Rowhammer Attack Can Now Root Android Devices

An anonymous reader writes from a report via Softpedia: Researchers have discovered a method to use the Rowhammer RAM attack for rooting Android devices. For their research paper, called Drammer: Deterministic Rowhammer Attacks on Mobile Platforms, researchers tested and found multiple smartphone models to be vulnerable to their attack. The list includes LG Nexus (4, 5, 5X), LG G4, Motorola Moto G (2013 and 2014), One Plus One, HTC Desire 510, Lenovo K3 Note, Xiaomi Mi 4i, and Samsung Galaxy (S4, S5, and S6) devices. Researchers estimate that millions of Android users might be vulnerable. The research team says the Drammer attack has far more wide-reaching implications than just Android, being able to exploit any device running on ARM chips. In the past, researchers have tested the Rowhammer attack against DDR3 and DDR4 memory cards, weaponized it via JavaScript, took over PCs via Microsoft Edge, and hijacked Linux virtual machines. There's an app to test if your phone is vulnerable to this attack. "Rowhammer is an unintended side effect in dynamic random-access memory (DRAM) that causes memory cells to leak their charges and interact electrically between themselves, possibly altering the contents of nearby memory rows that were not addressed in the original memory access," according to Wikipedia. "This circumvention of the isolation between DRAM memory cells results from the high cell density in modern DRAM, and can be triggered by specially crafted memory access patterns that rapidly activate the same memory rows numerous times."

Re:

[Daetrin]

If the AI's are created in any kind of evolutionary manner, then almost certainly yes. It's happened with hardware design before. [damninteresting.com]

Incentive for RAM-makers

[davidwr]

but RAM makers have no incentive to fix it

Actually, they do. They can market lower-density, more-expensive-to-manufacture RAM which has spacing or other "rowhammer-protecting design elements" between rows for use in "high- but-not-quite-military-grade-security" applications.

For example, if off-the-shelf equipment would have been approved for a high-security application but for the vulnerability to rowhammer and similar attacks then the product vendor can substitute the more expensive, lower-density, more-secure RAM and sell his product to the cust

I don't understand

[TheRaven64]

One of the simplest existing known attacks involves creating an 8MB TypedArray object in JavaScript. This gives you a contiguous virtual address range, which allows you to generate 9 addresses that will be aliased to the same cache line and therefore where 9 sequential writes will trigger an eviction and a write back to RAM. What made this attack now work on mobile devices?

Re:

[110010001000]

They made an app that did it.

Re:I don't understand

[Gravis Zero]

One of the simplest existing known attacks involves [...]. What made this attack now work on mobile devices?

Surprise, they didn't do it that way!

It was previously "speculated that Rowhammer on ARM could be impossible, one of the main reasons being that the ARM memory controller might be too slow to trigger the Rowhammer bug" which is true in most cases like the one you listed. However, one thing they figured out is that they could use "DMA buffers bypass the CPU and its caches" using Android's DMA Buffer Management API.

They did several other things like figure out how to determine the size of the DRAM rows (not uniform on ARM) and create a deterministic way force security-sensitive data int vulnerable rows in a deterministic fashion.

You can read the paper that describes it here: https://vvdveen.com/publications/drammer.pdf [vvdveen.com]

TL;DR: They are smart and if your Android phone isn't getting the latest patches then you are vulnerable to total pwn4g3 from anything in the Google Play Store until Google figures out how to scan for apps that will perform this attack.

Re:

[blivit42]

TL;DR: They are smart and if your Android phone isn't getting the latest patches then you are vulnerable to total pwn4g3 from anything in the Google Play Store until Google figures out how to scan for apps that will perform this attack.

I thought I'd add a potentially interesting anecdote to this. The app is not available on the US Google Play Store, as the github readme said may be the case. I downloaded the app directly to my Motorola Droid 2 Turbo (last OS update July 1st, 2016) and installed it. I was surprised to see a warning message pop up "Installation blocked. This app contains code that attempts to bypass Android's security protections." Something in my phone is detecting the potentially malicious code, and I don't think i

Re:

[frovingslosh]

What I don't understand is if this attack is able to root so many different Android systems, why is it still so hard for the device's owner who wants to root his device to actually root it?

Re:

[Altrag]

Its not that hard. A quick Google will find you dozens of pages and Youtube videos showing you how to do it.

The hard part is trusting any of those rooting programs to not be malware themselves. Any time you're doing something that's against the rules (even if not actually illegal,) you'll find a boatload of shady people offering questionable solutions since most "legitimate" sources tend to avoid breaking the rules.

Bug of feature?

[sciengin]

Of course this is a terrible bug for most.
On the other hand it would be awesome if one could incorporate this attack into an app that roots the device without needing to connect it to a PC first.

Re:Bug of feature?

[peragrin]

don't worry they are working on a java script version.

That way they can root your device on the web and load the advertising directly to all of your contacts.

oh wait that's called facebook.

Re:Bug of feature?

[TheRaven64]

Rowhammer has been usable from JavaScript for ages. As I said above (in the post currently at 0 overrated), one of the published ways of exploiting it is to use TypedArray objects to get a large chunk of contiguous memory, which then gives you a load of addresses in the same cache associativity set. You then hammer those addresses, which forces repeated cache evictions and eventually flips some adjacent bits. You can then use this to escape from the JavaScript sandbox. I don't know why this attack wouldn't work on mobile devices, so I don't really see what's new here.

Re:

[ausekilis]

What's new is this is an exploit uses a hardware vulnerability [arstechnica.com], not a software vulnerability. While Ars is lacking specific details, the article reads as though it's a vulnerability in a common type of memory chip (or controller thereof) and doesn't depend on a specific version of Android or Dalvik. That sounds different to me, but I'm no expert.

Re:

[TheRaven64]

Uh, no. All RowHammer attacks use a hardware vulnerability. That's the definition. The JavaScript attack allows you to exploit this vulnerability from a bug-free JavaScript VM, with the only requirement being that it implements TypedArray objects as contiguous (virtual) memory arrays (which is the obvious way of implementing them, and it would be difficult to implement them usefully any other way if you want to use them with WebGL). The only variation is which bits you choose to try to flip with the Row

Re:

[ausekilis]

I learned something today. Time to ask the boss if I can go home ;-).

Re:

[Gravis Zero]

Rowhammer has been usable from JavaScript for ages. [...] I don't know why this attack wouldn't work on mobile devices

Your javascript attack works on x86 systems but not on ARM systems because of how and how fast the memory is accessed. ARM memory controllers just aren't fast enough to trigger the DRAM bug.

I don't really see what's new here.

you should consider reading the research paper [vvdveen.com] before spouting ignorant and misleading comments. :)

Re:

[johanw]

Try Kingroot for that. Then, run a script to replace Kingroot with SuperSU, For most phones this is the easiest root method.

Bugger!

[warewolfsmith]

You Android device is ROOTED :-(

Re:

[Anonymous Coward]

You think you're being all clever here, but the risk isn't that your phone ends up rooted and you get to enjoy the spoils. The risk is that malicious software roots your phone without your knowledge and they enjoy the spoils.

Re:

[TheCarp]

While you are correct, I must confess.... MY first reaction to this was "Oh good, you mean I can root my phone that I bought with my money now"

As much as I hate the implications of this.... and I do.... I also hate that I own a device that is functionally crippled and unable to run many of the apps I would like to run.

Funny ecosystem we have eh?

Re:

[Yo Grark]

Amen. Got a Cat S50 I can't root for the life of me. I need root to remotely help my grandfather who accidentally presses buttons all the time. I got him a great water proof drop proof old age proof phone, but the gas and mileage of physically driving 100 miles to press a stupid button is getting on my nerves!

Yo Grark

Re:

[johanw]

My phone is already rooted, is another process installs a new su binary SuperSU will notice and complain about it.

Oh dear, more military terminology

[Viol8]

A bunch of pasty faced sad sack nerds sitting in a basement want to sound cool and tough, like they've just done a tour in 'Nam. So they don't say "enabled" by javascript, no no no, its "weaponised" with "attack vectors" instead of flaws or holes. Its just so lame and wannabe.

Re:

[Anonymous Coward]

Sounds more like marketing speak than anything someone in a basement would find compelling.

Re:

[Maritz]

He's right though. The languge they use to try to make this stuff sound cool is actually just really cringeworthy.

Re:

[Viol8]

Because its nothing like real war "dude".

Re:

[110010001000]

Also the term "researchers" is dubious. What a waste of time this junk is.

Re:

[110010001000]

Waaaah, you mad bro? Sorry I got you so upset.

Re: Oh dear, more military terminology

[DNS-and-BIND]

We don't say "'Nam" any more, Grandpa. Moreover it's the marketroids that come up with these names, not the techies. And seriously, nerd-shaming, on Slashdot? Turn in your geek card, it's revoked by unanimous popular consent.

Re:

[RavenLrD20k]

They provided the direct link to the apk file. Scroll down in the README.md displayed on the github link to the heading "Android GUI app" found here [github.com]. The first line of the paragraph has the phrase "Android app" as a link to the drammer.apk file. You can use this to sideload onto your device and perform the check. They also tried to provide a link to the Google Play page for the app in that section of the doc, however it looks like Google disabled it as against the TOS (link now goes to a 404 page).

All t

Phew, my Galaxy Note 7 is safe!

[Anonymous Coward]

Lucky I upgra

Re:

[mlw4428]

He's just joking. Not every Galaxy Note 7 is having these issues, in fact I just plugged mine in and as you can see it hasn't exp

Does this affect Kindle (FireOS) as well?

[Danathar]

Does anybody know if this affects Amazon Kindle devices since they are an Android Fork?

hardware fix

[sxpert]

time to implement ECC everywhere, period !
it's not like ram is expensive anymore

Re:

[sxpert]

good news !
hope these are not locked to winblows 10

Re:

[fintux]

ECC requires more power (more data to store + data integrity checks to be done), and might also have a bit bigger footprint. I don't know how much more exactly, nor how big portion of the power usage comes from RAM, but in any case, cost isn't the only drawback.

Re:

[sxpert]

the core to do ECC in the memory controller bits of the processor is really small... and doesn't consume much anymore compared to the billions of transistors required for ever bigger cache and logic in those processors... the issue is rather moot

Re:

[Agripa]

Redesigning the memory controller or DRAM is enough to solve the problem; force out of order refreshes on rows adjacent to continuously accessed rows. This is now called Target Row Refresh.

Awesome

[steveo777]

Can't wait until it's up on XDA Developers for the S5 from AT&T, which so far hasn't been able to be rooted, and is the phone my work gave me. Sure it's a free phone and it's a work phone... But I wanna put a different ROM on it, dammit.

Re:

[PincushionMan]

Sorry, those bootloaders are cryptographically signed with keys in either Verizon's or AT&T's possession. These keys preclude the installation of any custom ROMs. Short of an AT&T dev being careless with the crypto-keys, it's not going to happen. In my experience, Samsung phones are pretty beefy. They have to be to run the TouchWiz OS layer on top of Android OS.

If you have an older Samsung phone - for instance the Galaxy S3 - and you have the ability to install a Custom ROM (Cyanogen, Slim, Oxy

Intel SoC

[Frederic54]

No problem with my Asus Zenfone2 with an Intel chip! (I hope)

Well...

[John Smith]

This is just another reason why we need to migrate away from DRAM. It's simply at a fundamental level too easy to exploit this way. We need to move to non-volitile memory, which is more power efficient anyway. Hopefully within a few more years the tech will be there.... I'm most excited about the carbon nanotubes, myself.

Re:

[wildstoo]

They are crackers not researchers damn!

What has their skin colour got to do with it?

Also, the correct term is "economically-disadvantaged caucasians".

Re:Researchers?

[Gravis Zero]

Can we stop calling these fucktards researchers already? They are crackers not researchers damn!

Yeah, I mean, researchers explain their methodology and publish papers about it! These are just the dumbest criminal hackers that put their names on some paper they published! [vvdveen.com] Can't wait until they go to jail for their criminal deeds which they are obviously waiting do in the future! -_-

Takes over Microsoft Edge, like I'm suprised

[Trax3001BBS]

This weekend I used Win10, everytime I wanted to view a PDF; Edge wanted to be the PDF viewer yet has no usable options for that function.

I was using the computer just to view PDF's, I had to select Open With: select Foxit (which came pre-installed) and 5+ requestor to make it the default PDF viewer, this everytime I opened a PDF.

It's an obtrusive sob that I'm sure threw itself into the hack.

Shouldn't they have called it DRAMP?

[tlambert]

Shouldn't they have called it DRAMP?

I can't even root this phone

[Rob MacDonald]

So I have to jump through hoops to try to root my S6 and end up giving up and restoring a backup... but this thing can drive by root it? wtf

Re:

[fintux]

I hope you're just being sarcastic, but in case you're not, ...

- This is a hardware issue, not a programming language problem
- Rust helps to prevent programming bugs with memory, like dangling/null pointers, buffer overflows etc. But it has control over the memory layout, which is a crucial requirement in implementing a row hammer attack, so a row hammer attack with Rust would likely be very suitable for implementing such an attack
- Even if there was a programming language that prevented this by doing s

Re:

[OrangeTide]

Theoretically you could relocate memory periodically in a system like Rust (or Java). This could be done so that the high level doesn't realize it has happened. It might have a fairly heavy performance cost, depending on how frequently the relocations are done and how you detect when you should do them. (scoreboard vs static analysis)

I could write a very simple language/environment where rowhammer is essentially impossible. But it would be very slow. Obvious example is that every address is looked up on a h

From TFA

[Jiro]

Researchers said they don't plan to release the exploit code that weaponizes the Rowhammer attack in order to root Android devices.

Gee, thanks.

There are lots of people who are stuck on unrootable devices and could really use this.

Re:

[slashdice]

LOL, "I asked some crack heads to house sit for me while I'm out of town for a few weeks. I figure if there was a problem they would stop smoking crack and tell me."

Intel patented their fix

[gonz]

Apparently Intel patented their fix on Oct 31, 2013... the exact same day that Nexus 5 shipped in the US:

https://www.google.com/patents... [google.com]

Glad to see the industry came together to protect consumers!