About four years have passed since researchers began experimenting with a hacking technique known as "Rowhammer," which breaks basically every security model of a computer by manipulating the physical electric charge in memory chips to corrupt data in unexpected ways. Since that attack exploits the most fundamental properties of computer hardware, no software patch can fully fix it. And now, for the first time, hackers have figured out how to use Rowhammer against Android phones over the internet.
On Thursday, researchers in the VUSec research group at Vrije Universiteit in Amsterdam published a paper that details a new form of the Rowhammer attack they call GLitch.
"We wanted to see if Android phones were remotely vulnerable to Rowhammer, and we knew the usual techniques wouldn't work," says Pietro Frigo, one of the researchers who worked on the paper.
A Clever New Hammer
When a processor accesses the rows of minuscule cells that carry electric charges to encode data in ones and zeros, some of that electric charge can very occasionally leak out to a neighboring row, and cause another bit to flip from a one to zero, or vice versa.
Researchers have pulled off remote Rowhammer attacks on laptops running Windows and Linux before, and more recently VUSec showed that the technique could work on Android phones, too, though only after the attacker had already installed a malicious application on the phone.
"Everyone was completely ignoring the GPU, and we managed to use it to build quite a fast, remote Rowhammer exploit on ARM devices when that was considered impossible," Frigo says.
From Flipping Bits to Owning Phones
Most importantly, for now it targets only the Firefox browser, and phones that run the Snapdragon 800 and 801 systems-on-a-chip, Qualcomm mobile components that include both CPU and GPU.
Frigo explains that the researchers tested older phones like the Nexus 5 simply because they had more of them around in the lab when they began their work in February of last year.
Frigo says that while their attack would have to be rewritten for different phone architectures, he expects that with additional reverse-engineering time it would work on newer phones as well, or against victims running other mobile browsers.
They used that WebGL code in their malicious site, along with a timing technique that allowed them to determine which location in memory the GPU was accessing by how quickly it returned a response, to force the GPU to load graphic textures that repeatedly hammered target rows of memory.
The researchers then exploited a quirk of Firefox in which numbers stored in memory that have a certain pattern of bits are treated not as mere data, but as a reference to another object, a container holding data controlled by the attacker elsewhere in memory.
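The quirk described above comes from how a JavaScript engine packs both plain numbers and object references into the same 64-bit word, with a few bits acting as a type tag. The following toy model, added here as an illustration and not code from the VUSec paper or from Firefox, uses a hypothetical tag layout (the constants and function names are assumptions, not SpiderMonkey's real encoding) to show why the distance between "a number" and "a reference" can be a single bit, which is what makes one Rowhammer flip dangerous.

```python
import math
import struct

# Hypothetical NaN-boxing layout (an assumption for this example, not a real
# engine's layout): a word is an ordinary IEEE-754 double unless bits 62..50
# are all set, in which case the low 48 bits are an object reference.
# The canonical quiet NaN (0x7FF8_0000_0000_0000) has bit 50 clear, so it
# still reads as a double.
TAG_MASK = 0x7FFC_0000_0000_0000
PAYLOAD_MASK = (1 << 48) - 1
CANONICAL_NAN = 0x7FF8_0000_0000_0000


def box_double(x: float) -> int:
    """Store a double; every NaN is canonicalized so it can never carry a tag."""
    if math.isnan(x):
        return CANONICAL_NAN
    return struct.unpack("<Q", struct.pack("<d", x))[0]


def box_reference(ref: int) -> int:
    """Store a 48-bit object reference under the tag bits."""
    if not 0 <= ref <= PAYLOAD_MASK:
        raise ValueError("reference does not fit in the 48-bit payload")
    return TAG_MASK | ref


def classify(word: int):
    """Decode a word the way the toy engine would: ('reference', ref) or ('double', x)."""
    if word & TAG_MASK == TAG_MASK:
        return ("reference", word & PAYLOAD_MASK)
    return ("double", struct.unpack("<d", struct.pack("<Q", word))[0])


def flip_bit(word: int, i: int) -> int:
    """Model a single Rowhammer-style bit flip at position i."""
    return word ^ (1 << i)


def single_flip_type_changes(word: int) -> list:
    """Bit positions at which one flip changes the word's decoded *type*."""
    kind = classify(word)[0]
    return [i for i in range(64) if classify(flip_bit(word, i))[0] != kind]


if __name__ == "__main__":
    for label, word in [("1.5", box_double(1.5)),
                        ("NaN", box_double(float("nan"))),
                        ("ref 0x1234", box_reference(0x1234))]:
        print(f"{label:>10}: {classify(word)[0]:9} one flip from other type at bits "
              f"{single_flip_type_changes(word)}")
```

In this toy layout an ordinary number such as 1.5 cannot change type with one flip, but a canonical NaN is one flip (bit 50) away from decoding as a reference, and any reference is one flip away (13 candidate bits) from decoding as a number. The real Firefox encoding differs in detail, but the lesson is the same: when type tags share a word with data, a single corrupted bit can move a value across the type boundary the engine's safety relies on.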
almost all Android hacking occurs via malicious apps
The company also said that it has tested the attack on newer phones and believes that they aren't nearly as susceptible to Rowhammer.
Regardless, Google says it has made software changes to Chrome to block the researchers' implementation of the attack in its own browser.
Mozilla also tells WIRED it fixed one element of Firefox in its last release that makes determining the location of data in memory more difficult.
While VUSec's Frigo says that didn't prevent VUSec's attack, Mozilla adds that it's planning a further update next week to prevent GLitch attacks.
"How widespread this particular attack can be, of course, remains to be seen," writes Carnegie Mellon researcher Onur Mutlu, one of the authors of the first paper in 2014 that introduced Rowhammer as a potential attack, in an email to WIRED.
"The barriers to executing these kinds of attacks have been significantly reduced by this paper and it is likely that we'll see more attacks in the future based on this work," adds Anders Fogh, the principal researcher for GDATA Advanced Analytics, who was first to discover some elements of the Meltdown and Spectre attacks earlier this year.
Frigo points out that while the Pixel phone uses DDR4, the Vrije Universiteit hackers were still able to induce bit flips in that phone's memory, too.
All of that means hardware makers will need to keep up with an advancing form of attack that threatens to keep reappearing, each time in a new form that can't be easily fixed in software, or fixed at all.