Earlier last year, security researchers from Google’s Project Zero outlined a way to hijack the computers running Linux by abusing a design flaw in the memory and gaining higher kernel privileges on the system.
Now, the same previously found designing weakness has been exploited to gain unfettered “root” access to millions of Android smartphones, allowing potentially anyone to take control of the affected devices.
Experts from the VUSec Lab at Vrije Universiteit Amsterdam have discovered a vulnerability that could be exploited to gain “root” access to millions of Android smartphones targeting the device’s dynamic random access memory (DRAM). using an attack called DRAMMER.
The attack called Rowhammer, is not new, but this is the first time it was successfully used against target mobile devices.
On March 2015, security researchers at Google’s Project Zero team demonstrated how to hijack the Intel-compatible PCs running Linux by exploiting the physical weaknesses in certain varieties of DDR DRAM (double data rate dynamic random-access memory) chips.
By exploiting the rowhammer technique the hackers can obtain higher kernel privileges on the target system. Rowhammer is classified as a problem affecting some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows, this means that theoretically an attacker can change any value of the bit in the memory.
The Rowhammer attack for mobile device involves a malicious application that once in execution repeatedly accesses the same “row” of transistors on a memory chip in a tiny fraction of a second (Hammering process)
Hammering a specific portion of memory can electrically interfere with neighboring row. This interference can cause the row to leak electricity into the next row, which eventually causes a bit to flip and consequent data modification.
An attacker can exploit these modifications to execute its code and gain control of the device.
In short, Rowhammer is an issue with new generation DRAM chips in which repeatedly accessing a row of memory can cause “bit flipping” in an adjacent row that could allow anyone to change the value of contents stored in the memory.
The researchers created a proof-of-concept exploit, dubbed DRAMMER, to test mobile the Rowhammer attack on mobile devices.
The hack could modify crucial bits of data allowing an attacker to root Android devices from major vendors, including Samsung, OnePlus, LG, and Motorola.
The experts exploited the Android mechanism known as the ION memory allocator to give an app a direct access to the dynamic random access memory (DRAM). The ION memory allocator also allows the attackers to identify adjacent rows on the DRAM, which is essential to power the Rowhammer attack by generating bit flips.
The ability allowed the researchers to achieve root access on the victim’s device, giving them full control of the mobile device.
“On a high level, our technique works by exhausting available memory chunks of different sizes to drive the physical memory allocator into a state in which it has to start serving memory from regions that we can reliably predict,” states the paper.
“We then force the allocator to place the target security-sensitive data, i.e., a page table, at a position in physical memory which is vulnerable to bit flips and which we can hammer from adjacent parts of memory under our control.”
“Drammer is a new attack that exploits the Rowhammer hardware vulnerability on Android devices. It allows attackers to take control over your mobile device by hiding it in a malicious app that requires no permissions. Practically all devices are possibly vulnerable and must wait for a fix from Google in order to be patched. Drammer has the potential to put millions of users at risk, especially when combined with existing attack vectors like Stagefright or BAndroid.” states a blog post published by the researchers.
The experts successfully rooted Android handsets including Google’s Nexus 4 and Nexus 5; LG’s G4; Samsung Galaxy S4 and Galaxy S5, Motorola’s Moto G models from 2013 and 2014; and OnePlus One.
“Not only does our [DRAMMER] attack show that practical, deterministic Rowhammer attacks are a real threat to billions of mobile users, but it is also the first effort to show that Rowhammer is…(reliably exploitable) on any platform other than x86 and with a much more limited software feature set than existing solutions,” reads a paper published by the experts.
The DRAMMER app is able to take over the victim’s mobile within minutes and doesn’t request user’s interaction.
The researchers published two following proof-of-concept videos that demonstrate DRAMMER attack in action against an unrooted LG Nexus 5.
In the first video, the phone is running Android 6.0.1 with security patches Google released on October 5, while in the second one the researchers show how the DRAMMER attack can be combined with Stagefright bug that is still unpatched in many older Android devices.
The researchers have released on GitHub the source code of the DRAMMER app in order to allow users to test their mobile device and anonymously share their results.
The experts reported the issue to Google in July, and the tech giant recognized it as a “critical” vulnerability and awarded the researchers $4,000 under its bug bounty program.
The issue is expected to be partially solved with the upcoming November security bulletin, in this way it will be more difficult for an attacker to launch a DRAMMER attack.
The problem is that some software features that DRAMMER exploits are so essential to any OS, it is not possible to remove or modify them without a significant impact on the overall design of the device.
(Security Affairs – Rowhammer, DRAMMER attack)