Hundreds of millions of Android devices vulnerable

Aug 14, 2016 22:35 GMT

Five researchers from the Graz University of Technology in Austria have presented the first cache attacks that work across cores on the multi-core ARM CPUs used in Android devices. The team published their findings at the recently concluded USENIX Security Symposium.

A CPU cache attack is a side-channel attack. The attacker does not read another process's data out of the cache; instead, an unprivileged process measures how long its own memory accesses take, and that timing reveals which cache lines or cache sets another process has used in the meantime. From those access patterns the attacker infers what the victim was doing, for example which table entry a cryptographic routine looked up or which code path handled a touch event.

In the past, researchers discovered multiple ways to carry out cache attacks, most of them against Intel x86 CPU architectures.

ARM itself is not new, but it has received far less attention from side-channel researchers than x86, and porting the older attacks is not straightforward: ARMv7 offers no unprivileged cache-flush instruction, the last-level caches of many ARM cores are not inclusive, and replacement policies are often pseudo-random. Researchers are only now adapting the known techniques to a platform that has made its way into smartphones, tablets, and many IoT devices.

ARMageddon lets attackers monitor tap and swipe gestures

The researchers, led by Moritz Lipp, describe in a technical paper presented at USENIX Security how they used cache attacks on ARM CPUs to leak information from other apps, and from the TrustZone, on unmodified Android devices.

Using Prime+Probe, Flush+Reload, Evict+Reload, and Flush+Flush, the researchers monitored the cache footprint of the code that handles touch input, which let them detect tap and swipe events, observe the timing of keystrokes on the on-screen keyboard, and derive the lengths of typed words.

"Based on our techniques, we demonstrate covert channels that outperform state-of-the-art covert channels on Android by several orders of magnitude," the researchers explain.

"Moreover, we present attacks to monitor tap and swipe events as well as keystrokes, and even derive the lengths of words entered on the touchscreen. Eventually, we are the first to attack cryptographic primitives implemented in Java."
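To make the mechanism concrete, here is an added example that is not code from the paper or from the Graz team: a small simulated set-associative cache (4 sets, 2 ways, 64-byte lines, LRU replacement, all of which are constructed parameters) on which the Prime+Probe technique from the list above is carried out against a victim that performs a secret-dependent table lookup. In the model a hit/miss flag stands in for the load latency a real attacker measures; the attacker and victim addresses (`ATTACKER_BUF`, `VICTIM_TABLE`) are likewise constructed.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy cache: 4 sets x 2 ways, 64-byte lines, LRU replacement.
 * Real caches (e.g. an ARM L2) have far more sets and ways and often use
 * random replacement; the model only shows the mechanics of the attack. */
#define LINE_BYTES 64u
#define NUM_SETS   4u
#define NUM_WAYS   2

typedef struct {
    uintptr_t tag[NUM_SETS][NUM_WAYS];
    int       valid[NUM_SETS][NUM_WAYS];
    unsigned  age[NUM_SETS][NUM_WAYS];   /* larger = less recently used */
} cache_t;

static unsigned  set_index(uintptr_t addr) { return (unsigned)((addr / LINE_BYTES) % NUM_SETS); }
static uintptr_t line_tag(uintptr_t addr)  { return addr / (LINE_BYTES * NUM_SETS); }

/* Touch one line. Returns 1 on a hit, 0 on a miss. A real attacker never sees
 * this flag; it times the load and compares it to a calibrated threshold. */
int cache_access(cache_t *c, uintptr_t addr)
{
    unsigned s = set_index(addr);
    uintptr_t t = line_tag(addr);
    int hit = 0, way = 0;

    for (int w = 0; w < NUM_WAYS; w++)
        if (c->valid[s][w] && c->tag[s][w] == t) { hit = 1; way = w; }

    if (!hit) {
        /* fill an empty way if there is one, otherwise evict the LRU way */
        way = 0;
        for (int w = 0; w < NUM_WAYS; w++) {
            if (!c->valid[s][w]) { way = w; break; }
            if (c->age[s][w] > c->age[s][way]) way = w;
        }
        c->tag[s][way] = t;
        c->valid[s][way] = 1;
    }
    for (int w = 0; w < NUM_WAYS; w++) c->age[s][w]++;
    c->age[s][way] = 0;
    return hit;
}

/* Attacker buffer (constructed address, aligned to LINE_BYTES * NUM_SETS) laid
 * out so that line (w, s) maps to set s with a distinct tag per way. */
#define ATTACKER_BUF 0x10000u
static uintptr_t attacker_line(int w, unsigned s)
{
    return ATTACKER_BUF + ((uintptr_t)w * NUM_SETS + s) * LINE_BYTES;
}

/* Prime: fill every way of every set with the attacker's own lines. */
void prime(cache_t *c)
{
    for (int w = 0; w < NUM_WAYS; w++)
        for (unsigned s = 0; s < NUM_SETS; s++)
            cache_access(c, attacker_line(w, s));
}

/* Probe: re-touch the same lines, newest way first so the probe does not
 * evict its own older lines. A miss means another party used that set in
 * between. Returns a bitmask of the disturbed sets. */
unsigned probe(cache_t *c)
{
    unsigned evicted = 0;
    for (int w = NUM_WAYS - 1; w >= 0; w--)
        for (unsigned s = 0; s < NUM_SETS; s++)
            if (!cache_access(c, attacker_line(w, s)))
                evicted |= 1u << s;
    return evicted;
}

/* Victim: a table lookup indexed by a secret, one cache line per entry (as in
 * a T-table cipher). The set it disturbs depends on the secret. */
#define VICTIM_TABLE 0x20000u   /* constructed address */
void victim_lookup(cache_t *c, unsigned secret)
{
    cache_access(c, VICTIM_TABLE + (uintptr_t)secret * LINE_BYTES);
}

/* One Prime+Probe round. Returns the index of the single disturbed set, or -1
 * if the probe saw no set or several (noise, or a victim touching more). */
int run_prime_probe(unsigned secret)
{
    cache_t c;
    memset(&c, 0, sizeof c);
    prime(&c);
    victim_lookup(&c, secret);
    unsigned mask = probe(&c);
    if (mask == 0 || (mask & (mask - 1)) != 0) return -1;
    int s = 0;
    while (!(mask & (1u << s))) s++;
    return s;
}

/* Control round with no victim activity: the probe must report nothing. */
unsigned run_idle_round(void)
{
    cache_t c;
    memset(&c, 0, sizeof c);
    prime(&c);
    return probe(&c);
}

int main(void)
{
    for (unsigned secret = 0; secret < 8; secret++)
        printf("secret %u -> victim touched set %d (secret mod %u = %u)\n",
               secret, run_prime_probe(secret), NUM_SETS, secret % NUM_SETS);
    printf("idle round mask: %u\n", run_idle_round());
    return 0;
}
```

The attacker never reads the victim's table entry; it learns only which set the lookup landed in, which here is the secret modulo the number of sets, and repeats the round to recover more. On real ARM cores the prime step is harder than this model suggests, because with a pseudo-random replacement policy one pass over the eviction set is not guaranteed to fill every way, and the attacker has to find the right addresses for a set without knowing the physical address mapping; those are the obstacles the paper works around.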

ARMageddon attack successful against ARM TrustZone

The researchers also show that the attack reaches into ARM TrustZone. TrustZone is not a part of the Android operating system but a hardware feature of the ARM CPU: it runs a separate "secure world" alongside the normal world in which Android and its apps execute, and vendors place sensitive work such as cryptographic operations there. Because the secure world shares the same caches with the normal world, an app running in the normal world can observe the cache activity, and thus the code execution, of code running inside TrustZone.

The researchers say the attack runs from an ordinary app in userspace, without root, elevated privileges, or any special permissions, and that it affects hundreds of millions of Android devices.

The team reported their results to Google, who patched most of the issues in its March 2016 Android Security Bulletin. Such patches can only remove the software-side enablers of the attack, for example unprivileged access to information an app needs to target specific cache sets; the leakage itself comes from untrusted code sharing a cache with the victim, so the remaining risk has to be addressed by constant-time implementations and by isolating sensitive code, not by an OS update alone.