GLitch attack, Rowhammer attack against Android smartphones now leverages GPU

A team of experts has devised the GLitch attack technique that leverages graphics processing units (GPUs) to launch a remote Rowhammer attack against Android smartphones.

A team of experts has demonstrated how to leverage graphics processing units (GPUs) to launch a remote Rowhammer attack against Android smartphones.

By exploiting the Rowhammer attackers hackers can obtain higher kernel privileges on the target device. Rowhammer is classified as a problem affecting some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows, this means that theoretically, an attacker can change any value of the bit in the memory.

The issue has been known at least since 2012, the first attack was demonstrated in 2015 by white hat hackers at Google Project Zero team.

In October 2016, a team of researchers in the VUSec Lab at Vrije Universiteit Amsterdam devised a new method of attack based on Rowhammer, dubbed DRAMMER attack, that could be exploited to gain ‘root’ access to millions of Android smartphones and take control of affected devices. The greatest limitation of the Drammer attack was the necessity to have a malicious application being installed on the target device.

Now for the first time ever, the same team of experts has devised a technique dubbed GLitch to conduct the Rowhammer attack against an Android phone remotely.

The GLitch technique leverages embedded graphics processing units (GPUs) to launch the attack

“We demonstrate that GPUs, already widely employed to accelerate a variety of benign applications such as image rendering, can also be used to “accelerate”  microarchitectural attacks (i.e., making them more effective) on commodity platforms.” reads the research paper.

“In particular, we show that an attacker can build all the necessary primitives for performing effective GPU-based microarchitectural attacks and that these primitives are all exposed to the web through standardized browser extensions, allowing side-channel and Rowhammer attacks from JavaScript”

The name GLitch comes from a widely used browser-based graphics code library known as WebGL for rendering graphics to trigger a known glitch in DDR memories.

The experts published a GLitch proof-of-concept attack that can exploit the Rowhammer attack technique by tricking victims into visiting a website hosting a malicious JavaScript code to remotely hack an Android smartphone in just 2 minutes.

The malicious script runs only within the privileges of the web browser, which means that the attack could allow to spy on user’s browsing activity or steal users’ credentials.

Experts highlighted that the attack could not allow threat actors to gain the full control over the victim’s device.

GLitch rather than leverage the CPU like other implementation for the Rowhammer technique uses the graphics processing units (GPU).

The researchers have chosen to leverage the GPU because its cache can be more easily controlled, allowing them to hammer targeted rows without any interference.

“While powerful, these GPU primitives are not easy to implement due to undocumented hardware features. We describe novel reverse engineering techniques for peeking into the previously unknown cache architecture and replacement policy of the Adreno 330, an integrated GPU found in many common mobile platforms” continues the paper.

Affected smartphones run the Snapdragon 800 and 801 system on a chip, this implies that the GLitch attack only works only on older Android devices, including LG Nexus 5, HTC One M8, or LG G2.

The PoC code works against both Firefox and Chrome, the video demo researchers demonstrate the GLitch attack on a Nexus 5 running over Mozilla’s Firefox browser.

The bad news for Android users is that no software patch can mitigate the GLitch attack because it leverages hardware bugs.

Experts warn of potential effects of Rowhammer attacks on a large scale, they are currently helping Google to mitigate the attack.

If you’re interested in more details about the exploit or other technical details I suggest you read the technical walkthrough.

 

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  Rowhammer, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]