GLitch: New Rowhammer Attack Can Remotely Hijack Android Phones

0
1233

For the very first time, security researchers have discovered an effective way to exploit a four-year-old hacking technique called Rowhammer to hijack an Android phone remotely.

Dubbed GLitch, the proof-of-concept technique is a new addition to the Rowhammer attack series which leverages embedded graphics processing units (GPUs) to carry out a Rowhammer attack against Android smartphones.

Rowhammer is a problem with recent generation dynamic random access memory (DRAM) chips in which repeatedly accessing a row of memory can cause “bit flipping” in an adjacent row, allowing anyone to change the value of contents stored in computer memory.

Known since at least 2012, the issue was first exploited by Google’s Project Zero researchers in early 2015, when they pulled off remote Rowhammer attacks on computers running Windows and Linux.

Last year, a team of researchers in the VUSec Lab at Vrije Universiteit Amsterdam demonstrated that the Rowhammer technique could also work on Android smartphones, but with a major limitation of a malicious application being first installed on the target phone.

However, the same team of researchers has now shown how their proof-of-concept attack “GLitch,” can exploit the Rowhammer attack technique simply by hosting a website running malicious JavaScript code to remotely hack an Android smartphone under just 2 minutes, without relying on any software bug.

Since the malicious code runs only within the privileges of the web browser, it can spy on user’s browsing pattern or steal their credentials. However, the attacker cannot gain further access to user’s Android phone.

Here’s How GLitch Attack Works

GLitch is the first remote Rowhammer technique that exploits the graphics processing units (GPU), which is found in almost all mobile processors, instead of the CPU that was exploited in all previous theorized versions of the Rowhammer attack.

Since the ARM processors inside Android smartphones include a type of cache that makes it difficult to access targeted rows of memory, researchers make use of GPU, whose cache can be more easily controlled, allowing hackers to hammer targeted rows without any interference.

The technique is named GLitch with first two letters capitalized because it uses a widely used browser-based graphics code library known as WebGL for rendering graphics to trigger a known glitch in DDR3 and DDR4 memory chips.

Currently, GLitch targets smartphones running the Snapdragon 800 and 801 system on a chip—that includes both CPU and GPU—meaning the PoC works only on older Android phones like the LG Nexus 5, HTC One M8, or LG G2. The attack can be launched against Firefox and Chrome.

In a video demonstration, the researchers show their JavaScript-based GLitch attack on a Nexus 5 running over Mozilla’s Firefox browser to gain read/write privileges, giving them the ability to execute malicious code over the software.

“If you’re wondering if we can trigger bit flips on Chrome the answer is yes, we can. As a matter of fact, most of our research was carried out on Chrome,” the researchers said. “We then switched to Firefox for the exploit just because we had prior knowledge of the platform and found more documentation.”

No Software Patch Can Fully Fix the Rowhammer Issue

Since Rowhammer exploits a computer hardware weakness, no software patch can completely fix the issue. Researchers say the Rowhammer threat is not only real but also has the potential to cause some real, severe damage.

Although there’s no way to fully block an Android phone’s GPU from tampering with the DRAM, the team has been working with Google on ways to solve the problem.

For more in-depth details on the new attack technique, you can head on to this informational page about GLitch and this paper [PDF] published by the researchers.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Questo sito usa Akismet per ridurre lo spam. Scopri come i tuoi dati vengono elaborati.