Everything you need to know about the RAMpage security exploit

The latest security exploit to affect millions of devices is called RAMpage. It's a variation of previous attacks that use the Rowhammer hardware vulnerability to run malicious code by changing what's stored in your device's memory (RAM), and it could cause data loss or allow unauthorized access. In other words, someone using RAMpage could get into your phone and take control.

Scary headlines that say "Every Android device since 2012" are effective in getting the word out, but they leave plenty of questions. We can answer some of those in language everyone can understand.

What is Rowhammer?

You need to start here to understand how this exploit works. Rowhammer is a term used to describe a hardware issue that affects computer RAM. It's not technically an exploit and happens because of the laws of physics.

Modern RAM chips are packed so densely that electricity can "leak" from one part and affect another.

DDR2 and newer RAM is packed so densely that you can electrically manipulate one area of RAM and it will affect another through electrical crosstalk or something like transistor leakage, where one component radiates more stray electricity than its neighbors can handle. Theoretically, this can affect any silicon-based computer hardware, like video cards or CPUs.

An attack that exploits the Rowhammer effect could do what's called "bit flipping" and turn a single bit in RAM from one state to the other — turn it on or off, depending on how it was set before the attack. If the right bit was flipped, an attacker could change permissions for their app and give it complete control of your phone.

RAMpage attacks ION on Android devices. What is ION?

There are a lot of ways to initiate a Rowhammer attack. There are even examples (now patched by most every company that needs to make patches) using network packets or JavaScript, which means it could happen just by visiting a webpage. RAMpage uses the ION subsystem to initiate the attack.

ION lets apps talk to the system about how much RAM they need while they are running, then makes it happen in a safe and universal way.

ION is a universal, generic memory management system that Google added to the Android kernel in Ice Cream Sandwich. You need a subsystem to manage and allocate memory because a program might need, for example, 10 bits of memory, but "standard" ways of allocating memory would hand it 16 bits. That's how most computers count: they go from 0 to 4 to 8 to 16 to 32 and so on. If every running process reserved more memory than it needed, you would have a lot of empty memory that the system thinks is in use.

Companies that make smartphone chips, like Qualcomm or Samsung, all had their own memory allocation tool. In order to allow Android to use the "regular" (mainline) Linux kernel source, Google added ION to the Android kernel so all manufacturers could switch to using it and the system would be more universal. And they did.

How does RAMpage work?

RAMpage attacks the ION subsystem and causes it to frantically write and refresh a row of bits in the physical memory in the hopes that it will eventually flip a bit in the adjacent row. This can potentially allow for one application to gain access to another application's data, or even allow that application to act as the system administrator and have full control.

RAMpage breaks the most fundamental isolation between user applications and the operating system. While apps are typically not permitted to read data from other apps, a malicious program can craft a RAMpage exploit to get administrative control and get hold of secrets stored in the device.

You would need to install a malicious app that uses the RAMpage attack, and since this was made public Google Play and Amazon's App Store won't allow any to be uploaded. You would have to get the application through other means and sideload it.

The researchers who introduced us to RAMpage have an app to test vulnerability as well as a security app to prevent the attack. You can find both here.

Does this affect Windows or Apple products?

Maybe. The researchers themselves aren't very clear on the issue but claim that RAMpage could affect iOS, macOS, Windows PCs, and even cloud servers.

We will have to wait for additional findings to know for sure.

Should I be worried?

Every Android device made since 2012 (every phone that shipped with Ice Cream Sandwich or later) uses the ION subsystem and has DDR2, DDR3, or DDR4 RAM and is potentially vulnerable. This means you should definitely know about RAMpage and other Rowhammer attacks.

Flipping the right bit has a 1-in-32 billion chance of happening on most Android phones — some have even higher odds.

But using a Rowhammer attack to do a specific thing isn't possible. It's simple enough to attack one row of bits in a RAM module until a bit in an adjacent row flips, but it's nearly impossible to know what is written to that adjacent row. Software like Android or iOS has protections built in that ensure there is no specific place in memory any task needs to be written to; where things land is random.

An attacker can't know what bit is going to be flipped or what it will do. That means it's like a game of roulette with a wheel that has 32 billion slots for the ball to fall in. Random luck exists, but these odds are extremely low.
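The two ideas above, that flipping the one bit that holds a permission is enough to escalate, and that under a randomized layout a random flip has roughly a one-in-(total bits) chance of landing on the bit that matters, can be put into a small model. This is an added example, not code from the article, from Android, or from the RAMpage researchers. The "permission word" with an admin flag at bit 0, the memory sizes and the random seeds are constructed assumptions; the code only models the consequence of a flip on a byte array and does not induce any flip in real hardware.

```python
"""Toy model of a single Rowhammer-style bit flip and why, under a randomized
memory layout, aiming one at a specific bit is so unlikely.

Added illustration, not code from the article or the RAMpage researchers.
The permission-word layout (bit 0 = admin) is a hypothetical stand-in for
whatever real structure a flip would have to land in.  It models the
consequence of a flip in a byte array; it does not hammer any real memory.
"""
import random

BITS_PER_BYTE = 8
ADMIN_FLAG = 1 << 0  # hypothetical: bit 0 of the permission word means "admin"


def flip_bit(mem: bytearray, bit_index: int) -> None:
    """Flip exactly one bit of a memory image in place (the Rowhammer effect)."""
    byte_index, bit = divmod(bit_index, BITS_PER_BYTE)
    mem[byte_index] ^= 1 << bit


def is_admin(mem: bytearray, word_offset: int) -> bool:
    """Read the hypothetical permission word stored at word_offset."""
    return bool(mem[word_offset] & ADMIN_FLAG)


def single_flip_probability(ram_bytes: int, sensitive_bits: int = 1) -> float:
    """Chance that one random flip lands on one of `sensitive_bits` specific
    bits: sensitive_bits / total bits.  4 GB of RAM is 32 billion bits, which
    is where a 1-in-32-billion figure comes from."""
    return sensitive_bits / (ram_bytes * BITS_PER_BYTE)


def simulate_random_flips(ram_bytes: int, trials: int, seed: int = 0) -> int:
    """Monte Carlo model of the roulette argument: each trial places an
    unprivileged permission word at a random offset (layout randomization),
    flips one random bit somewhere in the image, and counts whether that flip
    happened to grant admin.  Returns the number of such hits."""
    rng = random.Random(seed)
    mem = bytearray(ram_bytes)          # constructed memory image, all zero
    total_bits = ram_bytes * BITS_PER_BYTE
    hits = 0
    for _ in range(trials):
        offset = rng.randrange(ram_bytes)
        bit = rng.randrange(total_bits)
        flip_bit(mem, bit)
        if is_admin(mem, offset):
            hits += 1
        flip_bit(mem, bit)              # undo, so trials stay independent
    return hits


if __name__ == "__main__":
    # Aimed flip: flipping exactly the admin bit of the word at byte 10.
    image = bytearray(64)
    flip_bit(image, 10 * BITS_PER_BYTE + 0)
    print("aimed flip grants admin:", is_admin(image, 10))
    # Random flip against 4 GB of RAM: one chance in 32 billion per flip.
    print("p(one random flip hits the admin bit, 4 GB):",
          single_flip_probability(4_000_000_000))
    # Scaled-down run so the effect is observable: 4 KiB = 32768 bits,
    # so about 3 hits are expected in 100000 random flips.
    print("hits in 100000 random flips on 4 KiB:",
          simulate_random_flips(4096, trials=100_000))
```

Run it as a script to see both halves: an aimed flip on the right bit escalates immediately, while the scaled-down random run shows how rarely an unaimed flip lands on the sensitive bit, and the probability scales down with the size of RAM exactly as the roulette comparison suggests. The function also accepts more than one sensitive bit, generalizing the single-bit case in the text.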

Also, on June 29, Google issued the following statement to us regarding RAMpage:

We have worked closely with the team from Vrije Universiteit, and though this vulnerability isn't a practical concern for the overwhelming majority of users, we appreciate any effort to protect them and advance the field of security research. While we recognize the theoretical proof of concept from the researchers, we are not aware of any exploit against Android devices.

You should be aware of RAMpage, but there is no need to be worried that anything will happen to you. Continue to use common sense and only install apps that come from a place you trust (sticking to Google Play is a fine idea) and carry on as normal.

Updated June 29, 2018: Added statement from Google.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

  • Jerry - thank you so much for this article. Very well watered down to a level that us mere mortals can understand. You are truly the people's nerd! Keep up the good fight! :)
  • "You would have to get the application through other means and sideload it." Which is why I'm not OCD about security updates like some people are. Sure, I'm glad I get them every month, but my phones are protected quite well enough by common sense.
  • True, the monthly security patches are overhyped and their immediacy on Pixel phones is used as rationale to buy their high priced, low feature phones. (No microSD storage, no headphone jack, no wireless charging, less RAM) In the Device Maintenance app on Samsung phones, free anti malware device scans are powered by McAfee which is good enough, given downloading protections that exist in the Google Play Store... And/or use the Knox technology for data you can't risk.
  • Hope this doesn't come across harsh but in regard to the McAfee AV point (any 3rd party AV "solution"). Do you really think that 3rd party AV is worth anything when, often, they can ride the market on their brand, have minimal brand impact from failure (prevention, detection or correction) and support so many OSs to weaken their focus... vs. the OS manufacturer who has a horizonless budget and everything to lose if they don't protect their own ecosystem... and also has kernel source code
  • The monthly security patch is only just that.... A monthly security patch. I had no idea mentioning the free McAfee service embedded in Samsung 'Device Maintenance' would trigger anybody. The fact McAfee does the free scans is trivial, but which some commentators interpreted as being important. I view the free Device Maintenance security (scans your phone on demand, And NOT to be confused as active antivirus) as appropriate for an Android phone. It checks for updates and does a scan. If it was useless, I have no doubt lawsuits would have been filed long ago in 🇺🇲. Active antivirus makes sense on a PC.... And the free Microsoft Defender is the only solution most anyone would need. I accept many consumers dismiss Defender because it is free. Again, if it was useless, Microsoft would get sued... Or more importantly, consumers would have more serious data breaches. Last point... It won't matter what data protection any of us have in the event of a significant deployment of a cyber weapon.
  • So, you're trying to justify slow security updates?
  • What security patches? Did you ever read the article about the OEM just changing the date or something like that and calling it a security update?
  • Did you hear the podcast from AC explaining what was actually going on?
    They did a great job explaining why that article was, as usual, overhyped.
  • Well they suggested some possible reasons.
    As far as I'm aware no official explanation has been given.
  • Google actually issued a statement that pretty much covered the reason why most of the major manufacturers appeared to have not updated - basically the criteria used by that one company to assess if the update was done was so specific that it ignored many updates done. Eg if there was an update that included something to do with Bluetooth 5... manufacturers would remove that bit if their phones only had Bluetooth 4 and therefore that bit was irrelevant... Then they issue the rest of the update... but because it was not exactly the same as the official Google update, this research would count that as the update was not done. The "research" was pretty much panned from all informed sectors as a sales pitch for their (less than optimal) product. “We would like to thank Karsten Nohl and Jakob Kell for their continued efforts to reinforce the security of the Android ecosystem. We’re working with them to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google suggested security update.”
  • Sure, for ones like this. But there are other vulnerabilities that don't take as much work, like the Broadcom wifi vulnerability. There, you didn't need to connect to a malicious wifi network, you just had to come within range of it. Though I don't think it was actually much out in the wild if at all.
  • The vocal 7% Android rooting crowd assume risks like this hack the moment they poke around their phones. But once again, although it sounds ominous, the chances are slim that you would be affected. Thanks Jerry for writing a nice explanation for common users, like myself. I don't deny there is security risk to Android, but I agree with the suggestion that the only reason a catastrophic hacker attack hasn't occurred is because those who can, don't want to do so. Why Hackers Aren’t Afraid of Us https://nyti.ms/2lcBAo0 If you don't want to click on the link, google: "why hackers aren't afraid of us and new york times"
  • I'm not worried as I have a Pixel and I know Google will push out an update to plug this latest security exploit.
  • And I'm not worried cause I have a Galaxy and common sense. Just like I'm not worried about any other "exploit"
  • Samsung can't be trusted with security updates only Google, Pixel and Android One devices can. Samsung are known to miss security updates How do you like them Apple's Samsung shill?
  • Shill? Really? You feel the need to call people names for your inadequacies? Guess so ...
  • Like you haven't called people names. I'm calling these people out for their obvious bias towards Samsung and before you say anything, I know I'm biased towards Google, now stop trolling me, I don't fancy you ok but I'm flattered.
  • And we call you out for your bias towards others that don’t use a pixel and don’t see eye to eye with you. It’s really annoying and undeserved. Flattered? Don’t be. I’d rather be spoon fed toxic radiation from Chernobyl than listen to you whine about other people’s choices. And before you say ... don’t read my comments ... I can’t help it.... in a sociopathic way.
  • Why not take your advice because I'll defend the Pixel against the haters and Samsung fanboys and tough luck if you so like it.
  • Pixel is a steaming piece of garbage and you are the unanimous cancer of the Android Central comments section so move on and get a haircut.
  • Your phone is the one that is "a steaming pile of garbage" like your comment, the Pixel is perfection now get lost. I don't fancy you Samsung troll.
  • We don’t care who you fancy or not. The pixel isn’t perfection. No phone is. Get over or under it. Don’t care which ... just choose.
  • Yeah I don't think I'm going to worry about this one at all. Talk about a long shot. The odds of being affected by this seem incredibly small.
  • Finally. Someone puts expertise and logic towards explaining an issue to the non experts rather than taking the "sky is falling" attention-getting angle. The usual press has made me bury my face in my palm in the way they blindly see a cool exploit name, don't understand anything about the root cause or means of execution, yet lead the vast majority of readers who don't have degrees in computer engineering to believe their phone/pc/tv is spying on everything they do or harvesting their identity info
  • Jerry be on a Rampage explaining this! He’s exploited every thing we need to know and feels secure doing so! We should keep an ION this article in case we need bits of information later! 😊
  • ION ... I see what you did there!
  • HAH! You should get a job here :)
  • Jerry, Thank you for providing this information while also assuring me that I do need to be careful but should not be too concerned. :)
  • Thank you, Jerry - I appreciate your article & straightforward explanation! Thanks
  • Looks like you have the most risk if you use app stores outside of the Play Store. I gave up on 3rd party app stores a few years back, so I should be less vulnerable compared to others who download apks from the web and 3rd party app stores. Now that Android is the top dog, the hackers are trying to find ways to exploit the users.
  • Jerry my Malwarebytes antivirus found the testing app as malicious...do we have Rampage tester on Android store yet?
  • It should see it as malicious. While the test app itself isn't malicious, it does the exact same thing a malicious app would do, so it triggers AV. Google would need to make an exception to allow it in the app store, but AV would still trigger.
  • dpeters11 is exactly right. The testing app performs the Rowhammer attack to see if it can flip a bit in your phone's RAM. That's malicious behavior. The testing app doesn't do anything once it's managed to bit flip, but your security software doesn't know that and doesn't care. It's an app with a bad behavior and that's enough.
  • As always, thanks Jerry for NOT spreading FUD.
  • Wouldn't this apply to anything using RAM? So basically every computing device out there
  • The Rowhammer effect applies to every device with DDR2, 3, or 4 RAM and can take user input. So yep. Almost all of them. The hard part is getting the running system to send the "data" needed to write and refresh a row of bits in RAM over and over. This particular exploit attacks the ION kernel driver and gets it to pass the data through to the hardware. I would guess there are ways to adapt this to any system through a similar DMA attack. But this particular exploit is Android only.
  • A whole nother year has passed and no sign of RAMpage or Rowhammer in my purview. Guess I came up lucky ;-)