
New RAMBO Attack Uses RAM Radio Signals to Steal Data from Air-Gapped Networks

A novel side-channel attack has been developed that uses radio frequencies radiated by a device's random access memory (RAM) as a data exfiltration technique, presenting a danger to air-gapped networks.

The approach has been nicknamed RAMBO (short for "Radiation of Air-gapped Memory Bus for Offense") by Dr. Mordechai Guri, the director of the Offensive Cyber Research Lab at the Department of Software and Information Systems Engineering at the Ben Gurion University of the Negev in Israel.

"Using software-generated radio signals, malware can encode sensitive information such as files, images, keylogging, biometric information, and encryption keys," Dr. Guri said in a recently released research paper.

"With software-defined radio (SDR) technology, and a basic off-the-shelf antenna, an attacker may intercept transmitted raw radio signals from a distance. The signals may then be deciphered and transformed back into binary information."

Over the years, Dr. Guri has devised a range of techniques for extracting data from offline networks by taking advantage of Serial ATA cables (SATAn), MEMS gyroscopes (GAIROSCOPE), LEDs on network interface cards (ETHERLED), and dynamic power consumption (COVID-bit).

Some of the other unconventional approaches devised by the researcher entail leaking data from air-gapped networks via covert acoustic signals generated by graphics processing unit (GPU) fans (GPU-FAN), (ultra)sonic waves produced by built-in motherboard buzzers (EL-GRILLO), and even printer display panels and status LEDs (PrinterLeak).

Last year, Dr. Guri also presented AirKeyLogger, a hardwareless radio frequency keylogging attack that weaponizes radio emissions from a computer's power supply to exfiltrate real-time keystroke data to a remote attacker.

"To leak confidential data, the processor's working frequencies are manipulated to generate a pattern of electromagnetic emissions from the power unit modulated by keystrokes," Dr. Guri observed in the research. "The keystroke information can be received at distances of several meters away via an RF receiver or a smartphone with a simple antenna."

As with other attacks of this sort, the air-gapped network must first be compromised by other means (such as a rogue insider, poisoned USB drives, or a supply chain attack) so that the malware can open the covert data exfiltration channel.

RAMBO is no exception: the malware manipulates RAM so that it generates radio signals at clock frequencies, which are then encoded using Manchester encoding and transmitted so that they can be received from a distance.

The encoded data might comprise keystrokes, documents, and biometric information. An attacker on the other end may then employ SDR to receive the electromagnetic signals, demodulate and decode the data, and recover the exfiltrated information.

"The malware utilizes electromagnetic emissions from the RAM to modulate the information and transmit it outward," Dr. Guri explained. "A remote attacker with a radio receiver and antenna can receive the information, demodulate it, and decode it into its original binary or textual representation."

The study found that the approach could be used to leak data from air-gapped PCs running Intel i7 3.6GHz CPUs and 16 GB RAM at 1,000 bits per second, with keystrokes being exfiltrated in real time at 16 bits per key.

"A 4096-bit RSA encryption key can be exfiltrated at 41.96 sec at a low speed and 4.096 bits at a high speed," Dr. Guri added. "Biometric information, small files (.jpg), and small documents (.txt and .docx) require 400 seconds at the low speed to a few seconds at the fast speeds."

"This indicates that the RAMBO covert channel can be used to leak relatively brief information over a short period."
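As an added illustration (not code from the study), the Python sketch below shows the Manchester line coding named above: each bit carries a mid-bit transition, so a receiver can flag symbols that lack one, and the last helper sizes a transfer at the article's 1,000 bits per second. The IEEE 802.3 bit convention, the function names, and the sample bytes are assumptions made for this example.

```python
"""Manchester line coding as named in the article (added illustration).
Assumption: IEEE 802.3 convention (0 -> high,low; 1 -> low,high); the
article does not state which convention the study uses."""

ENCODE = {0: (1, 0), 1: (0, 1)}   # every bit carries a mid-bit transition
DECODE = {pair: bit for bit, pair in ENCODE.items()}


def bytes_to_bits(data):
    """MSB-first list of bits for a byte string."""
    return [(b >> s) & 1 for b in data for s in range(7, -1, -1)]


def bits_to_bytes(bits):
    """Inverse of bytes_to_bits; needs a whole number of bytes."""
    if len(bits) % 8:
        raise ValueError("bit count is not a multiple of 8")
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def manchester_encode(bits):
    """Expand each bit into its two half-bit signal levels."""
    return [level for bit in bits for level in ENCODE[bit]]


def manchester_decode(levels):
    """Return (bits, bad_symbols). A pair with no transition (0,0 or 1,1)
    is invalid Manchester: it decodes to None and its index is reported."""
    if len(levels) % 2:
        raise ValueError("odd number of half-bit levels")
    bits, bad = [], []
    for i in range(0, len(levels), 2):
        bit = DECODE.get((levels[i], levels[i + 1]))
        if bit is None:
            bad.append(i // 2)
        bits.append(bit)
    return bits, bad


def transfer_seconds(n_bits, bits_per_second):
    """Time on air for a payload at a given channel rate."""
    return n_bits / bits_per_second


if __name__ == "__main__":
    levels = manchester_encode(bytes_to_bits(b"k1"))   # constructed sample
    bits, bad = manchester_decode(levels)
    print(bits_to_bytes(bits), bad)
    print(transfer_seconds(4096, 1000), "s for 4096 bits at 1,000 bit/s")
```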

Countermeasures to thwart the attack include implementing "red-black" zone limitations for information transmission, utilizing an intrusion detection system (IDS), monitoring hypervisor-level memory access, using radio jammers to impede wireless connections, and deploying a Faraday cage.
