Elegant Physics (and Some Down and Dirty Linux Tricks) Threaten Android Phones

Posted on Nov 28, 2016 in IT News


Even the biggest Luddite knows to download updates for his apps and phone. That ensures that the software isn’t vulnerable to easily avoided attacks. Research into a different type of vulnerability, though, has recently shown that manipulating the physical properties of hardware can pose a different digital threat—one that can’t be patched with software alone. Now, researchers in Amsterdam have demonstrated how this type of hack can allow them, and potentially anyone, to take control of Android phones.

The vulnerability, identified by researchers in the VUSec Lab at Vrije Universiteit Amsterdam, targets a phone’s dynamic random access memory using an attack called Rowhammer. Although the attack is well-known within the cybersecurity community, this is the first time anyone’s used it on a mobile device. It’s troubling because the so-called DRAMMER attack potentially places all data on an Android phone at risk.

“The attacks that we are publishing now show that we need to think differently about how we protect software,” says Victor van der Veen, one of the researchers involved in the work. “A thing like Rowhammer shows that at any given time a trap can come up that nobody ever thought of.”

The group disclosed its findings to Google three months ago, and the company says it has a patch coming in its next security bulletin that will make the attack much harder to execute. But you can’t replace the memory chip in Android phones that have already been sold, and even some of the software features DRAMMER exploits are so fundamental to any operating system that they are difficult to remove or alter without impacting the user experience.

In other words, this isn’t easy to fix in the next generation of phones much less existing ones.

The Dutch research group had worked on Rowhammer attacks before, and shown they could target data stored in the cloud, and other computer scientists have worked in this area as well. But no one had tried attacking a phone. “When we started doing this, people openly had questioned whether Rowhammer would even be possible on mobile chips because they have a different architecture,” says researcher Cristiano Giuffrida.

The attack involves executing a program that repeatedly accesses the same “row” of transistors on a memory chip in a process called “hammering.” This can eventually lead that row to leak electricity into the next row, causing a bit, which only has two possible positions, to “flip.” Since bits encode data, this small change alters that data, however slightly, creating a foothold for gaining more and more control over the device. But it must be just the right foothold, and that’s why building on the group’s previous precision Rowhammer research was so crucial.

In the new Android attack, the first step was seeing whether it was even possible to flip bits on mobile phones. The researchers started by attempting Rowhammer attacks on Android phones they had root access to, and quickly observed flipped bits on test devices like the Nexus 5. Some memory chips are more resilient than others, and variables like age and temperature impact how easy it is to flip bits. Ultimately, though, flipped bits showed up in 18 of the 27 handsets they tested. The proof of concept led them to try flipping bits on phones they did not have root access to, and here, too, they succeeded.

As the group envisioned it, the DRAMMER attack would start with a victim downloading a seemingly innocuous app laced with malware to execute the hack. The researchers decided that their app would not request any special permissions—to avoid raising suspicion—and therefore would have the lowest privilege status possible for an app. This made accessing the dynamic random access memory (DRAM) difficult, but the researchers found an Android mechanism called the ION memory allocator that gives every app direct access to the DRAM. The ION memory allocator also had the added benefit of allowing the group to identify contiguous rows on the DRAM, an important factor for generating targeted bit flips. “This is as reliable and deterministic as it gets,” Giuffrida says.

Once the researchers knew they could flip a bit, they had to figure out how to use that to achieve root access—giving them full control of the handset and the ability to do everything from accessing data to taking pictures. The technique, which they call “memory massaging,” uses the resources all Android apps are given to reorganize what’s in memory in inconspicuous ways that won’t alert the system to tampering. The researchers essentially filled up portions of the memory with data, being careful not to do it in a way that would potentially cause the app to be “killed” by the resource manager. The goal was to occupy enough memory that the allocator would become predictable and be forced to place new allocations in a position the researchers had chosen.

Once they had cornered the allocator such that they could control where it would place the next thing that came along, they could present some data from the app knowing that the allocator would put it on a portion of the memory where they could definitely hammer and produce bit flips. From the app they would only be able to generate data allowed by the lowest permission status, but once lined up perfectly on a vulnerable region, the researchers could flip a crucial bit to give the data more privileged characteristics. At that point they could start manipulating their data to move up the hierarchies of the operating system and take over the phone. It’s a clever moment in the hack, but also a deeply troubling one as everything comes together to escalate one tiny altered bit into widespread control of a device.

Once someone downloads the malicious app, DRAMMER can take over a phone within minutes—or even seconds—and runs without any indication. The victim can interact with the sham app, switch to other apps, and even put the phone in “sleep” mode, and the attack continues running. If you’re feeling nervous, the researchers built a second app that you can use to check whether your Android phone’s memory chip is susceptible to bit flips (and they promise they won’t take over your phone in the process).

This research looks at Android rather than iOS because Google’s operating system is based on Linux, which the researchers are intimately familiar with. But they say it would, in theory, be possible to replicate the attack in an iPhone with additional research. “What DRAMMER shows is that this attack is concerning for widespread commodity platforms,” Giuffrida says. “The design is very general and applies not just on mobile platforms but perhaps even in the cloud, even in the browser on desktop computers. So the impact of this attack is much broader than just mobile phones.”

Still, an exploit that can target the majority of the world’s Android phones seems mighty broad.