The details of the attack, known as DRAMMER, were published today by researchers from the VUSec lab at Vrije Universiteit Amsterdam in The Netherlands. DRAMMER is based on the Rowhammer “bit flip” technique that’s already well known to researchers.
Rowhammer is unusual because it’s a hardware-based attack. When a “row” of transistors on a memory module is repeatedly accessed, or “hammered,” flaws can allow a small amount of electrical current to leak into the next row. When this occurs, a bit of data can “flip” position, altering the information stored within. Gradually, attackers can use this to gain control of the device.
“Rowhammer is a hardware bug that allows attackers to manipulate data in memory without accessing it,” the researchers explained. “More specifically, by reading many times from a specific memory location, somewhere else in memory a bit may flip (a one becomes a zero, or a zero becomes a one).”
The team’s research has demonstrated Rowhammer running on a mobile device for the first time. After a short period of testing, they established it is possible to flip bits on modern smartphones. They went on to build a proof-of-concept exploit app to “hammer” areas of memory and force bits to flip. The result is DRAMMER.
DRAMMER is installed as an innocuous app that does not require any special permissions to run. This is a highly attractive advantage to cybercriminals since it could be disguised as any form of app. The user would not be alerted to the hidden threat beneath by the odd permission requirements typical of malicious apps.
Once installed, DRAMMER is able to completely hijack a device within minutes. It runs without any alert and continues if the phone is locked or another app is launched. After a short period of memory hammering, DRAMMER is able to root the device. This allows it total access to its data, hardware and functions.
DRAMMER works by carefully filling up areas of memory with data. Once it has stored enough data in memory, the memory allocator becomes predictable and is forced to add the new data sequentially, in a position chosen by the researchers.
DRAMMER continues to store excess data in memory but now knows where it is positioned. It then triggers a bit flip to give part of the data privileges it would not usually have. The data continues to be repetitively manipulated through bit flips until it is eventually privileged enough to control the phone.
The attack has been demonstrated successfully on the Nexus 4, Nexus 5, LG G4, Motorola Moto G, Samsung Galaxy S4, Samsung Galaxy S5 and OnePlus One. While the time taken to root can vary, DRAMMER usually roots the phone within a period of minutes. The age and condition of the memory modules determines how likely a bit flip is to occur. Some of the phones could not be compromised, indicating some modules are significantly more resilient to Rowhammer than others.
The attack demonstrates the potential severity of hardware defects. Rowhammer could easily be exploited by attackers using basic apps present in the Google Play Store. There is no readily available software fix. The only long-term solution is to develop more reliable memory that is incapable of being hammered into bit-flipping. “Practically all devices” could be vulnerable, the team said.
The researchers reported their findings to Google in July. The company assigned the flaw a “critical” ranking and paid the group $4,000 under its bug bounty program. The company plans to release an Android update next month that will make it harder to exploit Rowhammer. However, it cannot remedy the problem entirely. Only a small subset of all Android devices will receive the patch.
It’s not just Android that’s susceptible to Rowhammer though. While the researchers have so far concentrated on the platform, they warned that exploits could also be developed for Apple’s iOS and Microsoft’s Windows Phone. Its reach could extend mobile devices altogether, affecting desktop PCs, embedded devices and cloud computing platforms too.
