A Radio-Based Method for Data Theft
A newly discovered side-channel attack named RAMBO uses radio frequencies emitted by a computer’s random access memory (RAM) to steal sensitive data. This poses a significant risk even for networks that are not connected to the internet.
The method was developed by Dr. Mordechai Guri, head of the Offensive Cyber Research Lab at Ben Gurion University in Israel. Dr. Guri, who also teaches software and information systems engineering, explains in his research that malicious software can use these radio signals to transmit private information like encryption keys, files, images, and keystrokes.
How the Attack Works
In this attack, malware installed on a device manipulates RAM activity to create radio frequency (RF) signals. An attacker picks up these signals using a simple antenna and a software-defined radio (SDR) device. Once captured, the signals are decoded back into the original data, which could include highly sensitive information.
Dr. Guri has a long history of developing methods to steal data from isolated systems, also known as air-gapped networks. His previous work includes methods like using SATA cables (SATAn), MEMS gyroscopes (GAIROSCOPE), and the power consumption of devices (COVID-bit) to create hidden data channels.
Dr. Guri has also demonstrated some unusual ways to exfiltrate data from networks that are not connected to the internet. Some of these include using the sound from GPU fans (GPU-FAN), ultrasonic signals from motherboard buzzers (EL-GRILLO), and even printer LEDs (PrinterLeak).
One of his notable previous attacks is AirKeyLogger, which uses radio waves emitted from a computer’s power supply to steal keystrokes. This allows an attacker to receive keylogging data in real time from a distance using a radio receiver or even a smartphone with a simple antenna.
Infiltrating Air-Gapped Networks
To pull off this type of attack, the malware must first be introduced into the air-gapped system, usually through a method like a malicious USB drive or a compromised employee. Once installed, the malware can manipulate the RAM to send out RF signals at specific clock frequencies.
The data is encoded using Manchester encoding and transmitted as RF signals, which a nearby attacker picks up using SDR equipment. The attacker can then decode the signals and retrieve information such as documents, biometric data, or keystrokes.
The Threat in Numbers
Researchers tested this attack on computers with Intel i7 3.6GHz processors and 16GB of RAM. The data transmission speed was around 1,000 bits per second, allowing keystrokes to be intercepted in real time with 16 bits per key.
For example, a 4096-bit RSA encryption key can be stolen in about 42 seconds at a lower transmission speed. Small files like .jpg images or text documents could take between a few seconds and several minutes, depending on the speed of the transmission.
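To make the Manchester encoding and the bit rates above concrete, here is an added example (not code from the research or from this article) that works on an abstract 0/1 symbol stream. It shows why interference of the kind a jammer produces yields invalid symbol pairs that the decoder cannot recover. The IEEE 802.3 bit convention, the 16-bit sample value and all function names are assumptions made for illustration.

```python
# Added illustration: Manchester line coding on an abstract 0/1 symbol stream.
# Assumed convention (IEEE 802.3): bit 1 -> (0, 1), bit 0 -> (1, 0).
# Every data bit therefore carries a mid-bit transition; the pairs (0, 0)
# and (1, 1) never occur in a clean signal.

def bytes_to_bits(data):
    """Expand bytes into a list of bits, most significant bit first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]

def manchester_encode(bits):
    """Map each data bit to two half-bit symbols."""
    symbols = []
    for bit in bits:
        symbols.extend((0, 1) if bit else (1, 0))
    return symbols

def manchester_decode(symbols):
    """Return (bits, bad_positions); an unrecoverable bit is stored as None."""
    bits, bad_positions = [], []
    for i in range(0, len(symbols) - 1, 2):
        pair = (symbols[i], symbols[i + 1])
        if pair == (0, 1):
            bits.append(1)
        elif pair == (1, 0):
            bits.append(0)
        else:  # no mid-bit transition: the symbol pair was corrupted
            bits.append(None)
            bad_positions.append(i // 2)
    return bits, bad_positions

def saturate(symbols, start, stop):
    """Model strong interference by forcing symbols[start:stop] to 1."""
    return [1 if start <= i < stop else s for i, s in enumerate(symbols)]

def transfer_seconds(n_bits, bits_per_second):
    """Time on air for n_bits of payload at the given data rate."""
    return n_bits / bits_per_second

if __name__ == "__main__":
    key_code = bytes([0x00, 0x4B])        # constructed 16-bit keystroke value
    bits = bytes_to_bits(key_code)
    clean = manchester_encode(bits)
    print(manchester_decode(clean))       # all bits recovered, no bad positions
    noisy = saturate(clean, 8, 12)        # interference over four half-bits
    print(manchester_decode(noisy)[1])    # positions of the lost data bits
    print(transfer_seconds(16, 1000))     # one keystroke at about 1,000 bit/s
```

Because a clean Manchester stream has a transition in every bit period, any stretch of interference shows up as bits the decoder has to discard, which is the effect the jamming countermeasure relies on.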
How to Defend Against RAMBO
There are several ways to defend against this kind of attack, including:
- Faraday cages to block electromagnetic emissions
- Setting up “red-black” zones to control the flow of sensitive data
- Using Intrusion Detection Systems (IDS) to monitor memory access
- Watching for unusual activity in memory at the hypervisor level
- Deploying radio frequency jammers to block unauthorized signals
These precautions can help protect air-gapped systems from being compromised by this new method of data theft.
Conclusion
The RAMBO attack demonstrates that even systems isolated from the internet are not entirely safe from cyber threats. By using radio signals emitted by RAM, attackers can steal highly sensitive data without the need for any physical connection to the device. As this threat evolves, organizations should consider upgrading their security measures to protect against these types of attacks.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.