Researchers have developed a new version of a hardware-based attack that can compromise an Android phone through the browser using a technique that can flip bits in memory by causing small electrical charge leaks in a chip. The attack is an innovative twist on a known method, but it likely isn’t an imminent threat for most Android owners.
“These attacks bypass state-of-the-art mitigations and advance existing CPU-based attacks: we show the first end-to-end microarchitectural compromise of a browser running on a mobile phone in under two minutes by orchestrating our GPU primitives.”
The researchers said that most typical users likely won’t see this kind of attack targeting them anytime soon. There is a long list of other attack vectors that are simpler to execute and take far less effort.
“For general users I believe for now this is not a real threat. The likelihood of an attacker exploiting such an advanced exploitation vector is relatively low as of now. It all boils down to a simple cost function for the attacker. There's no point in wasting time developing such a complex exploit when you can use lower-hanging fruit,” said Pietro Frigo, one of the authors of the paper.
“However, things are changing rapidly. Until last year everyone believed that a remote Rowhammer attack would have taken hours. Now we've proven that it is possible to do it in a few minutes (best case scenario under 1 min) on mobile platforms where it was considered completely unfeasible. So this should be seen as the proof of concept that it actually is.”
Rowhammer attacks are highly technical and rely on the ability to access certain rows of memory over and over again. By doing so, an attacker can, under certain circumstances, cause small electrical charges to leak from the memory cells adjacent to a target location, which in turn can cause a bit in that location to change its state. The attack that the team at Vrije University developed uses Rowhammer to exploit a remote user who visits a malicious web site in Firefox on an Android phone. The GLitch attack, as the researchers call it, uses the WebGL library to build what they call “timing primitives” that get past the security defenses on the phone’s chips and then determine which specific memory locations to target.
In terms of defenses, Frigo said fixing the Rowhammer problem in general and the attack his team developed requires hardware-based mitigations. Both Mozilla, which makes Firefox, and Google, which maintains the Android code base, have made some changes to mitigate the new exploit, but they don’t completely prevent the GLitch attack.
“As of now there's no software-based mitigation that completely stops the attack. Both Firefox and Chrome deployed mitigations against the timing side-channel, the first step of our attack. These consisted in disabling a specific timer extension (EXT_DISJOINT_TIMER_QUERY) and partially fixing the WebGL specification to make it harder to build high-precision timers,” Frigo said.
“However, for now no step has been taken to make it impossible to trigger bit flips from the GPU. We're still communicating with Google about possible solutions. Bottom line, Rowhammer should be fixed in hardware. And while there are some proposed mitigations in hardware (TRR specifically for Rowhammer and ECC more in general for memory errors) their effectiveness still needs to be proved.”
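The browser-side mitigations Frigo describes (removing the WebGL timer-query extension and coarsening clocks) can be audited from a page. The following is an added example written for this article, not code from the researchers or from any browser vendor; the WebGL extension names are the real Khronos identifiers, the context object passed in is whatever `canvas.getContext('webgl')` returns, and the mock contexts used for testing are constructed.

```javascript
// Added example: report whether a WebGL context still exposes the GPU
// timer-query extensions, and estimate the resolution of a clock function.
const TIMER_EXTENSIONS = [
  'EXT_DISJOINT_TIMER_QUERY',        // WebGL 1 extension named in the article
  'EXT_DISJOINT_TIMER_QUERY_WEBGL2', // WebGL 2 variant (Khronos registry)
];

// gl: a WebGLRenderingContext/WebGL2RenderingContext or an object with the
// same getSupportedExtensions()/getExtension() methods.
function timerExtensionReport(gl) {
  // Prefer the side-effect-free listing; getExtension() would enable it.
  const listed = typeof gl.getSupportedExtensions === 'function'
    ? (gl.getSupportedExtensions() || [])
    : null;
  const exposed = TIMER_EXTENSIONS.filter((name) =>
    listed !== null ? listed.includes(name) : gl.getExtension(name) !== null);
  return {
    exposed,                              // which timer extensions remain
    gpuTimersAvailable: exposed.length > 0, // true => mitigation not in place
  };
}

// Estimate a clock's resolution as the smallest non-zero difference between
// consecutive readings. A coarsened performance.now() (e.g. 100 µs steps)
// shows up directly as that step size; returns null if the clock never moved.
function estimateClockResolution(now, samples = 10000) {
  let min = Infinity;
  let prev = now();
  for (let i = 0; i < samples; i++) {
    const t = now();
    const d = t - prev;
    if (d > 0 && d < min) min = d;
    prev = t;
  }
  return min === Infinity ? null : min;
}

// Typical browser usage (constructed, not run here):
//   const gl = document.createElement('canvas').getContext('webgl');
//   console.log(timerExtensionReport(gl),
//               estimateClockResolution(() => performance.now()));
```

A report with `gpuTimersAvailable: false` and a clock resolution well above a microsecond indicates the browser has the timer mitigations described above; it says nothing about whether bit flips themselves can still be triggered from the GPU.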