A novel side-channel attack known as RAMBO has been developed by Dr. Mordechai Guri and his team at Ben Gurion University. This attack exploits radio signals emitted by RAM sticks to exfiltrate data from air-gapped computers.
Description
RAMBO leverages the electromagnetic emissions of electronic devices to transmit data wirelessly [1], eliminating the need for a wired or wireless connection [1]. Malware deployed on the target PC manipulates memory access patterns to create controlled electromagnetic emissions from the RAM [2], which a nearby attacker can intercept using a Software-Defined Radio (SDR) equipped with an antenna [2]. The malware modulates information onto these emissions [5], which can be received [2] [5], demodulated [5], and decoded by the external attacker using SDR hardware and a standard antenna [5]. RAMBO drives the RAM to generate radio signals at clock frequencies [3] [5]; the data is encoded using Manchester encoding and transmitted for remote reception [5].

Sensitive information such as files [5], text [1], keystrokes [1] [4], passwords [1], low-resolution images [1] [3] [5], keylogging data [5], biometric information [1] [5], and encryption keys [5] can be encoded into these software-generated radio signals [5]. The data transfer rate is slow, approximately 128 bytes per second [1], or up to 1,000 bits per second [4], which makes the attack challenging to detect but suitable only for stealing small amounts of data such as text or keystrokes [4]. The technique has been shown to leak data from computers with specific hardware configurations at varying speeds [5], with RSA encryption keys [5], biometric information [1] [5], and small files being exfiltrated within seconds to minutes [5].

Physical access to the target system is required to install the malware, and the attacker must be close enough to capture the radio frequency emissions. This type of attack has been used by espionage agencies in the past to infiltrate secure environments [1], and government entities relying on air-gapped systems are particularly exposed [1]. Various unconventional methods have been devised by Dr. Guri over the years to extract confidential data from offline networks [3] [5], including Serial ATA cables [5], MEMS gyroscopes [5], LEDs on network interface cards [5], and dynamic power consumption [5].

Countermeasures include enforcing information transfer restrictions [3], utilizing intrusion detection systems [3], monitoring memory access [2] [3] [4], deploying radio jammers [3], RAM jamming [4], enhancing physical security [4], and employing Faraday cages or enclosures to block electromagnetic radiation [3] [4].
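The Manchester line code mentioned above is what gives a noisy RF receiver a recoverable clock and a way to notice corrupted or misaligned symbols. The following is an added illustration of that property, written for this page; it is not code from the cited reports or from the researchers, and it works purely on bit lists, with no RAM or radio involved.

```python
from typing import List, Optional

# IEEE 802.3 convention: bit 0 -> chips (1, 0), bit 1 -> chips (0, 1), so every
# bit carries one mid-bit transition and the receiver can recover the clock.
ENCODE = {0: (1, 0), 1: (0, 1)}
DECODE = {chips: bit for bit, chips in ENCODE.items()}

def bytes_to_bits(data: bytes) -> List[int]:
    """MSB-first bit expansion of a byte string."""
    return [(b >> s) & 1 for b in data for s in range(7, -1, -1)]

def bits_to_bytes(bits: List[int]) -> bytes:
    """Inverse of bytes_to_bits; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)

def manchester_encode(data: bytes) -> List[int]:
    """Map each payload bit to its two-chip Manchester symbol."""
    return [chip for bit in bytes_to_bits(data) for chip in ENCODE[bit]]

def manchester_decode(chips: List[int]) -> Optional[bytes]:
    """Decode a chip stream, or return None if any pair is not a symbol.

    (0, 0) and (1, 1) never occur in a correctly aligned stream, so one
    signals lost alignment or a noise-corrupted chip: reject the frame
    instead of silently misreading it.
    """
    if len(chips) % 2:
        return None
    bits = []
    for i in range(0, len(chips), 2):
        pair = (chips[i], chips[i + 1])
        if pair not in DECODE:
            return None
        bits.append(DECODE[pair])
    return bits_to_bytes(bits)

def longest_run(chips: List[int]) -> int:
    """Longest run of identical chips: at most 2 for Manchester output."""
    best = run = 1 if chips else 0
    for prev, cur in zip(chips, chips[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best
```

Comparing longest_run on raw bits against the encoded stream shows why the line code matters for a weak emission: a run of zero bytes has no transitions at all until encoded, after which no more than two identical chips ever appear in a row.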
Conclusion
The RAMBO attack poses a significant threat to air-gapped systems, with potential impacts on data security and confidentiality. Mitigation strategies such as enhancing physical security and implementing RAM jamming are crucial in defending against such attacks. As technology advances, it is essential to stay vigilant and proactive in safeguarding sensitive information from sophisticated cyber threats like RAMBO.
References
[1] https://www.tomshardware.com/tech-industry/cyber-security/researchers-snoop-data-from-air-gapped-pcs-ram-sticks-by-monitoring-em-radiation-from-23-feet-away
[2] https://www.blackhatethicalhacking.com/news/new-rambo-attack-extracts-secrets-from-air-gapped-systems-via-electromagnetic-signals/
[3] https://thehackernews.com/2024/09/new-rambo-attack-uses-ram-radio-signals.html
[4] https://cybermaterial.com/rambo-attack-steals-data-via-ram-radiation/
[5] https://www.techidee.nl/nieuwe-rambo-aanval-gebruikt-ram-radiosignalen-om-gegevens-te-stelen-van-netwerken-zonder-luchtspleet/13931/