A novel side-channel attack has been discovered that leverages radio signals emitted by a device’s random access memory (RAM) to exfiltrate data from air-gapped networks. Dubbed RAMBO (Radiation of Air-Gapped Memory Bus for Offense), this technique poses a significant threat to highly secure environments that rely on physical isolation to protect sensitive information.
Discovery and Research
The RAMBO attack was unveiled by Dr. Mordechai Guri, head of the Offensive Cyber Research Lab in the Department of Software and Information Systems Engineering at Ben Gurion University of the Negev in Israel. In his recently published research paper, Dr. Guri explains:
“Using software-generated radio signals, malware can encode sensitive information such as files, images, keylogging, biometric information, and encryption keys.”
By utilizing software-defined radio (SDR) hardware and a simple off-the-shelf antenna, attackers can intercept transmitted radio signals from a distance. Dr. Guri adds:
“The signals can then be decoded and translated back into binary information.”
Mechanism of the RAMBO Attack
The RAMBO technique involves malware manipulating the RAM to generate radio signals at clock frequencies. These signals are then encoded using Manchester encoding and transmitted, allowing them to be received and decoded by an attacker equipped with SDR technology. The encoded data can include keystrokes, documents, biometric information, and other sensitive data.
An attacker can leverage SDR to receive the electromagnetic signals, demodulate them, and retrieve the exfiltrated information. Dr. Guri notes:
“The malware utilizes electromagnetic emissions from the RAM to modulate the information and transmit it outward. A remote attacker with a radio receiver and antenna can receive the information, demodulate it, and decode it into its original binary or textual representation.”
Previous Related Research
Dr. Guri has previously devised various methods to extract confidential data from air-gapped networks by exploiting unconventional channels, such as:
- Serial ATA cables (SATAn)
- MEMS gyroscopes (GAIROSCOPE)
- LEDs on network interface cards (ETHERLED)
- Dynamic power consumption (COVID-bit)
- GPU fans (GPU-FAN)
- Motherboard buzzers (EL-GRILLO)
- Printer display panels and status LEDs (PrinterLeak)
- Power supply emissions for keylogging (AirKeyLogger)
Each of these methods takes advantage of different hardware components to create covert communication channels for data exfiltration.
Requirements and Limitations
As with other side-channel attacks, RAMBO requires that the air-gapped network is first compromised through other means, such as:
- Rogue insiders
- Infected USB drives
- Supply chain attacks
Once the malware is installed, it manipulates the RAM to generate electromagnetic emissions that carry the sensitive data.
The research demonstrated that on air-gapped computers running Intel i7 3.6GHz CPUs with 16 GB RAM, data could be exfiltrated at a rate of 1,000 bits per second. Keystrokes could be captured in real-time using 16 bits per key. For example, a 4,096-bit RSA encryption key could be exfiltrated in approximately 41.96 seconds at lower speeds or 4.096 seconds at higher speeds.
Dr. Guri states:
“This indicates that the RAMBO covert channel can be used to leak relatively brief information over a short period.”
Mitigation Strategies
To defend against the RAMBO attack, several countermeasures can be implemented:
- Enforce “Red-Black” Separation: Implement strict physical separation between secure (red) and non-secure (black) zones to prevent unauthorized transmission of electromagnetic signals.
- Intrusion Detection Systems (IDS): Use IDS to monitor and detect unusual memory access patterns that could indicate malicious activity.
- Hypervisor-Level Monitoring: Track memory access at the hypervisor level to identify and prevent unauthorized manipulations.
- Radio Frequency Jamming: Deploy RF jammers to block unauthorized wireless communications within sensitive areas.
- Faraday Cages: Encase sensitive equipment in Faraday cages to prevent electromagnetic emissions from being intercepted.
Conclusion
The RAMBO attack highlights the evolving nature of cyber threats, especially against systems presumed secure due to physical isolation. Organizations responsible for safeguarding critical and sensitive data must remain vigilant and adopt comprehensive security measures that address both conventional and unconventional attack vectors.
By understanding and addressing these emerging threats, cybersecurity professionals can better protect air-gapped networks and the sensitive information they contain.
