Rowhammer: Researchers claim attack on Android using memory security weakness
Hardware-based attack requires no software vulnerability or user permission
Security researchers will this week demonstrate a new class of hardware-based attacks that, they claim, could enable hackers to acquire root access to Android devices without exploiting any software flaws or requiring user permission.
"The root of the problem is that many memory chips have a hardware vulnerability, known as Rowhammer," Herbert Bos, professor of systems security at Vrije Universiteit Amsterdam in the Netherlands, told Computing.
He continued: "It allows attackers to change the content of memory that they should never be able to access. The effect is pure physics, but exploitable from software."
Since the Rowhammer attack was first publicised, attacks against Android devices have produced inconsistent results: attacks succeeded on 12 of 15 different Google Nexus 5 devices tested, for example, but on only one of two Samsung Galaxy S5 devices.
Bos's team has also conducted attacks against a variety of other devices, including the Samsung Galaxy S4 and S6, the LG G4 and two different models of Moto G devices, with similarly inconsistent results.
But the team of security researchers led by Bos believe they have now devised an exploit, which they have dubbed 'Drammer', capable of rooting Android devices using a "completely unprivileged app" without the aid of any software bugs.
Drammer is short for 'deterministic Rowhammer'. "Drammer is the first to show that such deterministic Rowhammer exploitation is possible without relying on fancy memory management features," Bos wrote in an online explanation of the group's research.
He added: "The new attack technique goes beyond Android and proves that such hardware attacks are feasible in general, and very reliably, on commodity platforms without relying on special software features. It allows attackers to take control over your mobile device by hiding it in a malicious app that requires no permissions."
Bos claims that Drammer is the first Android root exploit that doesn't require a software vulnerability - or user stupidity - to be exploited in order to be effective.
It follows on from earlier Rowhammer-based attacks by the same university against Microsoft Edge running on an x86 microprocessor, and even against cloud providers.
Bos and his team at Vrije Universiteit Amsterdam will give a practical demonstration of the exploit they have developed at a security conference in Vienna, Austria.
"We will show that we can get administrator privileges from a completely unprivileged app without relying on any software bug. Google scrambled to try and fix the problem, but they cannot really do it as the problem is in hardware," Bos told Computing.
The group has also developed a Rowhammer simulator, called Hammertime, which is available on GitHub.
In an earlier paper, the researchers had speculated about whether an attack on ARM-based microprocessors would work at all, because the 'bit flips' required might be too slow to induce through an ARM-based memory controller.