A new hardware-based attack that allows adversaries to get root privileges on target devices threatens the security of many popular Android handsets, including the LG Nexus 5, the Samsung Galaxy S5, and Galaxy S6.
The new attack is an extension of a technique known as Rowhammer in which an attacker repeatedly accesses specific areas of memory, causing bits in other memory locations to flip, either from a one to a zero, or from a zero to a one. The attack has been demonstrated on desktop machines in the past, but new research from Vrije University in Amsterdam and the University of California at Santa Barbara shows that it succeeds against many Android devices as well, and can give an attacker root access without the need for a software vulnerability. The Android attack is known as Drammer.
“Drammer is a new attack that exploits the Rowhammer hardware vulnerability on Android devices. It allows attackers to take control over your mobile device by hiding it in a malicious app that requires no permissions. Practically all devices are possibly vulnerable and must wait for a fix from Google in order to be patched. Drammer has the potential to put millions of users at risk, especially when combined with existing attack vectors like Stagefright or BAndroid,” the Dutch researchers said in an explanation of the technique.
The research teams have released an app that will determine whether a given Android handset is vulnerable to the Drammer attack. They disclosed their new technique to Google’s Android security team in July, and the company is releasing a patch for it next month.
“Note that, although Google’s patch round from November complicates our attack, it does not eradicate it. We hope to see a more sophisticated fix soon,” the researchers said.
Researchers from Carnegie Mellon University and Intel Labs published research on the Rowhammer attack a couple of years ago, and the issue has been discussed in the security research community for some time. The attack affects DRAM memory specifically, and works because of the way that modern memory chips are designed.
“As DRAM manufacturing scales down chip features to smaller physical dimensions, to fit more memory capacity onto a chip, it has become harder to prevent DRAM cells from interacting electrically with each other. As a result, accessing one location in memory can disturb neighbouring locations, causing charge to leak into or out of neighbouring cells. With enough accesses, this can change a cell’s value from 1 to 0 or vice versa,” researchers from Google’s Project Zero wrote in an analysis of Rowhammer attacks last year.
In order to execute the new Drammer attack, an adversary would need control of an app without any permissions on a target Android device.
“We show that deterministic Rowhammer attacks are feasible on commodity mobile platforms and that they cannot be mitigated by current defenses. Rather than assuming special memory management features, our attack, Drammer, solely relies on the predictable memory reuse patterns of standard physical memory allocators. We implement Drammer on Android/ARM, demonstrating the practicability of our attack, but also discuss a generalization of our approach to other Linux-based platform,” the research paper says.
The researchers have not released exploit code for the issue, but have released the source code of the app that demonstrates the attack.