The Rowhammer bug that can threaten millions of Android devices: Experts reveal 'bit flip' flaw that attacks memory chips

  • Experts created an attack that uses an existing bug called Rowhammer
  • Called Drammer, it takes advantage of the weak physical design of handsets' RAM chips
  • It is delivered as an app that needs no permissions and lets hackers take control of the device
  • 27 Android handsets from different manufacturers were tested
  • Specific Nexus, Moto G, Samsung and OnePlus handsets were successfully rooted

Researchers have devised a new method that infiltrates Android devices without exploiting software vulnerabilities.

Dubbed Drammer, this attack employs an existing bug known as Rowhammer and takes advantage of RAM chips' weak physical design – allowing hackers to easily alter memory.

This app doesn't require permission for installation, which gives cyber criminals access to millions of Android handsets including devices from Google, Samsung, LG and Motorola.


Drammer is an attack that employs an existing bug known as Rowhammer and takes advantage of RAM chips' weak physical design. Pictured is an LG Nexus 5 at the moment it is rooted using Rowhammer-induced bit flips

IS YOUR PHONE AFFECTED? 

The researchers tested 27 Android devices from different manufacturers, 21 using ARMv7 (32-bit) and six using ARMv8 (64-bit) architectures.

They managed to flip bits on 17 of the ARMv7 devices and one of the ARMv8 devices, which means they are vulnerable to the attack.

The team successfully rooted the following handsets: the Nexus 4, Nexus 5, and G4 from LG; Moto G models from 2013 and 2014 made by Motorola; the Galaxy S4 and Galaxy S5 from Samsung; and the One from OnePlus.

However, they also found that the results were inconsistent: only 12 of the 15 Nexus 5 handsets were successfully rooted, and only one of the two Galaxy S5 handsets was compromised.

This vulnerability stems from the push by so many manufacturers to pack more dynamic random-access memory (DRAM) capacity onto ever-smaller chips.

'Our work is the first to show that Rowhammer is possible on mobile, ARM-based hardware,' said researchers in the VUSec Lab at Vrije Universiteit Amsterdam in a report.

'Drammer is the first Android root exploit that relies on no software vulnerability and is an instance of the Flip Feng Shui exploitation technique.'

Rowhammer is a hardware bug that lets hackers alter data in a device's memory without writing to it directly: repeatedly reading nearby memory locations can flip bits in the target.

The new attack developed by the researchers does not require the user's permission, allowing the malicious app to be installed inconspicuously, reports Ars Technica.

Rowhammer changes certain bits of data in a way that completely roots name-brand Android devices from LG, Motorola, Samsung, OnePlus, and possibly other manufacturers.

HOW DRAMMER WORKS

Researchers have developed a new attack called Drammer.

This app employs an existing hardware bug known as Rowhammer.

An app containing the researchers' rooting exploit requires no user permissions and doesn't rely on any vulnerability in Android to work. 

'Until recently, we never even thought about hardware bugs [and] software was never written to deal with them,' one of the researchers, Victor van der Veen, wrote to Dan Goodin of Ars Technica in an e-mail.

'Now, we are using them to break your phone or tablet in a fully reliable way and without relying on any software vulnerability or esoteric feature.'

'And there is no quick software update to patch the problem and go back to business as usual.'

This app doesn't require permission for installation, which could give cyber criminals access to millions of Android handsets including Nexus, Samsung, LG (pictured is the LG G4 that was compromised during experiments) and Motorola.

The researchers say they notified Google about the vulnerabilities on July 25, but it is believed that Google did not notify its hardware partners about the flaws until October 2.

The new attack developed by the researchers does not require the user's permission, allowing the malicious app to be installed inconspicuously. It lets hackers alter memory, on a Samsung Galaxy S5 for example, without directly accessing it

BE ON THE LOOKOUT

An investigation by Israeli security analyst Gal Beniamini found Android devices using full disk encryption and running Qualcomm processors were most at risk.

According to Beniamini's analysis, the vulnerabilities come down to a combination of factors, namely how the processors verify security and how the Android kernel – the core of the operating system – handles it.

It could leave millions of Android users open to so-called 'brute force attacks' – where hackers overwhelm security measures using a persistent trial-and-error approach.

Google and Qualcomm have worked to release security patches, but Beniamini advises hardware upgrades may be required to fix the issue.

The Android Security team said it would issue a partial fix for the flaw (CVE-2016-6728) with its November security bulletin.

The researchers explained that Google's patch will make it much harder for an attacker to launch a Drammer attack, but it does not eliminate the problem.

'We hope to see a more sophisticated fix soon,' the researchers said.

The team has also developed a separate app that tests devices for the Rowhammer bug and lets users share their results.

The app uses a native binary, for which the researchers have also released the source code, and uploads anonymised output.

Drammer was developed in collaboration with the University of California, Santa Barbara, which showed how Stagefright mitigation techniques can be easily bypassed using a Drammer attack.

'By tricking the victim into opening a malicious URL, an attacker gains remote shell access to the vulnerable device,' the researchers wrote.

'Since the exploited mediaserver is not running with root privileges, however, he still cannot access /sdcard, for example.

'The attacker then launches the Drammer exploit which does give him full control over the device.'
