Date: 2018-06-28

The latest security exploit to affect millions of devices is called RAMpage. It's a variation of previous attacks that use the Rowhammer hardware vulnerability to run malicious code by changing what's stored in your device's memory (RAM), and it has the potential to cause data loss and allow unauthorized access. In other words, someone using RAMpage could get into your phone and have control.

Scary headlines that say "Every Android device since 2012" are effective in getting the word out, but they leave plenty of questions. We can answer some of those in language everyone can understand.

What is Rowhammer?

You need to start here to understand how this exploit works. Rowhammer is a term used to describe a hardware issue that affects computer RAM. It's not technically an exploit and happens because of the laws of physics.

Modern RAM chips are packed so densely that electricity can "leak" from one part and affect another.

DDR2 and newer RAM is packed so densely that you can electrically manipulate one area of RAM and it will affect another through electrical crosstalk or something like transistor leakage — where one component radiates more stray electricity than its neighbors can handle. Theoretically, this can affect any silicon-based computer hardware like video cards or CPUs.

An attack that exploits the Rowhammer effect could do what's called "bit flipping" and turn a single bit in RAM from one state to the other — turn it on or off, depending on how it was set before the attack. If the right bit was flipped, an attacker could change permissions for their app and give it complete control of your phone.
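
To make the effect concrete, here is a toy simulation added as an illustration (it is not code from RAMpage or from any vendor, and it touches no real memory). The threshold, row count and weak-cell position are made-up assumptions; the point is that a row nobody reads or writes can still change when its neighbor is opened often enough between refreshes.

```python
"""Toy model of the Rowhammer disturbance effect (constructed, not real DRAM)."""

# Assumed, illustrative number: neighbor activations a weak cell
# tolerates between two refreshes. Real chips differ.
FLIP_THRESHOLD = 1000


class ToyDram:
    def __init__(self, rows, refresh_every, weak_cells):
        self.data = [0xFF] * rows            # one byte per row, every bit set
        self.disturb = [0] * rows            # leakage collected since last refresh
        self.refresh_every = refresh_every   # activations between full refreshes
        self.weak_cells = weak_cells         # {row: bit index} of leaky cells
        self.activations = 0

    def activate(self, row):
        """Model one activation of `row`: both physical neighbors are disturbed."""
        for victim in (row - 1, row + 1):
            if 0 <= victim < len(self.data):
                self.disturb[victim] += 1
                self._maybe_flip(victim)
        self.activations += 1
        if self.activations % self.refresh_every == 0:
            # A refresh recharges every cell, so the leakage counters reset.
            self.disturb = [0] * len(self.data)

    def _maybe_flip(self, victim):
        bit = self.weak_cells.get(victim)
        if bit is not None and self.disturb[victim] >= FLIP_THRESHOLD:
            self.data[victim] &= ~(1 << bit) & 0xFF   # charge leaked: 1 becomes 0


def run(refresh_every, accesses=4000):
    """Open row 1 over and over; row 2 is never accessed but has a weak cell."""
    dram = ToyDram(rows=5, refresh_every=refresh_every, weak_cells={2: 4})
    for _ in range(accesses):
        dram.activate(1)
    return dram.data


if __name__ == "__main__":
    print("slow refresh:", [hex(b) for b in run(refresh_every=4000)])
    print("fast refresh:", [hex(b) for b in run(refresh_every=500)])
```

With the slow refresh, row 2 ends up holding 0xEF instead of 0xFF even though the loop only ever touched row 1; with the fast refresh, the leakage never builds up far enough and every row stays intact.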

RAMpage attacks ION on Android devices. What is ION?

There are a lot of ways to initiate a Rowhammer attack. There are even examples (now patched by most every company that needs to make patches) using network packets or JavaScript, which means it could happen just by visiting a webpage. RAMpage uses the ION subsystem to initiate the attack.

ION lets apps talk to the system about how much RAM they need while they are running, then makes it happen in a safe and universal way.

ION is a universal generic memory management system that Google added to the Android kernel in Ice Cream Sandwich. You need a subsystem to manage and allocate memory because a program could need 10 bits (for example) of memory, but "standard" ways of allocating memory mean 16 bits would be used. That's how most computers count — they go from 0 to 4 to 8 to 16 to 32 and so on. If every running process reserved more memory than it needed, you would have a lot of empty memory that thinks it needs to be used.

Companies that make smartphone chips, like Qualcomm or Samsung, all had their own memory allocation tool. In order to allow Android to use the "regular" (mainline) Linux kernel source, Google added ION to the Android kernel so all manufacturers could switch to using it and the system would be more universal. And they did.

How does RAMpage work?

RAMpage attacks the ION subsystem and causes it to frantically write and refresh a row of bits in the physical memory in the hopes that it will eventually flip a bit in the adjacent row. This can potentially allow for one application to gain access to another application's data, or even allow that application to act as the system administrator and have full control.