Rowhammer Attacks Allow Hackers to Gain Root Access to Android Devices

Criminal users have used a new type of attack vector called the Rowhammer attack to gain root privileges on compromised Android devices. This allows hackers to gain access to popular devices such as the flagship models LG G4, Samsung Galaxy S5 and others.

Details About The Rowhammer Attack

An international team of security analysts has created a new way to root (bypass) popular models of Android devices using a Rowhammer attack. This allows attackers to manipulate the data stored in the memory chips and use the predictable memory reuse patterns of standard physical memory allocators to exploit the smart devices.

This effectively means that hackers can craft powerful attacks that “completely subvert a system”. The specialist attack has been demonstrated on several popular handsets including the Nexus 4, Nexus 5, LG G4, Motorola Moto G, Samsung Galaxy S4 and S5 and the OnePlus One.

The demonstrated attack does not rely on any software vulnerabilities or specific user permissions. According to the report, many popular devices are vulnerable to this type of Rowhammer attack.

The essence of every attack of this type is the manipulation of memory: the hackers need to repeatedly access (or “hammer”) a specific target physical memory location until a bit in an adjacent location flips. This bypasses all defences and is used to completely subvert the system.

The researchers demonstrate two types of attacks – a generic and a deterministic one.

The attacks can be initiated if the hackers have access to an unprivileged Android app on an ARM-based device. The hackers can initiate a privilege escalation attack to acquire root privileges.

Mitigation of the Rowhammer Attacks

The researchers point out details about existing solutions that can defend against Rowhammer attacks.

The first group consists of software-based measures, including blacklisting (essentially disallowing or blocking) the rewriting of instructions. This is deployed in Google Native Client (NaCl). However, this has proven to be ineffective, since Rowhammer attacks have been demonstrated in JavaScript code, which can bypass this type of protection.

Another way of countering the vulnerability is the use of hardware-based defenses such as memory modules with error-correcting codes (ECC). However, they are still not effective against most contemporary crafted Rowhammer versions.
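To illustrate where error correction stops helping, the following added example (not from this article or the research paper) implements a toy single-error-correct, double-error-detect code: one flipped bit is repaired, two are flagged, and three come back as wrong data reported as "corrected". The 4-bit word, the function names and the flip patterns are assumptions chosen for illustration; real ECC memory uses wider codes.

```c
/* Added illustration: extended Hamming(8,4) SECDED over one 4-bit value.
   Word size, names and fault patterns are assumptions, not from the article. */
#include <stdint.h>
#include <stdio.h>

enum ecc_status { ECC_OK, ECC_CORRECTED, ECC_UNCORRECTABLE };
static int parity8(uint8_t v) { v ^= v >> 4; v ^= v >> 2; v ^= v >> 1; return v & 1; }

/* XOR of the positions (1..7) of all set bits; 0 for a valid codeword. */
static int syndrome(uint8_t cw) {
    int s = 0;
    for (int i = 1; i < 8; i++) if (cw & (1u << i)) s ^= i;
    return s;
}

/* Data bits sit at positions 3,5,6,7; check bits at 1,2,4; bit 0 is overall parity. */
uint8_t secded_encode(uint8_t nibble) {
    static const int dpos[4] = {3, 5, 6, 7};
    uint8_t cw = 0;
    for (int i = 0; i < 4; i++) if (nibble & (1u << i)) cw |= (uint8_t)(1u << dpos[i]);
    int s = syndrome(cw);
    cw |= (uint8_t)(((s & 1) << 1) | ((s & 2) << 1) | ((s & 4) << 2));
    return (uint8_t)(cw | parity8(cw));
}

enum ecc_status secded_decode(uint8_t cw, uint8_t *nibble) {
    int s = syndrome(cw), odd = parity8(cw);
    enum ecc_status st = ECC_OK;
    if (odd) { cw ^= (uint8_t)(1u << s); st = ECC_CORRECTED; } /* s == 0: parity bit itself */
    else if (s) return ECC_UNCORRECTABLE;                      /* even parity, bad syndrome */
    *nibble = (uint8_t)(((cw >> 3) & 1) | ((cw >> 4) & 0xE));
    return st;
}

/* Store `data`, flip the bits in `flips` (constructed fault pattern), read back. */
enum ecc_status read_after_flips(uint8_t data, uint8_t flips, uint8_t *out) {
    return secded_decode((uint8_t)(secded_encode(data) ^ flips), out);
}

int main(void) {
    static const uint8_t patterns[] = {0x00, 0x20, 0x28, 0x68}; /* 0, 1, 2, 3 flipped bits */
    static const char *names[] = {"ok", "corrected", "uncorrectable"};
    for (int i = 0; i < 4; i++) {
        uint8_t out = 0xFF; /* sentinel: stays 0xFF when the read is refused */
        enum ecc_status st = read_after_flips(0xA, patterns[i], &out);
        printf("flips=0x%02X status=%-13s data=0x%X\n", patterns[i], names[st], out);
    }
    return 0;
}
```

The three-flip case is the one to monitor for in practice: the decoder reports success, so only an independent integrity check on the data would notice the change.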

Proposed measures include restriction of userland interfaces, memory isolation and integrity checks and prevention of memory exhaustion.

The Dangers of The Rowhammer Attacks

In short, there is no easy solution that can efficiently guard against Rowhammer attacks. The demonstration shows that the attack is a real threat to billions of mobile users. The bigger problem is that the Rowhammer technique can also be carried out on virtually all architecture platforms, including the x86 one that is used primarily in desktop computing. The limited number of requirements makes it very easy to deploy against unsuspecting victims.

The researchers intend to make a public demonstration by releasing an app on the Google Play Store. This will allow any Android user to test if their device is vulnerable to the demonstrated research attacks. The security team reported their findings to Google in July. The company has designated the bug with a “critical” rating, which is the highest severity score. The Android team plans to release an update to the mobile operating system code that could partially resolve the issue. However, according to the security researchers, this is not going to be a conclusive solution for the problem.

For more information on the issue you can read the comprehensive research paper titled “Drammer: Deterministic Rowhammer Attacks on Mobile Platforms”.

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
