Using Rowhammer bitflips to root Android phones is now a thing

Researchers have devised an attack that gains unfettered "root" access to a large number of Android phones, exploiting a relatively new type of bug that allows adversaries to manipulate data stored in memory chips.

The breakthrough has the potential to make millions of Android phones vulnerable, at least until a security fix is available, to a new form of attack that seizes control of core parts of the operating system and neuters key security defenses. Equally important, it demonstrates that the new class of exploit, dubbed Rowhammer, can have malicious and far-reaching effects on a much wider number of devices than was previously known, including those running ARM chips.

Previously, some experts believed Rowhammer attacks that altered specific pieces of security-sensitive data weren't reliable enough to pose a viable threat because exploits depended on chance hardware faults or advanced memory-management features that could be easily adapted to repel the attacks. But the new proof-of-concept attack developed by an international team of academic researchers is challenging those assumptions.

An app containing the researchers' rooting exploit requires no user permissions and doesn't rely on any vulnerability in Android to work. Instead, their attack exploits a hardware vulnerability, using a Rowhammer exploit that alters crucial bits of data in a way that completely roots name brand Android devices from LG, Motorola, Samsung, OnePlus, and possibly other manufacturers.

No quick fix

"Until recently, we never even thought about hardware bugs [and] software was never written to deal with them," one of the researchers, Victor van der Veen, wrote in an e-mail. "Now, we are using them to break your phone or tablet in a fully reliable way and without relying on any software vulnerability or esoteric feature. And there is no quick software update to patch the problem and go back to business as usual."

So far, "Drammer," as the researchers have dubbed their exploit, has successfully rooted the following handsets: the Nexus 4, Nexus 5, and G4 from LG; Moto G models from 2013 and 2014 made by Motorola; the Galaxy S4 and Galaxy S5 from Samsung; and the One from OnePlus. In some cases, the results aren't always consistent. For example, only 12 of the 15 Nexus 5 models were successfully rooted, while only one of two Galaxy S5 were compromised.

The researchers aren't certain why their results are inconsistent. They theorize that the age of a given device may play a role, since extended or intensive use may wear down cells inside the memory chips over time. Another possibility is that memory chips from some suppliers are more resilient to Rowhammer than others. (It's not uncommon for different generations of the same phone model to use different memory chips.) The researchers expect to soon publish an app that allows people to test their individual phone and anonymously include the results in a running tally that will help researchers better track the list of vulnerable devices. (Update 10/24/2016 6:10 California time: The app still hasn't gone live in Google Play. People who are willing to sideload the app can find it here.)

The researchers privately reported their findings to Google engineers in July, and the company has designated the vulnerability as "critical," its highest severity rating. Google also awarded the researchers $4,000 under the company's bug bounty reward program. Google informed its manufacturing partners of the vulnerability earlier this month and plans to release an update in November, but the researchers warned it doesn't conclusively fix the underlying Rowhammer hardware bug. Instead, it only makes the vulnerability much harder to exploit by restricting an app's access to "physical contiguous kernel memory," as carried out by Drammer.

"I will have to check once the patch is out, but I expect that we could still find bit flips," van der Veen told Ars. "Exploiting them would be harder, but probably not impossible."

Google continues to work on a longer term solution.

The researchers have published two videos that demonstrate Drammer in action against an unrooted LG Nexus 5. For test and research purposes, the phone is connected by USB to a computer, although such a pairing isn't necessary to make the attacks work.

In the first video, the handset is running Android 6.0.1 with security patches Google released on October 5. Beginning around 0:15, Drammer begins hammering memory, and between 0:30 and 0:50, the exploit can be seen writing new entries to the memory's page table, 512 entries at a time. At the 0:50 mark, Drammer obtains root access and opens a shell window that gives complete control over the device.

The second video shows how Drammer can be combined with code that exploits specific Android vulnerabilities, in this one known as Stagefright, which remains unfixed in many older handsets. By adding the Drammer privilege-escalation exploit, an existing code-execution attack can access core parts of the operating system, rather than being confined only to a small section of it, as envisioned under the Android security model.

In the second video, the Stagefright exploit gives the researchers an advanced shell, but it still has only limited system privileges, as evidenced by the inability to access the phone's SD card. By running Drammer, however, the shell gains root access, starting about 3:30 into the video.

Drammer represents a dramatic advance in what's known about Rowhammer. In 2014, researchers first demonstrated that repeatedly accessing data stored in memory chips could flip certain bits, causing certain zeros to become ones and vice versa. The bitflips were viewed by many as more of a data-corrupting threat than one with far-reaching consequences for security. In part, that was because the bit flips were possible only in limited regions of certain DDR memory chips, making it hard to surgically alter specific pieces of security-sensitive data.

The road to exploitation

Then in 2015, researchers for Google's Project Zero showed that in limited settings, Rowhammer could be exploited to elevate user privileges and break out of security sandboxes that protect operating systems from untrusted code. Many researchers continued to downplay the significance of the results, in part because Google responded by updating its Chrome browser to disable the CLFLUSH instruction that was required to make the sandbox escape work. Additionally, critics said error-correcting code and other protections could easily mitigate the threat.

Since then, researchers have slowly advanced the capabilities of Rowhammer, showing, for instance, the bug can be exploited by the type of JavaScript code hosted on websites and can be fine-tuned to alter specific pieces of security-sensitive data using a technique known as flip feng shui.

Flip feng shui, however, still relied on advanced memory-management features that aren't available in most mobile devices and other low-cost platforms. And like all the other Rowhammer exploits that preceded it, it worked only on devices that used chips with an x86 x64 architecture, which are mostly made by Intel and Advanced Micro Devices.

Drammer was devised by many of the same researchers behind Flip Feng Shui, and it adopts many of the same approaches. Still, it represents a significant improvement over Flip Feng Shui because it's able to alter specific pieces of sensitive-security data using standard memory management interfaces built into the Android OS. Using crucial information about the layout of Android memory chips gleaned from a side channel the researchers discovered in ARM processors, Drammer is able to carry out what the researchers call a deterministic attack, meaning one that can reliably target security-sensitive data. The susceptibility of Android devices to Rowhammer exploits likely signals a similar vulnerability in memory chips used in iPhones and other mobile devices as well.