New Rowhammer GPU attack can hijack your Android phone remotely
Security researchers have proven that Rowhammer flaws in DRAM chips can be used to attack Android smartphones. Rowhammer is a hardware bug in DRAM memory modules that relies on a phenomenon called bit flipping.
All computer data is ultimately stored as 0s and 1s, and a bit flip inverts one of these values inside the DIMM (0 becomes 1 and 1 becomes 0). Although it sounds harmless, Google’s Project Zero team discovered in 2014 that the vulnerability could be used to gain administrator privileges or bypass software security measures by targeting specific portions of memory.
This is a big problem. By using the Rowhammer effect, a program can in principle manipulate other software that resides in the computer’s DRAM, including the operating system itself.
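To make the bit-flip threat concrete from the defender’s side, here is an added example (not code from the article or from the GLitch paper): a Python simulation of a memory word protected by a SECDED Hamming code, the single-error-correcting, double-error-detecting scheme that ECC DRAM uses. The 16-bit sample word is constructed for the demo. A single inverted bit, of the kind Rowhammer induces, is located and repaired; two flips in the same word are detected as uncorrectable instead of being silently accepted.

```python
"""Simulated DRAM word under a SECDED Hamming code (illustrative, not the article's code)."""
from typing import List, Tuple

# Constructed sample: a 16-bit "memory word", e.g. part of a permission or page-table entry.
SAMPLE_WORD = [1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1]


def _num_parity_bits(m: int) -> int:
    """Smallest r with 2**r >= m + r + 1 (enough parity bits to address every position)."""
    r = 0
    while (1 << r) < m + r + 1:
        r += 1
    return r


def hamming_encode(data: List[int]) -> List[int]:
    """Return a codeword indexed 1..n; index 0 holds the overall parity bit (SECDED extension)."""
    m = len(data)
    r = _num_parity_bits(m)
    n = m + r
    code = [0] * (n + 1)
    bits = iter(data)
    for i in range(1, n + 1):
        if i & (i - 1) != 0:          # positions that are not powers of two carry data
            code[i] = next(bits)
    for p in (1 << k for k in range(r)):
        parity = 0
        for i in range(1, n + 1):
            if i & p and i != p:      # parity bit p covers every position whose index has bit p set
                parity ^= code[i]
        code[p] = parity
    overall = 0
    for i in range(1, n + 1):
        overall ^= code[i]
    code[0] = overall                 # extra parity bit lets us tell one flip from two
    return code


def hamming_decode(code: List[int]) -> Tuple[str, List[int]]:
    """Return (status, data). status is 'ok', 'corrected' or 'uncorrectable'."""
    n = len(code) - 1
    word = list(code)
    # For a valid codeword the XOR of the indices of all set bits is 0; a single flip
    # at position e makes that XOR equal to e, so it doubles as the error locator.
    syndrome = 0
    for i in range(1, n + 1):
        if word[i]:
            syndrome ^= i
    overall = 0
    for b in word:
        overall ^= b
    if syndrome == 0 and overall == 0:
        status = "ok"
    elif overall == 1:
        # Odd number of flips (assume one): repair it. syndrome == 0 means the
        # flipped bit was the overall parity bit itself at index 0.
        word[syndrome] ^= 1
        status = "corrected"
    else:
        # Even number of flips with a non-zero syndrome: two bits flipped, cannot repair.
        return "uncorrectable", []
    data = [word[i] for i in range(1, n + 1) if i & (i - 1) != 0]
    return status, data


def flip_bits(code: List[int], positions: List[int]) -> List[int]:
    """Simulate Rowhammer-style bit inversions at the given codeword positions."""
    out = list(code)
    for p in positions:
        out[p] ^= 1
    return out


def demo() -> dict:
    cw = hamming_encode(SAMPLE_WORD)
    return {
        "clean": hamming_decode(cw)[0],
        "single_flip": hamming_decode(flip_bits(cw, [7])),
        "parity_bit_flip": hamming_decode(flip_bits(cw, [0])),
        "double_flip": hamming_decode(flip_bits(cw, [3, 9]))[0],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point for a defender is the last case: plain ECC repairs one flip per word, but a second flip in the same word is only detected, not corrected, which is why ECC is a mitigation for Rowhammer rather than a complete fix.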
Since the discovery of the Rowhammer vulnerabilities in 2014, security experts have been studying this threat and showing how it could be exploited maliciously.
Two years ago, security researchers at Vrije Universiteit Amsterdam in the Netherlands demonstrated how a malicious application could use Rowhammer to compromise Android phones and gain administrative privileges.
Last Thursday, the same group of security researchers successfully used Rowhammer to compromise an Android smartphone in two minutes through a mobile browser, using only JavaScript.
The researchers called their proof-of-concept attack “GLitch” and published their findings in a new paper.
“We demonstrate the potential of such attacks by bypassing state-of-the-art browser defenses and presenting the first reliable GPU-based rowhammer attack that compromises a browser on a phone in under two minutes.”
Their attack demo on a Nexus 5 shows that it can gain read/write access through the Firefox browser, allowing the researchers to execute code on the device. To manipulate DRAM, the attack exploited Firefox’s support for JavaScript APIs that expose the device’s graphics processor.
The researchers wrote in their paper: “The precise timing capabilities provided by WebGL can allow an attacker to determine the difference between cached DRAM accesses and uncached DRAM accesses. This can allow an attacker to determine contiguous areas of physical DRAM memory. Knowledge of contiguous memory regions is used in a number of microarchitectural attacks, such as rowhammer.” It is worth noting that Google’s Chrome browser is also vulnerable to similar threats.