Skip to content

June 29, 2018

Everything you need to know about the RAMpage security exploit

by John_A


The RAMpage exploit has the potential to give a bad app complete control of your phone. Should you be worried?

The latest security exploit to affect millions of devices is called RAMpage. It’s a variation of previous attacks that use the Rowhammer hardware vulnerability to run malicious code by changing what’s stored into your device’s memory (RAM) and has the potential of data loss and to allow unauthorized access. In other words, someone using RAMpage could get into your phone and have control.

Scary headlines that say “Every Android device since 2012” are effective in getting the word out, but they leave plenty of questions. We can answer some of those in language everyone can understand.

What is Rowhammer?

You need to start here to understand how this exploit works. Rowhammer is a term used to describe a hardware issue that affects computer RAM. It’s not technically an exploit and happens because of the laws of physics.

Modern RAM chips are packed so densely that electricity can “leak” from one part and affect another.

DDR2 and newer RAM is packed so densely that you can electrically manipulate one area of RAM and it will affect another through electrical crosstalk or something like transistor leakage — where one component radiates more stray electricity that its neighbors can handle. Theoretically, this can affect any silicon-based computer hardware like video cards or CPUs.

An attack that exploits the Rowhammer effect could do what’s called “bit flipping” and turn a single bit in RAM from one state to the other — turn it on or off, depending on how it was set before the attack. If the right bit was flipped, an attacker could change permissions for their app and give it complete control of your phone.

RAMpage attacks ION on Android devices. What is ION?

There are a lot of ways to initiate a Rowhammer attack. There are even examples (now patched by most every company that needs to make patches) using network packets or Javascript, which means it could happen just by visiting a webpage. RAMpage uses the ION subsystem to initiate the attack.

ION lets apps talk to the system about how much RAM they need while they are running, then makes it happen in a safe and universal way.

ION is a universal generic memory management system that Google added to the Android kernel in Ice Cream Sandwich. You need a subsystem to manage and allocate memory because a program could need 10 bits (for example) of memory used but “standard” ways for allocating memory mean 16 bits would be used. That’s how most computers count — they go from 0 to 4 to 8 to 16 to 32 and so on. If every running process reserved more memory than it needed you would have a lot of empty memory that thinks it needs to be used.

Companies that make smartphone chips, like Qualcomm or Samsung, all had their own memory allocation tool. In order to allow Android to use the “regular” (mainline) Linux kernel source, Google added ION to the Android kernel so all manufacturers could switch to using it and the system would be more universal. And they did.

How does RAMpage work?

RAMpage attacks the ION subsystem and causes it to frantically write and refresh a row of bits in the physical memory in the hopes that it will eventually flip a bit in the adjacent row. This can potentially allow for one application to gain access to another application’s data, or even allow that application to act as the system administrator and have full control.

RAMpage breaks the most fundamental isolation between user applications and the operating system. While apps are typically not permitted to read data from other apps, a malicious program can craft a RAMpage exploit to get administrative control and get hold of secrets stored in the device.

You would need to install a malicious app that uses the RAMpage attack, and since this was made public Google Play and Amazon’s App Store won’t allow any to be uploaded. You would have to get the application through other means and sideload it.

The researchers who introduced us to RAMpage have an app to test vulnerability as well as a security app to prevent the attack. You can find both here.

Does this affect Windows or Apple products?

Maybe. The researchers themselves aren’t very clear on the issue but claim that RAMpage could affect iOS, macOS, Windows PCs, and even cloud servers.

We will have to wait for additional findings to know for sure.

Should I be worried?

Every Android device made since 2012 (every phone that shipped with Ice Cream Sandwich or later) uses the ION subsystem and has DDR2, DDR3, or DDR4 RAM and is potentially vulnerable. This means you should definitely know about RAMpage and other Rowhammer attacks.

Flipping the right bit has a 1-in-32 billion chance of happening on most Android phones — some have even higher odds.

But using a Rowhammer attack to do a specific thing isn’t possible. It’s simple enough to attack one row of bits in a RAM module until a bit in an adjacent row flips, but it’s nearly impossible to know what is written to that adjacent row. Software like Android or iOS has protections built in that ensures there is no specific place in memory any task needs to be written to, and the whole thing is random.

An attacker can’t know what bit is going to be flipped or what it will do. That means it’s like a game of roulette with a wheel that has 32 billion slots for the ball to fall in. Random luck exists, but these odds are extremely low.

You should be aware of RAMpage, but there is no need to be worried that anything will happen to you. Continue to use common sense and only install apps that come from a place you trust (sticking to Google Play is a fine idea) and carry on as normal.

Read more from News

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Note: HTML is allowed. Your email address will never be published.

Subscribe to comments

%d bloggers like this: