Every Android device is vulnerable to RAMpage attack since 2012

We have consistently seen various vectors of attack rear their head when it comes to Android smartphones. We’ve seen Shattered Trust, Cloak and Dagger, and Rowhammer, just to name a few. RAMpage is the latest one on the block, and while it is a hardware vulnerability, it doesn’t necessarily need physical access to your device to exploit. How it works is relatively simple.

A group of university researchers have discovered that this vulnerability could theoretically work on any device with LPDDR memory, which includes virtually every smartphone released since 2012, including some Apple devices.

When a CPU reads or writes a row of bits in the RAM module present on the device, the neighbouring rows are slightly affected due to a tiny electric discharge. This isn’t usually a problem as we know RAM does this and that’s why it’s periodically refreshed to make sure nothing goes wrong. But what if we start “hammering” the same “row”? What if we continuously read or write to the same row in order to disrupt neighbouring rows? This can cause a bit-flip in a memory row that we shouldn’t own or have access to at all. That’s what Rowhammer is, and it’s being used as part of a larger vulnerability called RAMpage. The CVE is CVE-2018-9442 and it affects devices shipped with LPDDR2, LPDDR3, or LPDDR4 RAM.

RAMpage can be used to gain root access on a device, but the researchers managed to get it to do a whole lot more as well. It could be used to bypass JavaScript sandboxes and even perform an attack running on another virtual machine on the same computer on x86 devices. ARM-based devices are also vulnerable, and that’s where our Android phones come in. DRAMMER stands for “Deterministic Rowhammer Attacks on Mobile Devices”.

The attack allows a hacker access to the entire operating system. This includes accessing the data stored by other applications, which the Android security model is meant to prevent. An attacker can gain full control of a device allowing them to obtain stored passwords, personal photos, emails, instant messages and even business-critical documents.