New Rowhammer attack can be used to hack Android devices remotely

Researchers from Vrije Universiteit in Amsterdam have demonstrated that it is possible to use a Rowhammer attack to remotely hack Android phones.


What is a Rowhammer attack?

“The Rowhammer attack targets the design of DRAM memory. On a system where the DRAM is insufficiently refreshed, targeted operations on a row of DRAM memory may be able to influence the memory values on neighboring rows,” the CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University succinctly explained.

The result of such an attack is that the value of one or more bits in physical memory is flipped. In GLitch the hammering is driven from the GPU, which on the phones in question shares the system DRAM with the CPU rather than having memory of its own; a flip that lands in the right location may offer new access to the target system.

Successful Rowhammer attacks have been previously demonstrated against local machines, remote machines, and Linux virtual machines on cloud servers.
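To make the mechanism in the CERT description concrete, here is an added toy model of a single DRAM bank (it is not code from the paper or from this page, and its constants are illustrative assumptions; real parts tolerate on the order of hundreds of thousands of neighbour activations per 64 ms refresh interval). The model captures the three facts that matter for the attack: an access only activates a row when it misses the row buffer, each activation disturbs the two physically adjacent rows, and a periodic refresh restores the charge, so an aggressor must out-race the refresh. It also shows why the mitigation of refreshing more often works.

```javascript
// Added example (not code from the paper or the page): a toy model of one DRAM bank
// that reproduces the Rowhammer mechanism. All numeric constants are assumptions
// chosen to keep the simulation short, not measured values.
class DramBank {
  // rows: number of physical rows; refreshWindow: activations between two refreshes
  // of the same row; hammerThreshold: neighbour activations a row tolerates between
  // refreshes before a cell loses its charge (all three are assumed constants).
  constructor(rows, refreshWindow = 10000, hammerThreshold = 6000) {
    this.rows = rows;
    this.refreshWindow = refreshWindow;
    this.hammerThreshold = hammerThreshold;
    this.cells = new Uint8Array(rows).fill(0xaa); // one byte of data per row, pattern 10101010
    this.disturb = new Uint32Array(rows);         // neighbour activations since last refresh
    this.openRow = -1;                            // row buffer: which row is currently open
    this.activations = 0;
  }

  // Refresh restores every cell's charge, so the disturbance counters start over.
  refresh() { this.disturb.fill(0); }

  // Accessing the row that is already open is a row-buffer hit and does not touch the
  // DRAM cells. A miss activates the row, which disturbs its two physical neighbours.
  // Returns true when the access caused an activation.
  access(row) {
    if (row === this.openRow) return false;
    this.openRow = row;
    this.activations += 1;
    if (this.activations % this.refreshWindow === 0) this.refresh();
    for (const victim of [row - 1, row + 1]) {
      if (victim < 0 || victim >= this.rows) continue;
      this.disturb[victim] += 1;
      if (this.disturb[victim] > this.hammerThreshold) {
        this.cells[victim] &= ~0x02; // a drained cell reads as 0: bit 1 of 0xaa drops, giving 0xa8
      }
    }
    return true;
  }
}

// Alternate accesses between two aggressor rows n times and return the rows whose content changed.
function hammer(bank, aggressorA, aggressorB, n) {
  const before = Uint8Array.from(bank.cells);
  for (let i = 0; i < n; i++) bank.access(i % 2 === 0 ? aggressorA : aggressorB);
  const flipped = [];
  for (let r = 0; r < bank.rows; r++) if (bank.cells[r] !== before[r]) flipped.push(r);
  return flipped;
}

// Four scenarios on a 16-row bank, 20000 accesses each.
function scenarios() {
  return {
    // Hitting one row again and again never re-activates it (row-buffer hit): nothing flips.
    sameRow: hammer(new DramBank(16), 4, 4, 20000),
    // Single-sided: aggressor row 3 alternated with an unrelated row 12. Row 4 is disturbed
    // on every second activation, which stays under the threshold within one refresh window.
    singleSided: hammer(new DramBank(16), 3, 12, 20000),
    // Double-sided: aggressors 3 and 5 sandwich row 4, which is disturbed on every
    // activation and loses a bit before the next refresh arrives.
    doubleSided: hammer(new DramBank(16), 3, 5, 20000),
    // The same double-sided pattern against a bank refreshed twice as often: the counters
    // are cleared before the threshold is reached, which is the "raise the refresh rate" fix.
    doubleSidedFastRefresh: hammer(new DramBank(16, 5000), 3, 5, 20000),
  };
}

console.log(scenarios());
```

The row-buffer check is why real hammering code alternates between two addresses in the same bank (or flushes caches) instead of reading one address in a loop: without a forced activation there is no disturbance at all. The single-sided scenario not flipping is a property of the assumed constants, not a general claim; on real hardware single-sided hammering also produces flips, just more slowly than the double-sided pattern.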

The GLitch attack

The researchers dubbed their attack “GLitch” because it leverages WebGL, a JavaScript API for rendering interactive graphics in web browsers. The attack first uses WebGL's timing facilities as a side channel to learn how the browser's buffers map onto physical DRAM (which allocations are contiguous and which rows neighbour each other), and only then drives the targeted Rowhammer attack from the GPU against the rows it has picked.

Vulnerable smartphones can be targeted by luring users to a website hosting malicious JavaScript. Successful exploitation results in attacker-controlled code running on the device, but only with the privileges of the browser process: a complete compromise of the device is not possible, but theft of data the browser holds, such as passwords, is.

“The impact of combining both the side-channel attack and rowhammer attack has been demonstrated to bypass the Firefox sandbox on the Android platform,” the SEI CERT division noted.

“It is important to realize that the GLitch attack has only successfully been demonstrated on the Nexus 5 phone, which was released in 2013. The Nexus 5 phone received its last software security update in October 2015, and is therefore an already unsafe device to use. Several other phones released in 2013 were tested, but were not able to successfully be attacked with the GLitch attack. Success rates on phones newer than 2013 models were not provided. Non-Android devices were not tested either.”

The researchers have told Wired that the attack can be modified to target different phone architectures and different browsers.

To mitigate this particular attack, Google and Mozilla have already released updates for Chrome and Firefox that disable the high-precision WebGL timers (the EXT_DISJOINT_TIMER_QUERY extension) the attack leverages as its side channel; without a fine-grained timer, the memory-layout probing that precedes the hammering does not work. The browser update removes one timing source; it does not fix the underlying DRAM weakness.
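A quick way to verify the mitigation on a device is to ask the browser itself which timer-query extensions it still exposes. The following is an added example (not code from the page, the browsers or the researchers): the extension names are the WebGL registry names, and the helper is written as a pure function so that it can also be exercised with a constructed context object outside a browser.

```javascript
// Added example (not code from the page, the browsers or the researchers): report which
// WebGL timer-query extensions a browser still exposes. The two names are the real WebGL
// extension names; "webgl2" and "webgl" are the standard canvas context identifiers.
const TIMER_EXTENSIONS = ['EXT_disjoint_timer_query', 'EXT_disjoint_timer_query_webgl2'];

// Pure helper, testable outside a browser: takes any object offering the WebGL methods
// getSupportedExtensions() and getExtension() and returns the timer extensions that are
// both advertised and actually obtainable (a disabled extension is either absent from the
// advertised list or returns null from getExtension()).
function exposedTimerExtensions(gl) {
  const advertised = gl.getSupportedExtensions() || [];
  return TIMER_EXTENSIONS.filter(
    (name) => advertised.includes(name) && gl.getExtension(name) !== null,
  );
}

// Browser entry point: paste into the devtools console of the browser under test.
// Returns null outside a browser, [] when neither context type exposes a timer
// extension (the mitigated state), otherwise the names of the exposed extensions.
function checkThisBrowser() {
  if (typeof document === 'undefined') return null;
  const canvas = document.createElement('canvas');
  const found = new Set();
  for (const kind of ['webgl2', 'webgl']) {
    const gl = canvas.getContext(kind);
    if (gl) exposedTimerExtensions(gl).forEach((name) => found.add(name));
  }
  return [...found];
}

console.log(checkThisBrowser());
```

An empty result means the specific timer GLitch used is gone; a non-empty result means the timer-query API is available, and whether its timestamps are coarse enough to defeat the side channel is a separate question that this check does not answer.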

More technical details about GLitch can be found in this paper.
