SLOWNEWSDAY

    1. Re:Rowhammer is garbage by xanthos · · Score: 2

      It's silly season. With BlackHat and Defcon on the horizon you can expect to see lots of similar "security researcher" announcements over the next few weeks.

      --
      Average Intelligence is a Scary Thing
    2. Re:Rowhammer is garbage by bluefoxlucid · · Score: 4, Informative

      Pretty much, except for the last bit: memory page protection is administrative, not technical. The CPU says, "You can't write to address 0xC0004000" and you don't. If you write to 0xB0004000 and create electrical fields messing with 0xC0004000, that's physical and bypasses any code that says no you can't.

      It's like approaching a hotel key card lock with dynamite.

    3. Re:Rowhammer is garbage by Anonymous Coward · · Score: 4, Informative

      Unless your objective is to crash the device, rowhammer is a useless technique and even then there are far easier ways to accomplish this. Until you can tell me EXACTLY what cells you are modifying and in what way, you will NEVER be able to utilize this vulnerability interesting observation for any kind of useful exploit. Even then, you would have to know WHAT you are modifying and even the most basic memory page protection prevents that. #SLOWNEWSDAY

      Exploits have been known since 2015. Basically you fill memory with Page Table Entries, then you corrupt them until a bit flips which gives you access to write your own PTE. From that point, you own the machine. I have not heard of any fixes for this.

    4. Re:Rowhammer is garbage by Anubis+IV · · Score: 2

      Unless you can show an exploit that involves a browser visiting a malicious URL in a real-world scenario, I think this is a lot of smoke.

      A number of proofs of concept were published that demonstrated how the exploits could be abused using JavaScript. For instance, here's a simple example that could be used to provide a script with access to the contents of your memory if your browser/system/chip hasn't been updated to prevent such an attack. This may not impact everyday users much, but if you're on a known, shared system (e.g. AWS, Azure, WordPress, Squarespace, etc.) it becomes far easier to abuse, since you could do something like, say, initiate a request that would load a private key into memory, use a side-channel attack of these sorts to log the memory out to file, and then suddenly have the keys to the kingdom, which very much so would affect everyday users at that point.

      Rowhammer is less directly useful, but it can be used to get a foot in the door. All you need is for the right bits in a page table to flip in just the right way one time to be able to gain complete control of an application with root access. Sure, it's more likely to crash the device than grant you control, but Android users represent a large enough collective target that there'd be plenty of successful exploits accomplished across the user base, and for the remainder of the users it would constitute a major annoyance and frustration as their memory routinely became corrupted, resulting in reboots.

  6. That's how I'd slip it in by SuperKendall · · Score: 5, Insightful

    Unless it's posted open source and GPL.

    If I were going to post some Malware, I'd make a clean open source/GPL version with handy pre-compiled binaries that had the actual exploits included... we all know very few people would actually go to the trouble to download and compile so you'd get quite a good uptake from people who assumed because the source was open it was safe.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  7. Re:So is this just due to the design of modern mem by amorsen · · Score: 4, Insightful

    Would using ECC memory avoid all this over hyped crap?

    Yes, ECC memory and ECC cache mitigate Rowhammer. In theory not completely, you could cause an undetected triple-bit error if you ran the attack long enough. However, in that time you are vastly more likely to hit a detectable-but-uncorrectable two-bit error that halts the machine.

    (A quick Google implied that modern systems are still stuck with single-correction double-detection. I am not sure that is correct.)

    --
    Finally! A year of moderation! Ready for 2019?
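    The SECDED behaviour amorsen describes (one flipped bit corrected, two detected but not correctable, three possibly slipping through), as an added example in Python that is not part of this thread or of the RAMpage paper. The names `secded_encode`, `secded_decode` and `flip` are assumptions; real DRAM ECC uses a (72,64) or stronger code, and this generic extended Hamming version happens to pick 7 Hamming parity bits plus one overall parity bit for 64 data bits, so it has that same shape.

```python
# Added example (not from the thread or the RAMpage paper): a toy SECDED
# extended Hamming code.  Real DRAM ECC uses (72,64) or stronger codes.
from typing import List, Tuple

def _parity_bits(k: int) -> int:
    """Smallest r with 2**r >= k + r + 1 (parity sits at power-of-two positions)."""
    r = 0
    while (1 << r) < k + r + 1:
        r += 1
    return r

def secded_encode(data: List[int]) -> List[int]:
    """Codeword as bit list: index 0 = overall parity, 1..n = Hamming positions."""
    r = _parity_bits(len(data))
    n = len(data) + r
    code = [0] * (n + 1)
    src = iter(data)
    for pos in range(1, n + 1):
        if pos & (pos - 1):          # not a power of two: a data position
            code[pos] = next(src)
    for i in range(r):
        p = 1 << i                   # parity bit p covers positions with bit i set
        code[p] = sum(code[pos] for pos in range(1, n + 1) if pos & p) % 2
    code[0] = sum(code[1:]) % 2      # overall parity turns Hamming into SECDED
    return code

def secded_decode(code: List[int]) -> Tuple[List[int], str]:
    """Return (data, status); status is 'ok', 'corrected' or 'uncorrectable'."""
    code = list(code)
    n = len(code) - 1
    syndrome = 0
    for pos in range(1, n + 1):      # XOR of set positions is 0 for a valid word
        if code[pos]:
            syndrome ^= pos
    odd = sum(code) % 2 == 1         # overall parity: odd number of flips?
    if syndrome == 0 and not odd:
        status = "ok"
    elif odd and syndrome <= n:      # odd flip count: assume one and correct it
        code[syndrome] ^= 1          # syndrome 0 means the overall bit itself
        status = "corrected"
    else:                            # even flip count, or impossible position
        status = "uncorrectable"
    data = [code[pos] for pos in range(1, n + 1) if pos & (pos - 1)]
    return data, status

def flip(code: List[int], positions: List[int]) -> List[int]:
    out = list(code)                 # simulate bit flips at codeword positions
    for pos in positions:
        out[pos] ^= 1
    return out
```

    With three flips the decoder still reports "corrected" while returning wrong data, which is the undetected triple-bit case the comment mentions.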
  8. Re:That seems like a very easy solution by Aighearach · · Score: 3, Funny

    There is an app you can download to test, but it's not clear what it actually does.

    If you install the app, you found the larger security hole. :)

  9. Code would not have any issues, just binaries by SuperKendall · · Score: 2

    The apps I do look at the source, they're the ones that ask for permissions but I still want to use the app. So I'll review all the parts of the code that use the permissions.

    I think you misunderstand - the code published would not contain anything harmful at all. It would be totally clean. If you actually downloaded, compiled and ran that version you'd be fine... and it would work.

    It would just be the pre-compiled binaries people could handily download without compiling, those would have the malicious code.

    The beauty of the plan is the people who actually downloaded and compiled the apps would vouch for the authenticity of the app even as the versions most people used had malware.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Code would not have any issues, just binaries by Aighearach · · Score: 2

      You're right, I did misunderstand.

      Even when side-loading open source apps, I think most of the users get it from an "alternate store" type of thing, like F-Droid. So if you tried to substitute the wrong compiled binary, the hashes wouldn't match and people would know right away.

      You'd not only have to get people to install it directly, you'd have to somehow keep the F-Droid people from listing it, or else people would notice the different hashes. (some small percent of users will notice even a changed UPC code on packaging, and send emails in asking if the product is the same product or a different version!) So it needs to be open source, but have very few users and very little interest. It seems the attack vector is self-limiting, but I don't doubt that it does happen when narrowed that far.

      The big hole in your idea is thinking that the sort of people that would compile the app themselves, when asked about potential problems, would just vouch for it without even talking about versions and hashes. That seems an unlikely combination of advanced and beginner behavior.