Researchers from Vrije Universiteit in Amsterdam have demonstrated that it is possible to use a Rowhammer attack to remotely hack Android phones.
What is a Rowhammer attack?
“The Rowhammer attack targets the design of DRAM memory. On a system where the DRAM is insufficiently refreshed, targeted operations on a row of DRAM memory may be able to influence the memory values on neighboring rows,” the CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University succinctly explained.
The result of such an attack is that the value of one or more bits in physical memory (in this case GPU memory) is flipped, and may offer new access to the target system.
The GLitch attack
“The impact of combining both the side-channel attack and rowhammer attack has been demonstrated to bypass the Firefox sandbox on the Android platform,” the SEI CERT division noted.
“It is important to realize that the GLitch attack has only successfully been demonstrated on the Nexus 5 phone, which was released in 2013. The Nexus 5 phone received its last software security update in October 2015, and is therefore an already unsafe device to use. Several other phones released in 2013 were tested, but were not able to successfully be attacked with the GLitch attack. Success rates on phones newer than 2013 models were not provided. Non-Android devices were not tested either.”
The researchers have told Wired that the attack can be modified to target different phone architectures and different browsers.
To mitigate the risk of this particular attack, Google and Mozilla have already released updates for Chrome and Firefox that disable the high-precision WebGL timers leveraged to leak memory addresses.
More technical details about GLitch can be found in this paper.