lolloj - Fotolia
Researchers developed a new proof of concept for an Android Rowhammer attack that can be launched remotely. How effective is this proof of concept and what risk does it pose to Android users?
The first published research on Android Rowhammer appeared in 2014. The following year, Google's Project Zero revealed a working privilege escalation exploit that could be used to gain unrestricted access to all the physical memory installed on a device. Although this hardware-based attack bypassed core system protections and managed to change the contents of memory locations, it was difficult to execute, and so it remained a largely theoretical attack vector.
However, members of the VUSec research group at Vrije Universiteit in Amsterdam have demonstrated a Rowhammer-based exploit that can remotely execute malicious code on certain Android devices by using the device's graphics processing unit (GPU). Previous Android attacks, such as Drammer, required the user to install a malicious app, but the Rowhammer attack can be launched just by a user visiting a malicious website, potentially making it more of a threat.
This exploit is called GLitch, and instead of relying solely on CPUs for hammering, it uses a device's GPU. The name is derived from that fact that it uses the WebGL programming interface to render graphics to trigger a known glitch in DDR3 and DDR4 memory chips.
The researchers were able to successfully exploit two devices running on the Snapdragon 800/801 series systems-on-a-chip with OpenGL 2.0. Fortunately, OpenGL 2.0 was replaced by OpenGL 3.0 in Android 4.3 in mid-2013, greatly reducing the number of vulnerable devices -- less than 5% of Android devices currently run versions older than 4.3. Also, these particular Snapdragon chips are four years old, further limiting the number of exploitable devices.
Both Chrome and Firefox are being updated so that some of the functions that make GPU-based Rowhammer exploits possible can be disabled or redesigned. For example, a WebGL extension called EXT_DISJOIN_TIMER_QUERY, which gave attackers a key tool to build a GPU-based side channel, has been disabled. These changes are likely to make GLitch a less reliable exploit and remove any immediate threat to most end users.
Given the significant amount of reverse-engineering required and the advent of Android Rowhammer mitigations in newer phones, GLitch is unlikely to become a mainstream attack vector. However, GPUs are employed in all smartphones, so the user base is enormous, making it worthwhile for cybercriminals with the right resources or state-sponsored attackers to look for other potential vulnerabilities in GLitch.
Because Android Rowhammer exploits a computer hardware weakness, no software patch can completely fix the problem, so concerned users with older devices or enterprises running systems with older components need to upgrade to those with mitigations designed to prevent bit flipping, such as target row refresh and error correcting code.
Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)
Dig Deeper on BYOD and mobile device security best practices
Related Q&A from Michael Cobb
A technique called Process Doppelgänging was used by the SynAck ransomware to bypass security software. Expert Michael Cobb explains how this ... Continue Reading
A Telegram malware called Telegrab targets Telegram's desktop instant messaging service to collect and exfiltrate cache data. Expert Michael Cobb ... Continue Reading
Android P integrates Android Protected Confirmation, which provides sufficient trust in the authentication process. Learn more about this new feature... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.