Everything you need to know about the RAMpage security exploit

The latest security exploit to affect millions of devices is called RAMpage. It's a variation of previous attacks that use the Rowhammer hardware vulnerability to run malicious code by changing what's stored into your device's memory (RAM) and has the potential of data loss and to allow unauthorized access. In other words, someone using RAMpage could get into your phone and have control.

Scary headlines that say "Every Android device since 2012" are effective in getting the word out, but they leave plenty of questions. We can answer some of those in language everyone can understand.

What is Rowhammer?

You need to start here to understand how this exploit works. Rowhammer is a term used to describe a hardware issue that affects computer RAM. It's not technically an exploit and happens because of the laws of physics.

Modern RAM chips are packed so densely that electricity can "leak" from one part and affect another.

DDR2 and newer RAM is packed so densely that you can electrically manipulate one area of RAM and it will affect another through electrical crosstalk or something like transistor leakage — where one component radiates more stray electricity that its neighbors can handle. Theoretically, this can affect any silicon-based computer hardware like video cards or CPUs.

An attack that exploits the Rowhammer effect could do what's called "bit flipping" and turn a single bit in RAM from one state to the other — turn it on or off, depending on how it was set before the attack. If the right bit was flipped, an attacker could change permissions for their app and give it complete control of your phone.

RAMpage attacks ION on Android devices. What is ION?

There are a lot of ways to initiate a Rowhammer attack. There are even examples (now patched by most every company that needs to make patches) using network packets or Javascript, which means it could happen just by visiting a webpage. RAMpage uses the ION subsystem to initiate the attack.

ION lets apps talk to the system about how much RAM they need while they are running, then makes it happen in a safe and universal way.

ION is a universal generic memory management system that Google added to the Android kernel in Ice Cream Sandwich. You need a subsystem to manage and allocate memory because a program could need 10 bits (for example) of memory used but "standard" ways for allocating memory mean 16 bits would be used. That's how most computers count — they go from 0 to 4 to 8 to 16 to 32 and so on. If every running process reserved more memory than it needed you would have a lot of empty memory that thinks it needs to be used.

Companies that make smartphone chips, like Qualcomm or Samsung, all had their own memory allocation tool. In order to allow Android to use the "regular" (mainline) Linux kernel source, Google added ION to the Android kernel so all manufacturers could switch to using it and the system would be more universal. And they did.

How does RAMpage work?

RAMpage attacks the ION subsystem and causes it to frantically write and refresh a row of bits in the physical memory in the hopes that it will eventually flip a bit in the adjacent row. This can potentially allow for one application to gain access to another application's data, or even allow that application to act as the system administrator and have full control.

RAMpage breaks the most fundamental isolation between user applications and the operating system. While apps are typically not permitted to read data from other apps, a malicious program can craft a RAMpage exploit to get administrative control and get hold of secrets stored in the device.

You would need to install a malicious app that uses the RAMpage attack, and since this was made public Google Play and Amazon's App Store won't allow any to be uploaded. You would have to get the application through other means and sideload it.

The researchers who introduced us to RAMpage have an app to test vulnerability as well as a security app to prevent the attack. You can find both here.

Does this affect Windows or Apple products?

Maybe. The researchers themselves aren't very clear on the issue but claim that RAMpage could affect iOS, macOS, Windows PCs, and even cloud servers.

We will have to wait for additional findings to know for sure.

Should I be worried?

Every Android device made since 2012 (every phone that shipped with Ice Cream Sandwich or later) uses the ION subsystem and has DDR2, DDR3, or DDR4 RAM and is potentially vulnerable. This means you should definitely know about RAMpage and other Rowhammer attacks.

Flipping the right bit has a 1-in-32 billion chance of happening on most Android phones — some have even higher odds.

But using a Rowhammer attack to do a specific thing isn't possible. It's simple enough to attack one row of bits in a RAM module until a bit in an adjacent row flips, but it's nearly impossible to know what is written to that adjacent row. Software like Android or iOS has protections built in that ensures there is no specific place in memory any task needs to be written to, and the whole thing is random.

An attacker can't know what bit is going to be flipped or what it will do. That means it's like a game of roulette with a wheel that has 32 billion slots for the ball to fall in. Random luck exists, but these odds are extremely low.

Also, on June 29, Google issued the following statement to us regarding RAMpage:

We have worked closely with the team from Vrije Universiteit, and though this vulnerability isn't a practical concern for the overwhelming majority of users, we appreciate any effort to protect them and advance the field of security research. While we recognize the theoretical proof of concept from the researchers, we are not aware of any exploit against Android devices.

You should be aware of RAMpage, but there is no need to be worried that anything will happen to you. Continue to use common sense and only install apps that come from a place you trust (sticking to Google Play is a fine idea) and carry on as normal.

Updated June 29, 2018: Added statement from Google.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.