Rowhammer vulnerability: After PCs are affected, Android devices are also vulnerable


The Rowhammer hardware vulnerability was first discovered in PCs, and researchers have now demonstrated a Rowhammer attack that can be exploited on mobile devices.

The attack, which is highly effective against ARM-based mobile hardware and allows malware to gain root-level privileges on a targeted Android device, was developed jointly by researchers from Vrije Universiteit Amsterdam, Graz University of Technology, and the University of California, Santa Barbara.

The researchers describe Rowhammer as a hardware vulnerability that allows an attacker to manipulate data in memory without having to access it. More specifically, repeatedly reading from a specific memory location can cause bits elsewhere in memory to flip (1 to 0, or 0 to 1).

Traditional Rowhammer exploits are unreliable because bit flips are unpredictable, and, the researchers say, experts have questioned whether ARM memory controllers are fast enough to trigger bit flips.

However, these researchers used the predictable behavior of the default physical memory allocator and its memory reuse patterns to reliably control the layout of physical memory and deterministically place security-sensitive data at vulnerable physical memory locations chosen by the attacker.

The technique, which the researchers call "physical feng shui," creates a deterministic Rowhammer exploit, making the attack more reliable.

Liviu Arsene, a senior e-threat researcher at anti-malware firm Bitdefender, said this approach could make attacks faster.

"Because this attack uses a deterministic Rowhammer attack, it means that it takes less time to create bit flips in the target physical memory area, so this attack takes less time," Arsene said. "This attack itself is particularly dangerous because it can successfully control vulnerable physical memory pages in a short period of time, increasing the chances of exploitation."

According to the researchers, this Rowhammer attack can be hidden in a malicious Android app that does not require special permissions to run and control the device. The researchers said that most Android systems may be vulnerable to the attack, as 17 out of 21 32-bit ARMv7 and one out of six 64-bit ARMv8 phones tested were vulnerable to the Rowhammer attack. The researchers also pointed out that ARMv7 hardware is the dominant platform with a market share of more than 97%.

However, it is not certain whether this poses a real risk to users, as Samsung Galaxy smartphones (by far the best-selling devices) achieved the best results in the tests. The researchers noted that the Samsung Galaxy S4 and Galaxy S5 are vulnerable to the attack, but the S4 is not included in the dataset in their paper and the S5 did not exhibit bit flips when tested. In addition, the Samsung Galaxy S6 is not vulnerable to the Rowhammer attack.

"From this research, it is not clear whether this is a hardware flexibility or architecture issue, as ARMv8 is a 64-bit architecture," Arsene said. "This attack is more likely to work on specific memory chipsets or brands."

Guillaume Ross, senior security consultant for global services at Rapid7, said Google could make attacks more difficult by implementing additional controls on how unauthorized apps can access memory.

"For most end users, it is important to ensure they keep their devices updated and obtain software from legitimate sources. Because privilege escalation issues are commonly found on many operating systems, we should assume that applications may attempt malicious actions," Ross said. "It is reasonable to expect that applications attempting to perform such attacks could be discovered and disabled, although there has not been any targeted attack activity to date."

Arsene believes that installing apps only from the Google Play Store is a best practice, but that it does not eliminate the risk entirely.

"There is always a risk of installing malware, even from the official app store," Arsene said. "We've seen this happen in the past, and it will happen again. It all depends on whether Google security will discover these malicious behaviors in the app and whether there will be new security patches to fix the problems caused by this type of attack."

The researchers confirmed that a deterministic Rowhammer attack could pose a real threat to billions of mobile phone users, but the research only revealed the possibility of a Rowhammer attack on platforms other than x86.

Arsene said users probably don't need to worry too much. "While proof of concept of the feasibility of this attack has been demonstrated, the chances of seeing it in practice are relatively small, and it doesn't seem to work across all devices and hardware," he said.
