back to article App proves Rowhammer can be exploited to root Android phones – and there's little Google can do to fully kill it

Security researchers have demonstrated how to gain root privileges from a normal Android app without relying on any software bug. The unprivileged application is able to gain full administrative permissions by exploiting the Rowhammer vulnerability present in modern RAM chips. Essentially, malicious code can change the content …

  1. Ken Hagan Gold badge

    If there is a correlation between the physical address that you hammer and the physical address that is affected, then it is certainly possible to imagine a change to the OS's memory manager that avoids placing kernel pages "alongside" user pages. It might be costly, but it could be done.

    But, yeah, even if Google rolls something out, most Android users will never see it because vendors will present it as "one more reason to buy a new phone".

    1. bazza Silver badge

      There's no need to imagine it. Paper written, app published. It's real. Eeek.

      The interesting thing will be to see if any of the memory manufacturers care. The warning signs have been there now for 2 years, not a lot has been done to prevent it I suspect.

      We'll all care if someone manages to construct a piece of mega-malware that makes the attackers a ton of cash at our expense (a dialler, or who knows what sort of attacks are possible against Google Pay).

      1. Mage Silver badge
        Coffee/keyboard

        Reliability

        This suggests that even without malware, there is design flaw, such that data or program in RAM, of the users apps OR the OS can be inadvertently corrupted.

        Even if it didn't lead to an exploit, this RAM flaw needs to be fixed!

        1. Solmyr ibn Wali Barad

          Re: Reliability

          "this RAM flaw needs to be fixed!"

          It was fixed two decades ago. With ECC.

          Then economics kicked in, meaning that we have to settle for non-parity memory in consumer devices.

          1. Danny 14 Silver badge

            Re: Reliability

            ECC is not totally immune to ECC. At best 2 bit errors will halt the system (DoS your server). Some ECC is more susceptible https://www.youtube.com/watch?v=LT54Jq_0kJk#t=26m25s

            1. Solmyr ibn Wali Barad

              Re: Reliability

              Yes, thanks for reminding that. ECC memory definitely opens up a possibility for DoS attacks.

          2. frobnicate

            ECC is entirely irrelevant in this case

            because with Bithammer one can flip correction bits as well. This all has been tried already.

    2. Anonymous Coward
      Anonymous Coward

      There is no software defense possible

      The presence of lack of updates won't matter.

    3. Planty Bronze badge
      Stop

      Errm that is where you are wrong. You can't accidentally install this and accidentally root your device, all Android devices will already warn you about this app. Google have essentially already updated all devices.

      https://postimg.org/image/yhb04ss5t/

      1. Anonymous Coward
        Anonymous Coward

        What about other apps?

        Sure, Google knows about this app, but what if the author of Angry Birds put in something to do this in the background under certain circumstances? How is Google going to know?

        1. MiguelC Silver badge

          Re: What about other apps?

          Or Sony

          (I wonder why I thought of this particular company....)

        2. Anonymous Coward
          Anonymous Coward

          Re: What about other apps?

          I'm guessing by your comment, you have yet to run this app.

          It basically hammers the system, you wouldn't be able to hide this within another app, and what would be the point?

          1. Anonymous Coward
            Anonymous Coward

            Re: you wouldn't be able to hide this within another app

            Surely the author would just make it run when the screen was off and the phone wasn't actively being used?

          2. Rich 11 Silver badge

            Re: What about other apps?

            you wouldn't be able to hide this within another app

            How would the average person know this was an attack rather than a glitch in their game? What would be their response, anyway? Shake the phone and mutter, 'Bloody machine!', most likely.

          3. Anonymous Coward
            Anonymous Coward

            It only needs about 30-40 ms of hammering to exploit

            If it does that intermittently, you probably won't notice.

  2. Anonymous Coward
    Anonymous Coward

    Google told El Reg that it had worked out a software fix...

    designed to mitigate against attacks, which will become available to a minority of handsets that still receive fixes in November, the rest will continue be insecure pieces of crap. FTFY

  3. Bronek Kozicki

    In the long run ...

    ... Google could mandate ECC for Android phone memory. I wouldn't be first when "enterprise feature" leaked down to handsets...

    1. bazza Silver badge

      Re: In the long run ...

      There's no need for ECC. Just making memory chips with better operating margins would do it. Trouble is it's be slower, more power hungry, or both. We're only in this situation because memory designers have been shrinking design margins over the years in the quest to be a bit quicker, a bit more economic.

      1. Roo
        Windows

        Re: In the long run ...

        "There's no need for ECC"

        Parity should be for everyone, not just farmers IMO. :)

        1. bazza Silver badge

          Re: In the long run ...

          "Parity should be for everyone, not just farmers IMO. :)"

          G

          R

          O

          A

          N.

          1. Anonymous Coward
            Anonymous Coward

            ECC is not a defense

            Rowhammer can flip multiple bits, so while it would take longer, the attack is still possible. If the phone's OS monitored corrected ECC errors they could tell something is wrong and kill the app (if it can identify the source) or panic the phone (if not) but ECC won't prevent rowhammer.

            However, LPDDR4 supports an optional capability called target row refresh (TRR) that effectively eliminates the ability to exploit rowhammer. So no need to add ECC, just use LPDDR4 which newer phones have been doing anyway and make sure it supports TRR.

            1. Destroy All Monsters Silver badge

              Re: ECC is not a defense

              Interesting. But in any case, ECC is ALWAYS good to have, too.

            2. Anonymous Coward
              Anonymous Coward

              Re: ECC is not a defense

              You know TRR refresh victim rows (mitigate rowhammer issue)? Cheap phones with LPDDR3 dont have that (essentially 99% of all (low cost-)android devices).

              sorry for bad engurishu :p

            3. xanda

              Re: ECC is not a defense

              Presumably the code in any infected app would be identifiable by it's signature? Would that at least give us mere mortals a half-chance of keeping away from it?

              1. Danny 14 Silver badge

                Re: ECC is not a defense

                Faster refresh will mitigate.

            4. Solmyr ibn Wali Barad

              Re: ECC is not a defense

              "but ECC won't prevent rowhammer"

              Yes it does. Because you have no control over ECC checksum bits during the hammering. Neither for the word being written nor the targetted word.

              If you manage to hammer one bit (without ruining the checksum), then this bit gets quietly corrected on the next read or write. If you change multiple bits, then you cannot set a valid checksum for the new data word, and next R/W operation gives an uncorrectable ECC error - followed by a hard reboot.

              Therefore I seriously doubt that someone can demonstrate successful attacks against ECC memory that is implemented by the book and doesn't have any corners cut.

              1. Solmyr ibn Wali Barad

                Re: ECC is not a defense

                Addendum: hammering ECC memory does make a good DoS attack, because any multi-bit error forces the device into reboot.

                1. P. Lee

                  Re: ECC is not a defense

                  >Addendum: hammering ECC memory does make a good DoS attack, because any multi-bit error forces the device into reboot.

                  But better a reboot than compromise.

                  The DOS attack might be fun and all, but malware is for profit. Remove the profit and you're likely to see the problem mostly go away.

                  Unless the attack is against google by annoying its customers. Even then, without a compromise, you can just deinstall the application.

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: ECC is not a defense

                    "But better a reboot than compromise."

                    Not if the reboot ALLOWS the compromise, such as finding a way to sneak something into a boot sequence then forcing a reboot.

            5. bazza Silver badge

              Re: ECC is not a defense

              @DougS,

              However, LPDDR4 supports an optional capability called target row refresh (TRR) that effectively eliminates the ability to exploit rowhammer. So no need to add ECC, just use LPDDR4 which newer phones have been doing anyway and make sure it supports TRR.

              Interesting. Earlier I speculated that the memory industry hadn't done much to mitigate against rowhammer. Seems I wasn't entirely correct.

              This 'optional' feature, I wonder if it's an optional part of the LPDDR4 specification, or a compulsory part of the specification that CPUs can optionally exploit if they want to? Either way, 'optional' sounds like someone somewhere wants to make a fast buck and who cares what the consequences for customers end up being. Booo.

              Not for the first time I find myself wishing that the tech industry would take a leaf out of other industries' books. For example Rolls Royce, Pratt & Witney and General Electric are deadly serious competitors, yet they will (and have) drop everything to help out a competitor if they run into a serious safety issue. Reason? Everyone benefits from safer engines, and means a bigger market for everyone. The aviation industry is consequently very safe.

              [Apart from the mathematically very dubious decision to allow the EC225 Super Puma helicopter to continue flying with a suspect gearbox so long as it was thoroughly inspected after every flight. I say dubious, because whatever calculation was performed to arrive at 1 flight per inspection cannot reasonably have had zero error bars... It took another fatal crash to get it grounded]

              In contrast, too often in the tech sector one company's security fails are seen as another's marketing opportunity.

              TRR is optional? Great, thanks guys, thanks for not helping out. Whatever caused that to happen should be been resolved in the standard long before it was published, even if that meant company A giving company B money and assistance to bring that about.

  4. jake Silver badge

    "exploiting the Rowhammer vulnerability present in modern RAM chips"

    ITYM "exploiting the capability of inducing disturbance errors, present in every DRAM chip ever made". (yes, I know, there are hardware solutions to this problem, but those solutions are all external to the DRAM itself.)

    1. Destroy All Monsters Silver badge

      Re: "exploiting the Rowhammer vulnerability present in modern RAM chips"

      Yes jake you have been doing this since the 70s with the 64KBit mainframes, we know.

      1. jake Silver badge

        Re: "exploiting the Rowhammer vulnerability present in modern RAM chips"

        The mainframe in the lab was a PDP10, usually running TOPS10. It had core memory, not DRAM, and thus wasn't affected. Which should be obvious to anyone with half a clue about mainframes of the era.

        The system I used to help evaluate the "induced disturbance error" threat for DEC was a PDP11 with a pilot-build DRAM retrofit replacing the stock core. At the time, this setup ran either UNIX v6 or a BSD 1.0 rc, depending on the need of the moment. Why me? Wrong place at the wrong time, as usual ...

  5. Gene Cash Silver badge

    Doesn't work on my Nexus 6P

    At the default setting, it's unable to crack my phone. If I raise the setting, it crashes. And I'm still running Android 6.0.1.

    Looking at the ADB log, it seems the OS gets pissed about something and kills it, but I can't figure out why.

    1. bazza Silver badge

      Re: Doesn't work on my Nexus 6P

      I did wonder about trying it on my BlackBerry Z30, see if the Linux system call shim present in BB10 is good enough to run it, and have it succeed.

      Then I decided that a pint was a far more interesting prospect...

  6. Steve Davies 3 Silver badge

    I'm sure a lot or people would like to know

    Does this also affect Apple?

    If the fruity company's kit is vulnerable then their influence on the Ram makers might get a fix for everyone.

    1. Mage Silver badge

      Re: I'm sure a lot or people would like to know

      It should be independent of OS, and essentially barely fixable in existing phones. It's a design issue of the physical RAM implementation.

      I wonder what is the difference with the phones that are not affected?

    2. Anonymous Coward
      Anonymous Coward

      Re: I'm sure a lot or people would like to know

      The iPhone 6 and older are probably vulnerable, though iOS is more restrictive about how it allocates memory for apps so it would be more of a pain to develop an attack but I'm pretty sure it is still possible. The newer iPhones use LPDDR4 and implement TRR, and are safe.

      Hopefully Apple's app approval process would catch an app that tries to do this, but I have no idea.

      Getting "root" on an iPhone 6 or 5S doesn't give you access to everything though, since the secure enclave manages encryption keys. The secure enclave uses encrypted memory, which is not vulnerable to rowhammer (because the address lines are scrambled, there is no way to tell which rows are adjacent to attempt an attack)

  7. David Austin

    ASLR

    Wouldn't Address space layout randomization be a mitigating technique? If it relies on manipulating next door bits, would shuffling them up help? Or is it a case that this is so level, you can't move this stuff around without the phone and apps noticing?

    1. MondoMan

      Re: ASLR

      I think there was a recent report about defeating ASLR by looking at the addresses in the branch address cache and matching those with the known structure of the OS, thus figuring out the current OS layout in memory.

      1. Danny 14 Silver badge

        Re: ASLR

        VMs with dynamic memory allocation should also help as the hypervisor wont be mapping memory sequentially.

      2. Dinsdale247

        Re: ASLR

        ASLR is not worth the electrons it was written in:

        http://www.cs.ucr.edu/~nael/pubs/micro16.pdf

        Conversely, it doesn't help that this is The Linux Kernel Maintainer's attitude towards kernel level security:

        http://www.washingtonpost.com/sf/business/2015/11/05/net-of-insecurity-the-kernel-of-the-argument/

        Just sayin.

        1. bazza Silver badge

          Re: ASLR

          @Dinsdale247,

          "Conversely, it doesn't help that this is The Linux Kernel Maintainer's attitude towards kernel level security:"

          Whoa, hang on a moment. I'm not a fan of Linus, but he's got a point. If you go and misuse the Linux kernel (as a very large number of people do) that's your problem, not his. It's not his job to decide whether Linux is appropriate for your Web server, router, nuclear power station, etc. Linux is free of cost, you have no contract with him.

          If you want something 100% secure, whatever that means, look elsewhere. And good luck.

        2. Destroy All Monsters Silver badge

          Re: ASLR

          > http://www.washingtonpost.com/sf/business/

          Uh, oh.

          WaPo polticis is shit already, no look to deeper into the "paper of record" eructions.

      3. bazza Silver badge

        Re: ASLR

        I think there was a recent report about defeating ASLR by looking at the addresses in the branch address cache and matching those with the known structure of the OS, thus figuring out the current OS layout in memory.

        On Intel Haswell CPUs, not on ARMs.

  8. PunkTiger
    Flame

    So...

    ...another Android vulnerability that can get all the privileges and raise all kinds of havoc, yet I can't even find how root a cheap-arsed Chinese Android tablet to remove the pre-trojaned version of the OS so I can install a clean version. All the help guides out there to do that doesn't seem to exactly cover the tablet I have.

    Perhaps someone can make an Android vuln that can root your device so you can actually do something positive with the OS. That would be a switch.

    Sorry. Just venting.

    1. Anonymous Coward
      Anonymous Coward

      Re: So...

      Have you tried kingoroot?

      1. Charles 9 Silver badge

        Re: So...

        kingoroot doesn't provide custom ROMs, which is what he's looking for.

        The problem he has is that these cheapo Android phones have no user community behind them. WIthout them, custom ROMs jus don't happen. I happen to own two cheap Chinese Android devices, neither of which have strong user support and thus are stuck on their crappy stock configurations.

        If you want to put a custom ROM onto your device, don't go for a Chinese Cheapo. It may be more expensive, but bona fide devices at least have enough people using AND customizing them to make them worthwhile.

  9. Planty Bronze badge
    Stop

    Why is android singled out (again)?

    Seems this COULD affect any device, windows, Linux, android and more...

    That said, I have not managed to get it to do anything on my devices, so I suspect yet again, more hidden agenda from a security "expert" that conveniently forgets to use the word "potential"...

    Anyone actually get a positive result from this? Screenshot....

    1. Zippy's Sausage Factory

      Re: Why is android singled out (again)?

      Because it's much easier to get hold of a cheap victim Android device and it doesn't hurt the wallet so much if you totally destroy it in the course of testing?

      I suppose that means they're using one of Android's key selling points against itself, then. Hmm...

    2. sabroni Silver badge

      Re: Why is android singled out (again)?

      Searching for rowhammer using el Reg's search gives 4 articles apart from this one, one about VMs, one about MS Edge, one about ram and one about Linux.

      A Google planty perhaps?

  10. BinkyTheMagicPaperclip

    Not sure if we should worry

    I was holding off on buying a new system until there was one demonstrated to be rowhammer proof, but looking around it seems the few people actually testing this are finding it difficult to replicate on other systems.

    Outside of the exploit researchers, practically no-one is testing this, and those that are aren't seeing many failures.

    This is a good thing, because I'm about to buy a load of DDR3 ECC..

  11. RyokuMas Silver badge
    Devil

    What are the odds...

    "“Google scrambled to try and fix the problem, but they cannot really do it as the problem is in hardware,"

    Odds on the pixel phone not being vulnerable and giving Google another way to undercut the competition?

    1. Charlie Clark Silver badge

      Re: What are the odds...

      Yeah, because Google now designs its own memory chips…

  12. Nano nano

    And other platforms ?

    So, which of the Apple iPhones are vulnerable to this, given that it's a DRAM issue ?

  13. rtb61

    Root Should Be Accesible

    So let me get this straight, root on an Android phone is easy, so why the hell is this not a setting. Why can't consumers actually own their phones, bugger off asshats, I want root as default.

    1. Anonymous Coward
      Anonymous Coward

      Re: Root Should Be Accesible

      Because many apps are root-aware and wont work with it on, plus there's the matter of Android Pay and other apps that require a trusted environment. You may own the hardware, but NOT the software, and if all that software has strings attached...

      And before you say Android Pay is bogus, consider this could mean people don't have to take their wallets with them everywhere. A stolen phone is usually locked, Android Pay doesn't work unless UNlocked, but a stolen wallet is almost a sure ticket to full-out identity theft.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021