Nearly four years have passed since researchers began to experiment with a hacking technique known as "Rowhammer," which breaks practically every security model of a computer by manipulating the physical electric charge in memory chips to corrupt data in unexpected ways. Since that attack exploits the most fundamental properties of computer hardware, no software patch can fully fix it. And now, for the first time, hackers have found a way to use Rowhammer against Android phones over the internet.

On Thursday, researchers in the VUSec research group at Vrije Universiteit in Amsterdam published a paper that details a new form of the Rowhammer attack they call "GLitch." Like previous versions, it uses Rowhammer's trick of inducing electric leaks in memory to change ones to zeros and vice versa in the data stored there, so-called "bit flips." But the new technique can allow a hacker to run malicious code on some Android phones when the victim simply visits a carefully crafted web page, making it the first ever remote, smartphone-targeted implementation of the Rowhammer attack.

"We wanted to see if Android phones were remotely vulnerable to Rowhammer, and we knew the usual techniques wouldn't work," says Pietro Frigo, one of the researchers who worked on the paper. "By triggering bit flips in a very specific pattern we can actually get control over the browser. We managed to get remote code execution on a smartphone."

A Clever New Hammer

Rowhammer attacks work by exploiting not just the usual abstract flaws in software, but also the actual physics inherent in how computers function. When a processor accesses the rows of minuscule cells that carry electric charges to encode data in ones and zeros, some of that electric charge can very occasionally leak out to a neighboring row, and cause another bit to flip from a one to zero, or vice versa. By repeatedly accessing—or "hammering"—the rows of memory on both sides of a target row, hackers can sometimes cause a specific, intended bit flip that changes the exact bit necessary to give them some new access to the system, then use that access to gain deeper control.

Researchers have pulled off remote Rowhammer attacks on laptops running Windows and Linux before, and more recently VUSec showed that the technique could work on Android phones, too, though only after the attacker had already installed a malicious application on the phone. But the ARM processors inside Android phones include a certain type of cache—a small portion of memory on the processor itself that keeps frequently accessed data handy for efficiency—that makes accessing targeted rows of memory difficult.

To get over that hurdle, the Vrije Universiteit team instead found a method of using the graphics processing unit, whose cache can be more easily controlled to let a hacker hammer target rows without interference. "Everyone was completely ignoring the GPU, and we managed to use it to build quite a fast, remote Rowhammer exploit on ARM devices when that was considered impossible," Frigo says.

From Flipping Bits to Owning Phones

The proof-of-concept attack the researchers created to demonstrate their technique takes about two minutes, from a malicious site loading their JavaScript in the browser to running code on the victim's phone. It can only run that code, however, within the privileges of the browser. That means it can potentially steal credentials or spy on browsing habits, but it can't gain deeper access without a hacker exploiting other bugs in the phone's software. And most importantly, for now it targets only the Firefox browser, and phones that run the Snapdragon 800 and 801 systems-on-a-chip—Qualcomm mobile components that include both CPU and GPU. That means they've only proven it to work on older Android phones like the LG Nexus 5, HTC One M8, or LG G2, the most recent of which was released four years ago.