
Rowhammer Attack Can Now Root Android Devices (softpedia.com)

An anonymous reader writes from a report via Softpedia: Researchers have discovered a method to use the Rowhammer RAM attack for rooting Android devices. For their research paper, called Drammer: Deterministic Rowhammer Attacks on Mobile Platforms, researchers tested and found multiple smartphone models to be vulnerable to their attack. The list includes LG Nexus (4, 5, 5X), LG G4, Motorola Moto G (2013 and 2014), OnePlus One, HTC Desire 510, Lenovo K3 Note, Xiaomi Mi 4i, and Samsung Galaxy (S4, S5, and S6) devices. Researchers estimate that millions of Android users might be vulnerable. The research team says the Drammer attack has far more wide-reaching implications than just Android, being able to exploit any device running on ARM chips. In the past, researchers have tested the Rowhammer attack against DDR3 and DDR4 memory cards, weaponized it via JavaScript, taken over PCs via Microsoft Edge, and hijacked Linux virtual machines. There's an app to test if your phone is vulnerable to this attack. "Rowhammer is an unintended side effect in dynamic random-access memory (DRAM) that causes memory cells to leak their charges and interact electrically between themselves, possibly altering the contents of nearby memory rows that were not addressed in the original memory access," according to Wikipedia. "This circumvention of the isolation between DRAM memory cells results from the high cell density in modern DRAM, and can be triggered by specially crafted memory access patterns that rapidly activate the same memory rows numerous times."

  • I don't understand (Score:5, Interesting)

    by TheRaven64 ( 641858 ) on Tuesday October 25, 2016 @06:09AM (#53144839) Journal
    One of the simplest existing known attacks involves creating an 8MB TypedArray object in JavaScript. This gives you a contiguous virtual address range, which allows you to generate 9 addresses that will be aliased to the same cache line, and therefore 9 sequential writes will trigger an eviction and a write back to RAM. What made this attack now work on mobile devices?
    • They made an app that did it.
    • by Gravis Zero ( 934156 ) on Tuesday October 25, 2016 @10:22AM (#53145969)

      One of the simplest existing known attacks involves [...]. What made this attack now work on mobile devices?

      Surprise, they didn't do it that way!

      It was previously "speculated that Rowhammer on ARM could be impossible, one of the main reasons being that the ARM memory controller might be too slow to trigger the Rowhammer bug" which is true in most cases like the one you listed. However, one thing they figured out is that they could use "DMA buffers bypass the CPU and its caches" using Android's DMA Buffer Management API.

      They did several other things, like figure out how to determine the size of the DRAM rows (not uniform on ARM) and create a deterministic way to force security-sensitive data into vulnerable rows in a deterministic fashion.

      You can read the paper that describes it here: https://vvdveen.com/publications/drammer.pdf [vvdveen.com]

      TL;DR: They are smart and if your Android phone isn't getting the latest patches then you are vulnerable to total pwn4g3 from anything in the Google Play Store until Google figures out how to scan for apps that will perform this attack.

      • TL;DR: They are smart and if your Android phone isn't getting the latest patches then you are vulnerable to total pwn4g3 from anything in the Google Play Store until Google figures out how to scan for apps that will perform this attack.

        I thought I'd add a potentially interesting anecdote to this. The app is not available on the US Google Play Store, as the github readme said may be the case. I downloaded the app directly to my Motorola Droid 2 Turbo (last OS update July 1st, 2016) and installed it. I was surprised to see a warning message pop up "Installation blocked. This app contains code that attempts to bypass Android's security protections." Something in my phone is detecting the potentially malicious code, and I don't think i

    • What I don't understand is if this attack is able to root so many different Android systems, why is it still so hard for the device's owner who wants to root his device to actually root it?
      • by Altrag ( 195300 )

        It's not that hard. A quick Google will find you dozens of pages and YouTube videos showing you how to do it.

        The hard part is trusting any of those rooting programs to not be malware themselves. Any time you're doing something that's against the rules (even if not actually illegal), you'll find a boatload of shady people offering questionable solutions, since most "legitimate" sources tend to avoid breaking the rules.

  • Bug or feature? (Score:2, Interesting)

    by sciengin ( 4278027 )

    Of course this is a terrible bug for most.
    On the other hand it would be awesome if one could incorporate this attack into an app that roots the device without needing to connect it to a PC first.

    • by peragrin ( 659227 ) on Tuesday October 25, 2016 @06:58AM (#53144961)

      don't worry, they are working on a JavaScript version.

      That way they can root your device on the web and load the advertising directly to all of your contacts.

      oh wait, that's called Facebook.

      • Re:Bug or feature? (Score:5, Informative)

        by TheRaven64 ( 641858 ) on Tuesday October 25, 2016 @07:17AM (#53145039) Journal
        Rowhammer has been usable from JavaScript for ages. As I said above (in the post currently at 0 overrated), one of the published ways of exploiting it is to use TypedArray objects to get a large chunk of contiguous memory, which then gives you a load of addresses in the same cache associativity set. You then hammer those addresses, which forces repeated cache evictions and eventually flips some adjacent bits. You can then use this to escape from the JavaScript sandbox. I don't know why this attack wouldn't work on mobile devices, so I don't really see what's new here.
        • What's new is that this exploit uses a hardware vulnerability [arstechnica.com], not a software vulnerability. While Ars is lacking specific details, the article reads as though it's a vulnerability in a common type of memory chip (or controller thereof) and doesn't depend on a specific version of Android or Dalvik. That sounds different to me, but I'm no expert.
          • Uh, no. All RowHammer attacks use a hardware vulnerability. That's the definition. The JavaScript attack allows you to exploit this vulnerability from a bug-free JavaScript VM, with the only requirement being that it implements TypedArray objects as contiguous (virtual) memory arrays (which is the obvious way of implementing them, and it would be difficult to implement them usefully any other way if you want to use them with WebGL). The only variation is which bits you choose to try to flip with the Row
        • Rowhammer has been usable from JavaScript for ages. [...] I don't know why this attack wouldn't work on mobile devices

          Your JavaScript attack works on x86 systems but not on ARM systems because of how, and how fast, the memory is accessed. ARM memory controllers just aren't fast enough to trigger the DRAM bug.

          I don't really see what's new here.

          you should consider reading the research paper [vvdveen.com] before spouting ignorant and misleading comments. :)

    • by johanw ( 1001493 )

      Try Kingroot for that. Then, run a script to replace Kingroot with SuperSU. For most phones this is the easiest root method.

  • Your Android device is ROOTED :-(
    • by Anonymous Coward

      You think you're being all clever here, but the risk isn't that your phone ends up rooted and you get to enjoy the spoils. The risk is that malicious software roots your phone without your knowledge and they enjoy the spoils.

      • by TheCarp ( 96830 )

        While you are correct, I must confess.... MY first reaction to this was "Oh good, you mean I can root my phone that I bought with my money now"

        As much as I hate the implications of this.... and I do.... I also hate that I own a device that is functionally crippled and unable to run many of the apps I would like to run.

        Funny ecosystem we have eh?

        • Amen. Got a Cat S50 I can't root for the life of me. I need root to remotely help my grandfather who accidentally presses buttons all the time. I got him a great water proof drop proof old age proof phone, but the gas and mileage of physically driving 100 miles to press a stupid button is getting on my nerves!

          Yo Grark
      • by johanw ( 1001493 )

        My phone is already rooted; if another process installs a new su binary, SuperSU will notice and complain about it.

  • A bunch of pasty-faced sad sack nerds sitting in a basement want to sound cool and tough, like they've just done a tour in 'Nam. So they don't say "enabled" by JavaScript, no no no, it's "weaponised" with "attack vectors" instead of flaws or holes. It's just so lame and wannabe.

  • by Anonymous Coward on Tuesday October 25, 2016 @06:48AM (#53144933)

    Lucky I upgra

  • Does anybody know if this affects Amazon Kindle devices since they are an Android Fork?
  • by sxpert ( 139117 ) on Tuesday October 25, 2016 @08:01AM (#53145197)

    time to implement ECC everywhere, period!
    it's not like RAM is expensive anymore

    • by fintux ( 798480 )
      ECC requires more power (more data to store + data integrity checks to be done), and might also have a bit bigger footprint. I don't know how much more exactly, nor how big a portion of the power usage comes from RAM, but in any case, cost isn't the only drawback.
      • by sxpert ( 139117 )

        the core to do ECC in the memory controller bits of the processor is really small... and doesn't consume much anymore compared to the billions of transistors required for ever bigger cache and logic in those processors... the issue is rather moot
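The ECC mitigation argued over in this sub-thread, as an added illustration that is not part of any commenter's post or of the Drammer research: a toy SECDED (single-error-correcting, double-error-detecting) Hamming code laid out like a 72-bit ECC word (64 data bits, 7 check bits, 1 overall parity bit), the scheme ECC DRAM modules use. It shows why ECC memory blunts a single bit flip in a word but can only flag, not repair, two flips in the same word. The function names, the bit layout and the sample word are this example's own assumptions.

```python
"""Toy SECDED Hamming code (added illustration, not code from the page).

Bit positions are 1-based with check bits at powers of two; index 0 holds
the overall parity bit that turns single-error correction into SECDED.
"""


def word_to_bits(word, width=64):
    """Little-endian list of 0/1 for an integer of the given width."""
    return [(word >> i) & 1 for i in range(width)]


def bits_to_word(bits):
    return sum(b << i for i, b in enumerate(bits))


def encode(data_bits):
    """Return the codeword as a list of ints (index 0 = overall parity)."""
    m = len(data_bits)
    r = 0
    while (1 << r) < m + r + 1:  # smallest r with 2^r >= m + r + 1
        r += 1
    n = m + r
    code = [0] * (n + 1)
    data = iter(data_bits)
    for pos in range(1, n + 1):
        if pos & (pos - 1):  # not a power of two: a data position
            code[pos] = next(data)
    for i in range(r):
        p = 1 << i
        # check bit p covers every position whose binary index has bit i set
        code[p] = sum(code[pos] for pos in range(1, n + 1) if pos & p) % 2
    code[0] = sum(code[1:]) % 2  # overall parity over all other bits
    return code


def decode(code):
    """Return (data_bits, status); data_bits is None when uncorrectable."""
    n = len(code) - 1
    syndrome = 0
    for pos in range(1, n + 1):
        if code[pos]:
            syndrome ^= pos  # XOR of the set positions names the flipped bit
    overall_odd = sum(code) % 2 == 1
    if syndrome == 0 and not overall_odd:
        status = "ok"
    elif overall_odd and syndrome <= n:
        code = code[:]
        code[syndrome] ^= 1  # syndrome 0 here means the overall parity bit itself
        status = "corrected"
    else:
        # even overall parity with a non-zero syndrome: two flips in one word,
        # detectable but not correctable (a real controller raises an error)
        return None, "uncorrectable"
    data = [code[pos] for pos in range(1, n + 1) if pos & (pos - 1)]
    return data, status


def protect_and_recover(word, flip_positions=(), width=64):
    """Encode a word, flip the given codeword bit indices, then decode."""
    code = encode(word_to_bits(word, width))
    for pos in flip_positions:
        code[pos] ^= 1  # simulate a DRAM bit flip at this codeword position
    data, status = decode(code)
    return (bits_to_word(data) if data is not None else None), status


if __name__ == "__main__":
    WORD = 0x0123456789ABCDEF  # constructed sample value
    for flips in ((), (17,), (0,), (17, 40)):
        print(flips, protect_and_recover(WORD, flips))
```

Running the block prints the recovered word with status `ok` for no flips, `corrected` for one flip (including a flip of the overall parity bit itself), and `None` with `uncorrectable` for two flips in the same 72-bit word; that last case is the one ECC hardware reports rather than silently fixes, which is why detection of uncorrectable-error events is as much a part of the mitigation as the correction.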

  • Can't wait until it's up on XDA Developers for the S5 from AT&T, which so far hasn't been able to be rooted, and is the phone my work gave me. Sure it's a free phone and it's a work phone... But I wanna put a different ROM on it, dammit.

    • Sorry, those bootloaders are cryptographically signed with keys in either Verizon's or AT&T's possession. These keys preclude the installation of any custom ROMs. Short of an AT&T dev being careless with the crypto-keys, it's not going to happen. In my experience, Samsung phones are pretty beefy. They have to be to run the TouchWiz OS layer on top of Android OS.

      If you have an older Samsung phone - for instance the Galaxy S3 - and you have the ability to install a Custom ROM (Cyanogen, Slim, Oxy
  • No problem with my Asus Zenfone2 with an Intel chip! (I hope)
  • This is just another reason why we need to migrate away from DRAM. It's simply, at a fundamental level, too easy to exploit this way. We need to move to non-volatile memory, which is more power efficient anyway. Hopefully within a few more years the tech will be there.... I'm most excited about the carbon nanotubes, myself.
  • This weekend I used Win10; every time I wanted to view a PDF, Edge wanted to be the PDF viewer yet has no usable options for that function.

    I was using the computer just to view PDFs. I had to select Open With, select Foxit (which came pre-installed) and 5+ requestors to make it the default PDF viewer, this every time I opened a PDF.

    It's an obtrusive sob that I'm sure threw itself into the hack.

  • Shouldn't they have called it DRAMP?

  • So I have to jump through hoops to try to root my S6 and end up giving up and restoring a backup... but this thing can drive by root it? wtf
  • Researchers said they don't plan to release the exploit code that weaponizes the Rowhammer attack in order to root Android devices.

    Gee, thanks.

    There are lots of people who are stuck on unrootable devices and could really use this.

  • Apparently Intel patented their fix on Oct 31, 2013... the exact same day that Nexus 5 shipped in the US:

    https://www.google.com/patents... [google.com]

    Glad to see the industry came together to protect consumers!
