Find out how your Android phone can be hacked using its GPU

Rowhammer is a threat that exploits physical defects in your phone’s memory, breaching its security. Up until now, the threat was thought to be theoretical, meaning that it could not be really used. However, a group of researchers unveiled the power of the exploit, which is able to remotely execute a malicious code on the phone’s GPU.

Rowhammer: uses your phone’s GPU to steal your passwords

This exploit has been dubbed GLitch, and it is the first one that allows to flip individual bits stored in the RAM as opposed to previous exploits that targeted the CPU. Additionally, it is the first Rowhammer attack that uses JavaScript to hack a phone, and it can also be executed in less than two minutes when a user visits a malicious website.

The term Rowhammer is coined because the exploit accesses (hammer) memory blocks (rows) thousands of times per second. By doing this, zeros and ones can be altered at will. The physical defect is created because every DRAM cell is closer to each other, so the electrical interaction with neighboring cells is harder to avoid.

This type of attack has been worked on since 2015. While getting access to the data stored in both the processor cache and RAM is more difficult due to their random nature, the data in the GPU has a more deterministic behavior, which means that it is easier to attack.

The attack’s proof of concept currently works on the Nexus 5, but it could be tweaked to work on any phone and even computers. The threat can only be mitigated through patches, but only a hardware redesign can solve the problem.

It can work on any phone with the Snapdragon 800/801, and it could be used by the NSA and CIA

To see the exploit’s capabilities, researchers reverse engineered the Snapdragon 800/801, which integrates a CPU and GPU like every other mobile SoC. Although it was tested on a Nexus 5, the exploit also works on any phone that uses that processor. If any other SoC is reverse engineered, the exploit can be used on them.

When the code is loaded into Chrome or Firefox for Android on the Nexus 5, it executes whatever the attacker wants, being able to steal passwords, see the history, etc. In fact, by chaining the exploit to Drammer, it is possible to even root the phone. The research was done using Chrome, but researchers decided to switch to Firefox because they knew about its internals and there is more documentation about it.

To be protected against the attack, both Chrome 65 and Firefox 59 (both released in March) integrated some solutions to block GPU-based Rowhammer attacks. For example, both browsers disabled a WebGL extension called EXT_DISJOIN_TIMER_QUERY, which could be used to attack the GPU. Other WebGL functions were redesigned to block this kind of attacks as best as possible.

Pietro Frigo, one of the four researchers, states that his proof-of-concept exploit still works in Firefox 59.0.2. However, the exploit is now less reliable because it has to guess if the targeted memory is contiguous or not.

Google states that some phones already have physical protection against these vulnerabilities, refreshing memory rows if the phone shows signs of being abused. They also detect if there are errors in the bits.

Attacking your phone with this exploit is definitely very difficult and expensive. The ones who could use it are federal agencies like the NSA or CIA for international purposes. This is why major manufacturers are not too worried about solving the problem, although they could start being more careful with their devices after the research is published.