Blacksmith Attack Uses Your Own RAM Against You

Unpatchable attack circumvents security by attacking device memory

Key Takeaways

  • Rowhammer can flip bits in RAM by hammering it with data.
  • Blacksmith is a new form of the attack that bypasses DDR4's built-in protection.
  • Though not found in the wild, the attack could be used against "high-value" targets.

A new paper outlines a novel attack, dubbed Blacksmith, that can bypass device security by hammering a device's memory into a desired state.

Published by Comsec, a security research group from the Department of Information Technology and Electrical Engineering at ETH Zürich, the paper describes a "Rowhammer" attack that slams memory with junk data to trigger a bit flip. Comsec's new twist on this attack, Blacksmith, can bypass protections used by DDR4 memory to guard against such attacks.

"All devices that feature DRAM are likely vulnerable," Kaveh Razavi, an assistant professor at ETH Zürich and leader of Comsec, told Lifewire in an email.

Don’t Worry. Probably.

The scope of the attack is staggering. When Razavi says "all devices," he really does mean "all devices." 

Comsec's testing, which included DDR4 memory samples from Samsung, Micron, and Hynix, was conducted on computers running Ubuntu Linux, but it could work against nearly any device that has DDR4. 

Despite its potential, most individuals don't need to worry about Blacksmith just yet. This is a sophisticated attack that requires significant skill and effort to succeed.


"Given that easier attack vectors often exist, we think average users should not worry about this too much," said Razavi. "Different story if you are a news reporter or an activist (what we call a 'high-value target')."

If you are a high-value target, your options are limited. Memory with built-in error correction (ECC) is more resistant, but not invulnerable, and also not available on most consumer devices. 

The best defense is to stay clear of any untrusted applications. Razavi also recommends using a browser extension that blocks JavaScript, as researchers have demonstrated JavaScript can be used to execute a Rowhammer attack. 

Circumventing Protections

Rowhammer itself is not a new attack. It was brought to light in a 2014 paper from Carnegie Mellon University and Intel Labs, titled "Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors." That paper demonstrated the error in DDR3 memory.


DDR4 includes a protection, Target Row Refresh (TRR), meant to prevent Rowhammer by detecting an attack and refreshing memory before data corruption occurs. Blacksmith circumvents this by adjusting the attack to use non-uniform patterns that don’t trigger DDR4’s protection, reintroducing Rowhammer as a concern for newer devices thought to be secure.

Still, not all memory is equally vulnerable. Comsec tested Blacksmith with three sample attacks on 40 samples of DDR4 memory. Some fell quickly to all three, others held out longer, and the best resisted two of the three sample attacks. Comsec’s paper does not name the specific memory modules tested.

What’s a Rowhammer, Anyway?

Blacksmith is a form of Rowhammer attack, but what is Rowhammer?

Rowhammer takes advantage of the small physical size of memory cells in modern DRAM. These structures are so small that electrical current can leak between them. Rowhammer pummels DRAM with data that induces leakage and, in turn, can cause the bit value stored in memory cells to flip. A "1" can flip to a "0," or vice-versa.

It's like a Jedi mind trick. One moment the device knows a user has only basic access. Then, with the flip of a bit, it believes the user has full administrator access. The device has no idea it was tricked because the attack altered its memory.

[Figure: Two figures demonstrating how Blacksmith/Rowhammer works. Source: Comsec]

And it gets worse. Rowhammer, like the Spectre vulnerability discovered in x86 processors, takes advantage of a physical characteristic of the hardware. That means it's impossible to patch. The only complete solution is to replace the hardware.

The attack is stealthy, as well. 

"It will be very difficult to find traces of a rowhammer attack if it does happen in the wild since all the attacker needs to have is legitimate memory access, with some feng shui to make sure the system does not crash," said Razavi. 

There is a shred of good news, though. There's no evidence attackers outside a research environment are using Rowhammer. That could change at any time, however. 

"We have to invest in fixing this issue," said Razavi, "since these dynamics might change in the future."
