If the attack can only be reproduced by custom hardware, why should anyone care?
Also, precise patterns of access to DRAM would require disabling the L1 and L2 caches. Doesn't that sort of thing require privileged instructions?
With caching in place, memory accesses are indirect. You have to be able to reproduce the attack using only patterns of cache line loads and spills.
They evict cache lines using the CLFLUSH x86 instruction, which I believe is unprivileged.