New Drammer Android Hack Lets Apps Take Full Control (Root) of Your Phone

Earlier last year, security researchers from Google's Project Zero outlined a way to hijack computers running Linux by abusing a design flaw in the memory and gaining higher kernel privileges on the system.

Now, the same previously found design weakness has been exploited to gain unfettered "root" access to millions of Android smartphones, allowing potentially anyone to take control of affected devices.

Researchers in the VUSec Lab at Vrije Universiteit Amsterdam have discovered a vulnerability that targets a device's dynamic random access memory (DRAM) using an attack called Rowhammer.

Although we are already aware of the Rowhammer attack, this is the very first time that researchers have successfully used this attack to target mobile devices.

What is DRAM Rowhammer Attack?


The Rowhammer attack against mobile devices is equally dangerous because it potentially puts all critical data on millions of Android phones at risk, at least until a security patch is available.

The Rowhammer attack involves executing a malicious application that repeatedly accesses the same "row" of transistors on a memory chip in a tiny fraction of a second, in a process called "Hammering."

As a result, hammering a memory region can disturb a neighboring row, causing the row to leak electricity into the next row, which eventually causes a bit to flip. And since bits encode data, this small change modifies that data, creating a way to gain control over the device.

In short, Rowhammer is an issue with new generation DRAM chips in which repeatedly accessing a row of memory can cause "bit flipping" in an adjacent row that could allow anyone to change the value of contents stored in the memory.
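
The disturbance mechanism described above can be modelled from the defender's side as a count of adjacent-row activations per refresh window, which is why the access rate matters and not just the total number of accesses. The following C model is an added example, not code from the article or from the researchers; the 8-row bank, the 64 ms refresh window, the 50,000-activation threshold and the three traces are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

#define ROWS        8      /* rows in the toy bank (constructed) */
#define WINDOW_MS   64     /* refresh interval assumed by the model */
#define DISTURB_MAX 50000  /* unsafe neighbour activations per window (constructed) */

/* One sample: `count` activations of `row` during millisecond `t_ms`. */
struct sample { unsigned t_ms, row, count; };

/* Bitmask of victim rows whose adjacent rows were activated more than
 * DISTURB_MAX times inside one refresh window. Samples are time-ordered. */
unsigned rows_at_risk(const struct sample *s, size_t n)
{
    unsigned long disturb[ROWS] = {0};
    unsigned mask = 0, window = 0;

    for (size_t i = 0; i < n; i++) {
        if (s[i].row >= ROWS)
            continue;                            /* skip malformed samples */
        if (s[i].t_ms / WINDOW_MS != window) {
            window = s[i].t_ms / WINDOW_MS;
            memset(disturb, 0, sizeof disturb);  /* refresh recharges every row */
        }
        /* Each activation disturbs the rows directly above and below. */
        if (s[i].row > 0)        disturb[s[i].row - 1] += s[i].count;
        if (s[i].row + 1 < ROWS) disturb[s[i].row + 1] += s[i].count;
        for (unsigned r = 0; r < ROWS; r++)
            if (disturb[r] > DISTURB_MAX)
                mask |= 1u << r;
    }
    return mask;
}

/* Constructed traces, not measurements from a real device. */
static const struct sample spread[] = {{0,1,3000},{1,2,3000},{2,5,3000},{70,1,3000}};
static const struct sample burst[]  = {{0,2,15000},{1,4,15000},{2,2,15000},{3,4,15000}};
static const struct sample slowed[] = {{0,2,15000},{1,4,15000},{64,2,15000},{65,4,15000}};

int main(void)
{
    printf("spread: 0x%02x\n", rows_at_risk(spread, 4));
    printf("burst:  0x%02x\n", rows_at_risk(burst, 4));
    printf("slowed: 0x%02x\n", rows_at_risk(slowed, 4));
    return 0;
}
```

The `burst` and `slowed` traces contain the same total number of activations; only the burst that lands inside a single refresh window flags row 3.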

Is Your Android Phone Vulnerable?


To test the Rowhammer attack on mobile phones, the researchers created a new proof-of-concept exploit, dubbed DRAMMER, and found their exploit successfully altered crucial bits of data in a way that completely roots big brand Android devices from Samsung, OnePlus, LG, Motorola, and possibly other manufacturers.

The researchers successfully rooted Android handsets including Google's Nexus 4 and Nexus 5; LG's G4; Samsung Galaxy S4 and Galaxy S5; Motorola's Moto G models from 2013 and 2014; and OnePlus One.

"Not only does our [DRAMMER] attack show that practical, deterministic Rowhammer attacks are a real threat to billions of mobile users, but it is also the first effort to show that Rowhammer is...(reliably exploitable) on any platform other than x86 and with a much more limited software feature set than existing solutions," the researchers wrote in their paper [PDF] titled, "Drammer: Deterministic Rowhammer Attacks on Mobile Platforms."

How does the DRAMMER Attack Work? (Exploit Source Code)

The researchers created an app — containing their rooting exploit — that requires no special user permissions in order to avoid raising suspicion. The DRAMMER attack would then need a victim to download the app laced with malware (the researchers' exploit code) to execute the hack.

The researchers took advantage of an Android mechanism called the ION memory allocator to gain direct access to the dynamic random access memory (DRAM).

Besides giving every app direct access to the DRAM, the ION memory allocator also allows identifying adjacent rows on the DRAM, which is an important factor for generating targeted bit flips.

Knowing this, the researchers then had to figure out how to use the bit flipping to achieve root access on the victim's device, giving them full control of the target phone and the ability to do anything from accessing data to taking photos.
"On a high level, our technique works by exhausting available memory chunks of different sizes to drive the physical memory allocator into a state in which it has to start serving memory from regions that we can reliably predict," the paper reads.
"We then force the allocator to place the target security-sensitive data, i.e., a page table, at a position in physical memory which is vulnerable to bit flips and which we can hammer from adjacent parts of memory under our control."
Once you download this malicious app, the DRAMMER exploit takes over your phone within minutes – or even seconds – and runs without your interaction. The attack continues to run even if you interact with the app or put your phone in "sleep" mode.

The researchers expect to soon publish an app [source code available here] that will let you test your Android smartphone yourself and anonymously include your results in a running tally, which will help researchers track the list of vulnerable devices.

DRAMMER Has No Quick Fix


The group of researchers privately disclosed its findings to Google in July, and the company designated the flaw as "critical," awarding the researchers $4,000 under its bug bounty program.

Google says the company informed its manufacturing partners of the issue earlier this month and has developed a mitigation, which it will include in its upcoming November security bulletin, to make the DRAMMER attack much harder to execute.

However, the researchers warned that one could not replace the memory chip in Android smartphones that have already been shipped.

And even some software features that DRAMMER exploits are so fundamental and essential to any OS that they are difficult to remove or modify without impacting the user experience.

In short, the attack is not easy to patch in the next generation of Android phones.

Video Demonstration of DRAMMER Attack on Android 6.0.1

The researchers have also published two proof-of-concept videos that demonstrate the DRAMMER attack in action against an unrooted LG Nexus 5.

In the first video, the phone is running Android 6.0.1 with security patches Google released on October 5.

In the second video, the researchers show how the DRAMMER attack can be combined with the Stagefright bug that remains unpatched in many older Android handsets.
The Stagefright exploit gives the researchers an advanced shell, and by running the DRAMMER exploit, the shell gains root access.

The researchers' exploit can target the majority of the world's Android phones.
"Our research shows that practical large-scale Rowhammer attacks are a serious threat and while the response to the Rowhammer has been relatively slow from vendors, we hope our work will accelerate mitigation efforts both in industry and academia," the researchers concluded.
The group's research focuses on Android rather than iOS because the researchers are intimately familiar with Google's mobile OS, which is based on Linux. But the group says it would theoretically be possible to replicate the same attack in an iPhone with additional research.

A team of researchers from VUSec at Vrije Universiteit Amsterdam, the University of California at Santa Barbara, and the Graz University of Technology conducted the research, and they'll be presenting their findings later this week at the 23rd ACM Conference on Computer and Communications Security in Vienna, Austria.

For more detailed information, you can head on to this informational page about DRAMMER and this paper published early this morning.