Security Experts:

Android Phones Vulnerable to Remote Rowhammer Attack via GPU

A team of researchers has shown how malicious actors could leverage graphics processing units (GPUs) to launch Rowhammer attacks remotely against Android smartphones.

Rowhammer attacks involve repeatedly accessing a row of memory and causing bit flips in adjacent rows. The issue has been known since at least 2012, but its security implications were first discussed only in 2014, and the first attack was demonstrated in 2015 when Google researchers showed that it could be exploited for privilege escalation.

Other experts later discovered that Rowhammer was remotely exploitable via JavaScript and even demonstrated attacks on mobile platforms, specifically for rooting Android phones. A new variation of the attack presented last year bypassed mitigations proposed up to that point.

Researchers from the VU University in Amsterdam have now shown that the GPU integrated in most mobile processors can also be abused for Rowhammer and other microarchitectural attacks.

Experts demonstrated that JavaScript-based attacks can be launched remotely against web browsers such as Firefox and Chrome on older LG Nexus 5, HTC One M8 and LG G2 smartphones running Android. These devices use the GPU integrated into the Snapdragon 800/801 mobile chips.

The researchers claim their technique, which they have dubbed GLitch, is an improvement to existing CPU attacks, and it can bypass “state-of-the-art” mitigations. Their experiments have shown that the GPU-based Rowhammer attack is reliable and it can be used to compromise a mobile browser in less than two minutes.

“In comparison, even on PCs, all previous Rowhammer attacks from JavaScript require non default configurations (such as reduced DRAM refresh rates or huge pages) and often take such a long time that some researchers have questioned their practicality,” the researchers said in their paper.

“Our GLitch exploit shows that browser-based Rowhammer attacks are entirely practical even on (more challenging) ARM platforms. One important implication is that it is not sufficient to limit protection to the kernel to deter practical attacks, as hypothesized in previous work,” they added.

Ars Technica reported that Chrome 65 and Firefox 59 include mitigations for these types of attacks, and further protections will be rolled out by Google and Mozilla in the upcoming period.

The discovery of the GLitch method is important as it helps software and hardware vendors make their future products more secure, but these types of attacks require significant knowledge and resources and are unlikely to be seen in the wild any time soon.

Related: Intel Offers $250,000 for Side-Channel Exploits

Related: Intel CPUs Vulnerable to New 'BranchScope' Attack

Related: Intel, AMD Chip Vulnerabilities Put Billions of Devices at Risk

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.