Experts agree that the Rowhammer vulnerability revealed this week likely isn't much of a concern for enterprises, but disagree on whether it marks a new rise in hardware vulnerabilities.
Google's Project Zero research team Monday disclosed a proof-of-concept exploit, dubbed the Rowhammer vulnerability, in DDR3 DRAM modules. The news caught the attention of the infosec world because researchers claimed the flaw could allow attackers to gain kernel-level privileges on Linux and potentially some other systems.
But in interviews with SearchSecurity this week, experts said that most organizations have little to fear from Rowhammer because the systems most likely to be targeted by attackers use memory that is not vulnerable to Rowhammer.
"It doesn't affect enterprise systems that have ECC memory," said Robert Graham, CEO of Atlanta-based Errata Security. "Most enterprise systems that handle sensitive data have ECC memory."
Graham also noted that the Rowhammer vulnerability is best used as a way to escalate privileges after a hacker has already gained access to a machine, and that, in practice, it can't be used to take control of that machine.
Colby Moore, research engineer at San Francisco-based Synack Inc., said it is unlikely that Rowhammer will be part of any widespread malware, because the attack vector is too specific.
"At best, it could be part of a nation-state attack that is very targeted," said Moore, "one where the attacker knows the machine and memory, and knows it is vulnerable."
The experts noted that hardware manufacturers appeared to be aware of the vulnerability, but saw it as so difficult to successfully exploit that it wasn't worth fixing. Rob Enderle, principal analyst for San Jose, Calif.-based Enderle Group Inc., said that manufacturers fixed the issue in DDR4 because the bit-switching problem behind Rowhammer was making the chips less reliable, and that closing the Rowhammer vulnerability at the same time was not the real aim of the changes.
Beyond these difficulties in leveraging Rowhammer as an attack, experts said that virtualization adds another layer of protection against the vulnerability because it is a layer of abstraction that makes it much more difficult to know the geometry of the physical memory, which is essential to a successful attack.
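As an added example, not from the article or from the experts quoted in it: a POSIX shell check a defender can run to confirm the mitigation Graham cites, namely whether a Linux host reports ECC memory, plus a tally of the corrected-error counters the kernel's EDAC driver exposes. It assumes `dmidecode -t memory` output and the `/sys/devices/system/edac/mc/mc*/ce_count` sysfs layout; the sample outputs embedded below are constructed.

```shell
#!/bin/sh
# Added example, not from the article. Two defender-side checks for the ECC
# mitigation discussed above. Sample dmidecode text below is constructed.

# 1) Print the "Error Correction Type" of the first Physical Memory Array
#    found in `dmidecode -t memory` output read from stdin.
ecc_type_from_dmidecode() {
    sed -n 's/^[[:space:]]*Error Correction Type:[[:space:]]*//p' | head -n 1
}

# 2) Exit 0 when the reported type is an ECC variant (e.g. "Multi-bit ECC"),
#    exit 1 for "None" or anything unrecognised. Input: dmidecode text on stdin.
has_ecc() {
    case "$(ecc_type_from_dmidecode)" in
        *ECC*) return 0 ;;
        *)     return 1 ;;
    esac
}

# 3) Sum the corrected-error counters exposed by the Linux EDAC driver.
#    On an ECC host a rising count is the signal that bit flips are being
#    corrected; the optional argument overrides the sysfs root for testing.
edac_corrected_errors() {
    edac_root="${1:-/sys/devices/system/edac/mc}"
    total=0
    for f in "$edac_root"/mc*/ce_count; do
        [ -r "$f" ] || continue          # unmatched glob or unreadable file
        total=$(( total + $(cat "$f") ))
    done
    printf '%s\n' "$total"
}

# Constructed samples in the shape dmidecode prints (not real hardware data).
SAMPLE_ECC='Physical Memory Array
        Location: System Board Or Motherboard
        Error Correction Type: Multi-bit ECC
        Maximum Capacity: 64 GB'
SAMPLE_NO_ECC='Physical Memory Array
        Location: System Board Or Motherboard
        Error Correction Type: None
        Maximum Capacity: 16 GB'

# Live mode against the running host (needs root for dmidecode).
if [ "${1:-}" = "--live" ]; then
    if dmidecode -t memory | has_ecc; then echo "ECC: yes"; else echo "ECC: no"; fi
    echo "EDAC corrected errors: $(edac_corrected_errors)"
fi
```

A host that reports "None" has no ECC protection to correct a flipped bit, which is the case the experts say is exposed; a host with ECC whose `ce_count` climbs is worth investigating either way.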
Hardware vulnerabilities of the future
However, experts disagreed over whether Rowhammer marks the beginning of a new wave of hardware vulnerabilities, both unintentional flaws and malicious backdoors built in through hijacked manufacturing processes.
Both Enderle and Moore believed it is likely that Rowhammer will be the first of many hardware vulnerabilities discovered. Each said that the tools required to find hardware vulnerabilities are getting better and less expensive, and that more groups will be actively looking for these types of vulnerabilities. The only question is who will find them first.
"The problem is that OEMs don't have the budgets to find these vulnerabilities," Enderle said. "So, those who will discover the hardware vulnerabilities may not have our best interests in mind, and may look to exploit them rather than publish them."
Graham disagreed, saying that the proof was in the history of hardware vulnerabilities, which has shown new hardware vulnerabilities are found and then quickly disappear. As examples, he noted bit-squatting attacks and packet-in-packet attacks, in which packets were sent to a Wi-Fi-enabled device in the hope that a radio wave would get corrupted locally and allow an attacker access to the system.
Graham said that hardware vulnerabilities get buzz because they are interesting from a hacker's perspective, but not necessarily because they are legitimately important or pose a big threat.
"They tend to be fun to exploit, but involve a lot of random chance," Graham said. "The next [hardware vulnerability] will either be very weird and make people panic, or they'll [sic] be like the last few and we ignore them."