Hardware Bit-Flipping Attacks in Practice

A year and a half ago, I wrote about hardware bit-flipping attacks, which were then largely theoretical. Now, they can be used to root Android phones:

The breakthrough has the potential to make millions of Android phones vulnerable, at least until a security fix is available, to a new form of attack that seizes control of core parts of the operating system and neuters key security defenses. Equally important, it demonstrates that the new class of exploit, dubbed Rowhammer, can have malicious and far-reaching effects on a much wider number of devices than was previously known, including those running ARM chips.

Previously, some experts believed Rowhammer attacks that altered specific pieces of security-sensitive data weren't reliable enough to pose a viable threat because exploits depended on chance hardware faults or advanced memory-management features that could be easily adapted to repel the attacks. But the new proof-of-concept attack developed by an international team of academic researchers is challenging those assumptions.

An app containing the researchers' rooting exploit requires no user permissions and doesn't rely on any vulnerability in Android to work. Instead, their attack exploits a hardware vulnerability, using a Rowhammer exploit that alters crucial bits of data in a way that completely roots name brand Android devices from LG, Motorola, Samsung, OnePlus, and possibly other manufacturers.


Drammer was devised by many of the same researchers behind Flip Feng Shui, and it adopts many of the same approaches. Still, it represents a significant improvement over Flip Feng Shui because it's able to alter specific pieces of sensitive-security data using standard memory management interfaces built into the Android OS. Using crucial information about the layout of Android memory chips gleaned from a side channel the researchers discovered in ARM processors, Drammer is able to carry out what the researchers call a deterministic attack, meaning one that can reliably target security-sensitive data. The susceptibility of Android devices to Rowhammer exploits likely signals a similar vulnerability in memory chips used in iPhones and other mobile devices as well.

Here's the paper.

And here's the project's website.

Posted on October 27, 2016 at 2:23 PM5 Comments

Malicious AI

It's not hard to imagine the criminal possibilities of automation, autonomy, and artificial intelligence. But the imaginings are becoming mainstream -- and the future isn't too far off.

Along similar lines, computers are able to predict court verdicts. My guess is that the real use here isn't to predict actual court verdicts, but for well-paid defense teams to test various defensive tactics.

Posted on October 26, 2016 at 6:38 AM37 Comments

UK Admitting "Offensive Cyber" Against ISIS/Daesh

I think this might be the first time it has been openly acknowledged:

Sir Michael Fallon, the defence secretary, has said Britain is using cyber warfare in the bid to retake Mosul from Islamic State. Speaking at an international conference on waging war through advanced technology, Fallon made it clear Britain was unleashing its cyber capability on IS, also known as Daesh. Asked if the UK was launching cyber attacks in the bid to take the northern Iraqi city from IS, he replied:

I'm not going into operational specifics, but yes, you know we are conducting military operations against Daesh as part of the international coalition, and I can confirm that we are using offensive cyber for the first time in this campaign.

Posted on October 24, 2016 at 2:12 PM36 Comments

How Different Stakeholders Frame Security

Josephine Wolff examines different Internet governance stakeholders and how they frame security debates.

Her conclusion:

The tensions that arise around issues of security among different groups of internet governance stakeholders speak to the many tangled notions of what online security is and whom it is meant to protect that are espoused by the participants in multistakeholder governance forums. What makes these debates significant and unique in the context of internet governance is not that the different stakeholders often disagree (indeed, that is a common occurrence), but rather that they disagree while all using the same vocabulary of security to support their respective stances. Government stakeholders advocate for limitations on WHOIS privacy/proxy services in order to aid law enforcement and protect their citizens from crime and fraud. Civil society stakeholders advocate against those limitations in order to aid activists and minorities and protect those online users from harassment. Both sides would claim that their position promotes a more secure internet and a more secure society -- ­and in a sense, both would be right, except that each promotes a differently secure internet and society, protecting different classes of people and behaviour from different threats.

While vague notions of security may be sufficiently universally accepted as to appear in official documents and treaties, the specific details of individual decisions­ -- such as the implementation of dotless domains, changes to the WHOIS database privacy policy, and proposals to grant government greater authority over how their internet traffic is routed­ -- require stakeholders to disentangle the many different ideas embedded in that language. For the idea of security to truly foster cooperation and collaboration as a boundary object in internet governance circles, the participating stakeholders will have to more concretely agree on what their vision of a secure internet is and how it will balance the different ideas of security espoused by different groups. Alternatively, internet governance stakeholders may find it more useful to limit their discussions on security, as a whole, and try to force their discussions to focus on more specific threats and issues within that space as a means of preventing themselves from succumbing to a façade of agreement without grappling with the sources of disagreement that linger just below the surface.

The intersection of multistakeholder internet governance and definitional issues of security is striking because of the way that the multistakeholder model both reinforces and takes advantage of the ambiguity surrounding the idea of security explored in the security studies literature. That ambiguity is a crucial component of maintaining a functional multistakeholder model of governance because it lends itself well to high-level agreements and discussions, contributing to the sense of consensus building across stakeholders. At the same time, gathering those different stakeholders together to decide specific issues related to the internet and its infrastructure brings to a fore the vast variety of definitions of security they employ and forces them to engage in security-versus-security fights, with each trying to promote their own particular notion of security. Security has long been a contested concept, but rarely do these contestations play out as directly and dramatically as in the multistakeholder arena of internet governance, where all parties are able to face off on what really constitutes security in a digital world.

We certainly saw this in the "going dark" debate: e.g. the FBI vs. Apple and their iPhone security.

Posted on October 24, 2016 at 6:03 AM14 Comments

DDoS Attacks against Dyn

Yesterday's DDoS attacks against Dyn are being reported everywhere.

I have received a gazillion press requests, but I am traveling in Australia and Asia and have had to decline most of them. That's okay, really, because we don't know anything much of anything about the attacks.

If I had to guess, though, I don't think it's China. I think it's more likely related to the DDoS attacks against Brian Krebs than the probing attacks against the Internet infrastructure, despite how prescient that essay seems right now. And, no, I don't think China is going to launch a preemptive attack on the Internet.

Posted on October 22, 2016 at 8:47 AM67 Comments

Friday Squid Blogging: Which Squid Can I Eat?

Interesting article listing the squid species that can still be ethically eaten.

The problem, of course, is that on a restaurant menu it's just labeled "squid."

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

EDITED TO ADD: By "ethically," I meant that the article discusses which species can be sustainably caught. The article does not address the moral issues of eating squid -- and other cephlapods -- in the first place.

Posted on October 21, 2016 at 4:00 PM150 Comments

President Obama Talks About AI Risk, Cybersecurity, and More

Interesting interview:

Obama: Traditionally, when we think about security and protecting ourselves, we think in terms of armor or walls. Increasingly, I find myself looking to medicine and thinking about viruses, antibodies. Part of the reason why cybersecurity continues to be so hard is because the threat is not a bunch of tanks rolling at you but a whole bunch of systems that may be vulnerable to a worm getting in there. It means that we've got to think differently about our security, make different investments that may not be as sexy but may actually end up being as important as anything.

What I spend a lot of time worrying about are things like pandemics. You can't build walls in order to prevent the next airborne lethal flu from landing on our shores. Instead, what we need to be able to do is set up systems to create public health systems in all parts of the world, click triggers that tell us when we see something emerging, and make sure we've got quick protocols and systems that allow us to make vaccines a lot smarter. So if you take a public health model, and you think about how we can deal with, you know, the problems of cybersecurity, a lot may end up being really helpful in thinking about the AI threats.

Posted on October 20, 2016 at 6:16 AM33 Comments

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.