App proves Rowhammer can be exploited to root Android phones – and there's little Google can do to fully kill it
Hardware vuln strikes 18 of 27 tested mobes
Security researchers have demonstrated how to gain root privileges from a normal Android app without relying on any software bug.
The unprivileged application is able to gain full administrative permissions by exploiting the Rowhammer vulnerability present in modern RAM chips. Essentially, malicious code can change the content of memory it should never be able to access.
This means rogue mobile applications can abuse this hardware flaw to commandeer people's handhelds.
The effect is pure physics and yet exploitable through software: RAM is assembled in rows of cells, and it is possible to flip bits in a row by repeatedly accessing the cells in an adjacent row. By continuously accessing cells, software can trigger voltage fluctuations in the RAM chips' control electronics. This causes cells in rows adjacent to the one being accessed to discharge faster than normal, meaning they lose the information they were holding.
This can be exploited to alter bits in RAM one by one, and manipulate crucial operating system data to gain root privileges. With admin access, the software can completely hijack the device, install malware and spyware, and so on.
Most – but not all – Android smartphones are potentially vulnerable to this attack, we're told.
A team from Vrije Universiteit, Amsterdam and other academics have documented how this Rowhammer effect, previously demonstrated on Microsoft Edge and public clouds, also affects Android smartphones as well as PCs and servers.
The group have developed and released Drammer, which exploits Rowhammer to take control of a mobile device by tampering with its physical memory, proving the attack technique is practical rather than a lab-only exercise. Drammer has no special permissions – it is a normal unprivileged app – and yet is able to gain root-level access to the device.
The researchers explain:
The Rowhammer vulnerability allows attackers to change data in memory without accessing it directly, by reading from another memory region exhaustively (hence hammering). To date, it was assumed that mobile, ARM-based devices would be too slow to trigger these so-called bit flips, limiting Rowhammer attacks to stationary PCs and servers. This work squashes that common belief and shows how attackers can exploit the hardware bug in a fully deterministic and reliable manner.
Drammer – developed in collaboration with the University of California at Santa Barbara and Graz University of Technology in Austria – uses Flip Feng Shui to achieve reliable Rowhammer exploitation.
Not every phone is vulnerable to the Rowhammer bug. The researchers performed bit flips in 18 out of 27 tested phones, including some (former) flagship models like Google's Nexus 5 or the LG G4.
Google told El Reg that it had worked out a software fix designed to mitigate against attacks, which will become available in November. A spokesperson told us:
After researchers reported this issue to our Vulnerability Rewards Program, we worked closely with them to deeply understand it in order to better secure our users. We’ve developed a mitigation which we will include in our upcoming November security bulletin.
The team that developed the attack warned that Google can only go so far toward resolving what boils down to a hardware problem.
“Google scrambled to try and fix the problem, but they cannot really do it as the problem is in hardware,” Herbert Bos, professor of systems security at Vrije Universiteit Amsterdam and supervisor of the research, told El Reg. “Also, since the Android market is so fragmented, this patch will probably never reach most of the phones.”
More details of the research are due to be unveiled on Wednesday, October 26, at the Conference on Computer and Communications Security (CCS), a security conference in Vienna, Austria, by Victor van der Veen, lead author of the paper. ®