RAMpage Vulnerability Affects Every Android Device Since 2012
A team of academics from three different universities and two private companies has just discovered a new vulnerability that affects almost every Android device since 2012. The vulnerability is known as RAMpage, and it could be used to gain complete control over the device.
Android ION is a subsystem that manages how memory is allocated, specifically between apps and the operating system. Google introduced this system in Android 4.0 Ice Cream Sandwich to consolidate the memory management systems implemented by each system-on-a-chip vendor. At the time, there were three major players: Qualcomm, TI OMAP, and Nvidia.
RAMpage attacks the ION subsystem, eliminating the barrier between apps and the operating system and giving the attacker full control over the device and all of its data.
What Is RAMpage?
RAMpage is a variation of the Rowhammer attack. Rowhammer is a hardware bug which occurs when an attacker sends multiple read/write requests to the same row of memory cells. These repeated requests create an electrical field that alters the data found in other nearby memory cells.
According to the researchers, "while apps are typically not permitted to read data from other apps, a malicious program can craft a RAMpage exploit to get administrative control and get hold of secrets stored in the device." These secrets can include passwords, personal photos, and more.
While testing was only done on an LG G4, the research teams stated that every smartphone in the last six years is affected. The reason is that the vulnerability exists on LPDDR2, LPDDR3, and LPDDR4 RAM, the RAM used by all smartphones since 2012.
Does this affect Windows or Apple products?
Maybe. The researchers themselves aren't very clear on the issue but claim that RAMpage could affect iOS, macOS, Windows PCs, and even cloud servers. You can read their research paper in its entirety using this link (PDF).
What Can You Do?
As with most vulnerabilities, Android users have some options, but most of us will ultimately have to wait. Google is aware of the vulnerability (tracked as CVE-2018-9442), so expect a patch in the July monthly security update. This information is being released late in June, so depending on when Google was made aware of the issue (researchers often notify the company first before going public), the monthly patch may come later than usual, or the fix may arrive as a separate patch.
Unfortunately, with most OEMs having a terrible track record for monthly patches (with the exception of Pixels, Blackberries, the Essential PH-1, and devices in the Android One program), your device might remain vulnerable for some time. For those of us on older devices (I myself use an LG G4), there will be no patches or updates issued.
The researchers have released an app that can identify whether your device is vulnerable to RAMpage. It isn't available on the Play Store, but you can download the APK using this link; you will have to sideload it from an SD card.
Google has recognized this flaw (CVE-2018-9442). However, it does not presently consider the flaw to be as important as the researchers believe it is. On June 29, Google issued the following statement regarding RAMpage:
"We have worked closely with the team from Vrije Universiteit, and though this vulnerability isn't a practical concern for the overwhelming majority of users, we appreciate any effort to protect them and advance the field of security research. While we recognize the theoretical proof of concept from the researchers, we are not aware of any exploit against Android devices."
Last updated on: Friday 20th July 2018