RAMBO: A Novel Side-Channel Attack Exploiting Radio Signals from RAM



Introduction

A new side-channel attack, known as RAMBO, has been identified, which utilizes radio signals emitted by random access memory (RAM) as a data exfiltration method. This discovery introduces a significant threat to air-gapped systems, which are typically designed to prevent unauthorized access by being isolated from external networks. The attack, developed by Dr. Mordechai Guri, head of the Offensive Cyber Research Lab at Ben Gurion University in Israel, demonstrates how sensitive data can be stolen from even the most secure environments.

RAMBO: The Attack Method

Dr. Guri's research shows how malware can generate radio signals through RAM, allowing attackers to steal sensitive information such as files, keystrokes, biometric data, and encryption keys. The malware drives memory access patterns that cause the RAM to emit electromagnetic energy at specific radio frequencies, and the data to be exfiltrated is encoded onto those emissions using Manchester encoding. The transmitted signals can then be intercepted with simple hardware, such as software-defined radio (SDR) equipment and an antenna.

Because the malware modulates the RAM's electromagnetic emissions, a remote attacker can capture the radio signals, decode them, and recover the exfiltrated data without any network connection to the air-gapped machine. In particular, Dr. Guri's research found that the attack could exfiltrate information from computers running Intel i7 processors with 16 GB of RAM at a rate of 1,000 bits per second.
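The article names Manchester encoding as the line code the data is carried in. To make that concrete from the receiver's (and a defender's) point of view, the following added example, not code from the RAMBO paper or from Dr. Guri's lab, encodes a byte string into Manchester half-bit "chips", decodes it back, and flags corrupted symbols. The bit-to-chip convention (1 becomes the pair (1, 0), 0 becomes (0, 1)) is an assumption; the property it illustrates, that every symbol contains a mid-bit transition so a receiver can recover the clock and detect corruption, holds for either convention. The sample input is constructed.

```python
from typing import List

# Assumed convention for this example (the opposite convention is equally common):
#   data bit 1 -> half-bit pair (1, 0)
#   data bit 0 -> half-bit pair (0, 1)
ONE = (1, 0)
ZERO = (0, 1)


def manchester_encode(data: bytes) -> List[int]:
    """Encode bytes MSB-first into a list of Manchester chips (2 chips per bit)."""
    chips: List[int] = []
    for byte in data:
        for shift in range(7, -1, -1):
            bit = (byte >> shift) & 1
            chips.extend(ONE if bit else ZERO)
    return chips


def manchester_decode(chips: List[int]) -> bytes:
    """Decode a chip stream back into bytes.

    Raises ValueError on a chip pair with no mid-bit transition ((0, 0) or (1, 1)),
    which is how a receiver notices a corrupted or mis-aligned symbol.
    """
    if len(chips) % 16 != 0:
        raise ValueError("chip stream length must be a multiple of 16 (8 bits x 2 chips)")
    bits: List[int] = []
    for i in range(0, len(chips), 2):
        pair = (chips[i], chips[i + 1])
        if pair == ONE:
            bits.append(1)
        elif pair == ZERO:
            bits.append(0)
        else:
            raise ValueError(f"invalid Manchester symbol {pair} at chip offset {i}")
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def longest_run(chips: List[int]) -> int:
    """Length of the longest run of identical chips.

    A valid Manchester stream never exceeds 2, because every bit contains a
    transition; longer runs indicate noise, clock slip or a non-Manchester signal.
    """
    best = run = 0
    prev = None
    for chip in chips:
        run = run + 1 if chip == prev else 1
        prev = chip
        best = max(best, run)
    return best


def roundtrip_ok(data: bytes) -> bool:
    """Encode then decode and confirm the payload survives intact."""
    return manchester_decode(manchester_encode(data)) == data


if __name__ == "__main__":
    sample = b"RAMBO"  # constructed sample payload
    chips = manchester_encode(sample)
    print(f"{len(sample)} bytes -> {len(chips)} chips, longest run = {longest_run(chips)}")
    print("decoded:", manchester_decode(chips))
    corrupted = chips[:]
    corrupted[1] = corrupted[0]  # destroy the mid-bit transition of the first symbol
    try:
        manchester_decode(corrupted)
    except ValueError as err:
        print("receiver rejected corrupted stream:", err)
```

At the page's quoted rate of 1,000 bits per second, each byte costs 16 chips on the air, which is why the decoder insists the stream length is a multiple of 16; the `longest_run` check is the kind of cheap sanity test a receiver applies before trusting a frame.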

Evolution of Air-Gap Attacks

Dr. Guri is no stranger to devising innovative methods for extracting data from air-gapped systems. Over the years, he has developed multiple techniques that exploit various components of a computer to transmit data covertly. His past work includes attacks that utilize Serial ATA cables (SATAn), MEMS gyroscopes (GAIROSCOPE), and even the LED indicators on network interface cards (ETHERLED). Other methods he has pioneered involve exploiting power consumption patterns (COVID-bit) and using GPU fans to create covert acoustic signals (GPU-FAN).

One of his more recent innovations was AirKeyLogger, a keylogging attack that uses electromagnetic emissions from a computer's power supply to capture keystroke data without a hardware keylogger. In this attack, the malware modulates the processor's working frequencies, allowing the attacker to intercept keystrokes from several meters away using a radio frequency (RF) receiver or even a smartphone antenna.

Mechanism of the RAMBO Attack

Similar to Dr. Guri's previous techniques, RAMBO relies on compromising the air-gapped system through other methods, such as infected USB drives, insider threats, or supply chain attacks. Once the system is compromised, the malware manipulates the RAM to generate electromagnetic signals. These signals are then intercepted by an attacker who can decode and convert the information back into binary form.

Dr. Guri demonstrated that keystrokes can be exfiltrated in real-time at 16 bits per key, and RSA encryption keys can be leaked within 42 seconds at low speeds. Furthermore, biometric information and small files, such as images and text documents, can be transmitted within 400 seconds at slower speeds or in a matter of seconds at higher speeds.

Mitigation Strategies

To counter the RAMBO attack and similar side-channel threats, several defensive measures can be implemented. These include enforcing strict "red-black" separation zones to control the transfer of sensitive data, deploying intrusion detection systems (IDS) to monitor memory access, and using radio jammers to disrupt wireless communications. Additionally, placing systems inside a Faraday cage can block electromagnetic emissions, rendering attacks like RAMBO ineffective.

Conclusion

The RAMBO attack is yet another demonstration of how even air-gapped systems, considered highly secure, can be vulnerable to sophisticated malware designed to exploit overlooked hardware components. While the attack may require initial access through compromised means, its ability to exfiltrate sensitive data through radio signals presents a significant challenge to traditional security measures. However, with proper defenses such as radio jammers, memory monitoring, and Faraday cages, organizations can mitigate the risk posed by these advanced side-channel attacks.
