Bad news for older Android phone version users – dutch researchers from VUSec Lab at Vrije Universiteit in Amsterdam has found a way to hijack mobile devices by performing the newest Rowhammer attack called ‘GLitch’.
Rowhammer exploits are better known as a computer hardware issue, but it is finally making its way through to mobile devices and the worst part is that there is no ‘software patch’ to fix it, since it affects hardware.
Back in October, 2016 same dutch team invented another DRAM’s aka Dynamic Random Access Memory’s (a silicon chip with grid layout memory storage cells) rowhammering attack, called DRAMMER, which allowed to get the ‘root’ access and take over millions of Android mobile devices. However it had a weakness – in order for it to work, victims would need to manually install the malicious application.
Finally after almost two years specialist found a way how to hijack the phones remotely with a JavaScript code. Unlike others GLitch technique leverages embedded graphics processing units (GPUs) instead of CPU to launch the attack. In order for row hammering technique to work, scientists had to figure out how to overcome cache memory which would get in the way preventing a necessary electronic overload on DRAM. Regardless a difficult-to-access ARM processor’s cache inside Android smartphones, GPU’s cache is way easier to control, which helps attacker to hammer targeted DRAM rows without any interference.
One click away from the attack
The victim of GLitch is tricked into visiting a malicious website containing JavaScript code which can hack the device just in under 2 minutes. The attacker can track victim’s browsing data, get personal credentials, but that is the limit because malicious code runs within privileges of the web browser. The code can be executed over Mozilla Firefox and Google Chrome browsers.
The technique is named GLitch with first two letters meaning browser-based graphics code library known as WebGL for rendering graphics to trigger a known glitch in DDR3 and DDR4 memory chips.
Even though only the older versions of Android phones (ex. LG G2, LG Nexus 5, HTC One M8) that run Snapdragon 800 and 801 system on a chip can get affected, no one knows how long will it take for rowhammer exploits to get even more improved and threatening to the new mobile devices.
Dutch researchers are now working together with Google to help mitigating the potential attacks, because if the GLitch rowhammer technique gets used by the wrong people, it will potentially cause really severe, massive damage for smartphone users.
Source: nakedsecurity.com