Rowhammer memory attack can root Android phones in seconds
Smartphones from LG, Samsung and Motorola are all vulnerable to an attack that makes it possible to gain root access in a matter of seconds. Known as Rowhammer, the attack uses a bit-flipping technique that exploits a vulnerability in the design of RAM chips.
Because the attack takes advantage of a physical aspect of design, it is going to be difficult to quickly devise a fix. In the meantime, millions of smartphones are at risk of compromise in what could be as large an issue as the recently-discovered Dirty COW bug -- and there's an app you can use to check if you are at risk.
Google is expected to release a security update for Android in November that will make the bug harder to exploit, but it will not eliminate the problem completely. The exploit works when an attacker successfully manipulates bit values using a 'hammering' technique -- rapidly accessing the same locations of memory time and time again. This can cause an electric charge leak resulting in adjacent memory cells being altered.
In an email to Ars Technica, one of the researchers who discovered the vulnerability, Victor van der Veen, said:
"Until recently, we never even thought about hardware bugs [and] software was never written to deal with them. Now, we are using them to break your phone or tablet in a fully reliable way and without relying on any software vulnerability or esoteric feature. And there is no quick software update to patch the problem and go back to business as usual."
A paper published by van der Veen and others entitled "Drammer: Deterministic Rowhammer Attacks on Mobile Platforms" explains how the Rowhammer attack can be used on ARM and x86 architectures -- with ARM being even easier. The researchers were able to create an app that exploited the Rowhammer technique to run with root access without the need for special permissions.
If you want to check whether your phone is vulnerable, details of the testing app can be found on GitHub.