A new cybersecurity threat has emerged that exploits radio signals generated by a device’s random access memory (RAM) to steal data from air-gapped networks, which are typically isolated from the internet for security purposes. This novel side-channel attack, dubbed “RAMBO,” was developed by Dr. Mordechai Guri, head of the Offensive Cyber Research Lab in the Department of Software and Information Systems Engineering at Ben Gurion University of the Negev, Israel. The RAMBO attack leverages RAM’s electromagnetic emissions as a covert data exfiltration channel, posing a significant risk to the confidentiality of data in secure environments.
How RAMBO Works
The RAMBO attack represents a sophisticated method of data theft, using software to generate radio signals from a computer’s RAM. According to Dr. Guri’s recently published research, malware can encode sensitive data, such as files, images, keystrokes, biometric information, and encryption keys, into these radio signals. An attacker equipped with software-defined radio (SDR) hardware and a basic antenna can intercept these signals from a distance, decode them, and convert them back into the original data.
Dr. Guri explained, “The malware manipulates the RAM to emit electromagnetic signals at clock frequencies, which are then encoded using Manchester encoding. This encoded data, which could include keystrokes, documents, and biometric information, can be intercepted remotely using SDR technology to decode and retrieve the exfiltrated information.”
The implications of this attack are profound, especially for air-gapped networks, which are typically considered highly secure due to their lack of direct connectivity to external networks. However, RAMBO highlights a critical vulnerability in these isolated environments by demonstrating that data can still be leaked via unintended electromagnetic emissions.
A Legacy of Innovative Cyber Attacks
Dr. Guri is no stranger to discovering innovative ways to breach air-gapped systems. Over the years, his research has unveiled various unconventional methods to extract confidential data from offline networks. Some of his previous work includes:
- SATAn: A technique exploiting Serial ATA cables for data exfiltration.
- GAIROSCOPE: Using MEMS gyroscopes to detect and transmit data.
- ETHERLED: Leaking data via LEDs on network interface cards.
- COVID-bit: Extracting data by monitoring dynamic power consumption.
- GPU-FAN: Utilizing acoustic signals from graphics processing unit (GPU) fans.
- EL-GRILLO: Exploiting ultrasonic waves from built-in motherboard buzzers.
- PrinterLeak: Leveraging display panels and status LEDs on printers to transmit data.
Dr. Guri’s notable past work also includes AirKeyLogger, a hardwareless radio frequency keylogging attack that uses radio emissions from a computer’s power supply to transmit real-time keystroke data to a remote receiver.
“To leak confidential data, the processor’s working frequencies are manipulated to generate a pattern of electromagnetic emissions from the power unit modulated by keystrokes,” Dr. Guri noted in his study. “The keystroke information can be received at distances of several meters away via an RF receiver or a smartphone with a simple antenna.”
RAMBO Attack Details and Implications
Like other attacks of its kind, RAMBO requires the initial compromise of the air-gapped network through methods such as a rogue insider, infected USB drives, or supply chain attacks. Once the malware is deployed, it manipulates the RAM to emit radio signals at clock frequencies, which are then intercepted and decoded by the attacker.
The RAMBO technique can be used to leak data from air-gapped computers running Intel i7 3.6GHz CPUs and 16 GB RAM at a rate of 1,000 bits per second. For instance, keystrokes can be exfiltrated in real-time at 16 bits per key, while a 4096-bit RSA encryption key can be stolen in approximately 42 seconds at low speed. Biometric information, small files such as .jpg images, and documents in .txt or .docx formats can be extracted in around 400 seconds at lower speeds and even faster at higher transmission rates.
“This indicates that the RAMBO covert channel can be used to leak relatively brief information over a short period,” Dr. Guri said.
Countermeasures Against RAMBO
To mitigate the risks associated with the RAMBO attack, several countermeasures can be employed:
- Red-Black Zone Enforcement: Establish strict physical and logical barriers between high-security zones (red) and non-secure zones (black) to prevent unintended information transfer.
- Intrusion Detection Systems (IDS): Deploy IDS solutions to monitor and detect unusual memory access patterns that may indicate malicious activity.
- Radio Jammers: Use radio frequency jammers to disrupt potential electromagnetic emissions, preventing the successful transmission of data.
- Faraday Cages: Implement Faraday cages around sensitive equipment to block electromagnetic signals from escaping or entering the environment.
- Hypervisor-Level Monitoring: Monitor memory access at the hypervisor level to detect anomalies that could signal an ongoing side-channel attack.
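Why the radio-jammer countermeasure degrades a Manchester-coded channel, shown as an added example that is not from Dr. Guri's research or the original article. It assumes the IEEE 802.3 bit convention, an on/off receiver, and a jammer modelled as forcing random half-bit slots to "signal present"; all function names are hypothetical.

```python
import random

# Assumed convention (IEEE 802.3): bit 1 -> (0, 1), bit 0 -> (1, 0).
# Every valid symbol has a transition in the middle of the bit period.
def manchester_encode(bits):
    out = []
    for b in bits:
        out.extend((0, 1) if b else (1, 0))
    return out

def manchester_decode(halves):
    """Return (bits, violations). A pair without a mid-bit transition
    ((0,0) or (1,1)) is not a valid symbol and decodes to None."""
    bits, violations = [], 0
    for i in range(0, len(halves) - 1, 2):
        pair = (halves[i], halves[i + 1])
        if pair == (0, 1):
            bits.append(1)
        elif pair == (1, 0):
            bits.append(0)
        else:
            bits.append(None)
            violations += 1
    return bits, violations

def jam(halves, duty, seed=0):
    """Assumed jammer model: a fraction `duty` of half-bit slots is
    forced to 1 (energy present) regardless of what was sent."""
    rng = random.Random(seed)
    return [1 if rng.random() < duty else h for h in halves]

def to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def channel_report(payload, duty, seed=0):
    """Send a constructed payload through the jammed channel and count
    symbols the receiver must discard and bits it gets wrong."""
    sent = to_bits(payload)
    got, violations = manchester_decode(jam(manchester_encode(sent), duty, seed))
    wrong = sum(1 for s, g in zip(sent, got) if s != g)
    return {"bits": len(sent), "violations": violations, "wrong": wrong}

if __name__ == "__main__":
    for duty in (0.0, 0.1, 0.3, 1.0):
        print(duty, channel_report(b"constructed sample", duty))
```

Under this model every corrupted bit shows up as a coding violation, so the receiver cannot silently recover data once enough slots are filled with jammer energy.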
The RAMBO attack underscores the evolving landscape of cybersecurity threats, particularly in environments considered secure by traditional standards. As attackers continue to develop novel methods to bypass security barriers, organizations must adapt and implement comprehensive defensive strategies to safeguard critical information.