On Thursday, researchers in the VUSec research group at Vrije Universiteit in Amsterdam published a paper that details a new form of the Rowhammer attack they call "GLitch." Like previous versions, it uses Rowhammer's trick of inducing electric leaks in memory to change ones to zeros and vice versa in the data stored there, so-called "bit flips." But the new technique can allow a hacker to run malicious code on some Android phones when the victim simply visits a carefully crafted web page, making it the first ever remote, smartphone-targeted implementation of the Rowhammer attack.

Known since at least 2012, the issue was first exploited by Google's Project Zero researchers in early 2015, when they pulled off remote Rowhammer attacks on computers running Windows and Linux.

Last year, a team of researchers in the VUSec Lab at Vrije Universiteit Amsterdam demonstrated that the Rowhammer technique could also work on Android smartphones, but with a major limitation: a malicious application first had to be installed on the target phone.

However, the same team of researchers has now shown how their proof-of-concept attack, "GLitch," can exploit the Rowhammer technique simply by hosting a website running malicious JavaScript code, remotely compromising an Android smartphone in under 2 minutes without relying on any software bug.

Since the malicious code runs only with the privileges of the web browser, it can spy on the user's browsing patterns or steal their credentials. The attacker cannot, however, gain further access to the user's Android phone.

Here's How GLitch Attack Works

Currently, GLitch targets smartphones running the Snapdragon 800 and 801 system on a chip (which includes both the CPU and the GPU), meaning the PoC works only on older Android phones such as the LG Nexus 5, HTC One M8, or LG G2. The attack can be launched against Firefox and Chrome.

In a video demonstration, the researchers show their JavaScript-based GLitch attack on a Nexus 5 running Mozilla's Firefox browser, gaining read/write privileges that give them the ability to execute malicious code within the browser.

"If you're wondering if we can trigger bit flips on Chrome the answer is yes, we can. As a matter of fact, most of our research was carried out on Chrome," the researchers said. "We then switched to Firefox for the exploit just because we had prior knowledge of the platform and found more documentation."

No Software Patch Can Fully Fix the Rowhammer Issue

Since Rowhammer exploits a weakness in computer hardware, no software patch can completely fix the issue. The researchers say the Rowhammer threat is not only real but also has the potential to cause severe damage.

Although there's no way to fully block an Android phone's GPU from tampering with the DRAM, the team has been working with Google on ways to solve the problem.

For more in-depth details on the new attack technique, you can head on to the researchers' informational page about GLitch and the paper [PDF] they published.
