Rowhammer Can Root into Android

Friday, October 28, 2016 @ 05:10 PM gHale

There is a way to leverage the Rowhammer hardware vulnerability on Android devices and gain root access, researchers said.

The Rowhammer hardware vulnerability has been found in PCs before, but researchers have now shown a way to use the Rowhammer exploit on mobile devices as well.

The attack described in “Drammer: Deterministic Rowhammer Attacks on Mobile Platforms” was found to be effective against ARM-based mobile hardware and allowed a malicious app to gain root access on targeted Android devices. The method was a collaborative effort by researchers from Vrije Universiteit Amsterdam, Graz University of Technology in Graz, Austria, and the University of California at Santa Barbara.

The researchers described Rowhammer as “a hardware bug that allows attackers to manipulate data in memory without accessing it. More specifically, by reading many times from a specific memory location, somewhere else in memory a bit may flip (a one becomes a zero, or a zero becomes a one).”

Traditional Rowhammer exploits were unreliable because bit flips are unpredictable, and the researchers said experts had questioned whether ARM memory controllers were “fast enough to trigger bit flips.”

However, the researchers used “the predictable behavior of the default physical memory allocator and its memory reuse patterns … [to] reliably control the layout of physical memory and deterministically place security-sensitive data in an attacker-chosen, vulnerable physical memory location.”

This technique, which the researchers called “Phys Feng Shui,” combined Rowhammer with a memory massaging primitive to create a deterministic Rowhammer exploit, which made the attack much more reliable.

The Rowhammer attack can be hidden inside a malicious Android app that requires no special permissions to run and take over a device, the researchers said. They said a large proportion of the Android ecosystem may be vulnerable because 17 of the 21 32-bit ARMv7 devices tested and one out of six 64-bit ARMv8 phones were susceptible to Rowhammer. The researchers said ARMv7 hardware is “still the most dominant platform with a market share of over 97 percent.”
