A new vulnerability named RAMpage is putting all Android devices released since 2012 at risk of being hacked, an international team of academics revealed yesterday.
The attack enables malicious applications to break out of their sandbox and gain access to the device's underlying operating system. The Android security model is intended to prevent apps from accessing data stored by other apps.
“RAMpage breaks the most fundamental isolation between user applications and the operating system,” the researchers said in their research paper. “While apps are typically not permitted to read data from other apps, a malicious program can craft a RAMpage exploit to get administrative control and get hold of secrets stored in the device.” The research team added, “This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents”.
RAMpage (tracked as CVE-2018-9442) is a variant of Rowhammer, an attack that exploits physical weaknesses in modern memory chips and that Google Project Zero researchers alerted the industry to in March 2015. “Rowhammer is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows”, said the Project Zero team. DRAM uses densely packed cells; when rows are aggressively targeted with read and write operations, cells can leak their electrical charge and flip bits in adjacent rows, which allows data stored in nearby memory to be altered.
RAMpage, the new variation of Rowhammer, comes from several of the same researchers behind Drammer and continues that work. The research is still in its infancy; however, the team of eight academics is able to say that the RAMpage attack can take over Android-based smartphones and tablets. The researchers ran a successful test of their proof of concept (PoC) on an LG G4 device, and they believe “every mobile device that is shipped with LPDDR2, LPDDR3, or LPDDR4 memory is potentially affected, which is effectively every mobile phone since 2012”. RAMpage may additionally affect Apple devices, home computers, and possibly even cloud servers.
In addition to revealing details about the bug, the researchers also described a prototype defense mechanism they have created to tackle it. Named Guardion, it could block all DMA-based Rowhammer exploits on mobile devices, including RAMpage and Drammer. Guardion has been released on GitHub as open-source code.
The RAMpage research team hails from a mixture of universities and private companies, including Vrije University, Amsterdam; Amrita University, India; UC Santa Barbara; TU Wien; EURECOM and IBM.