Virtual Event Now Live: Zero Trust Strategies Summit! - Login for Access
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

New RAMBO Attack Allows Air-Gapped Data Theft via RAM Radio Signals

An academic researcher has devised a new method of exfiltrating data from air-gapped systems using radio signals from memory buses.

An academic researcher has devised a new attack technique that relies on radio signals from memory buses to exfiltrate data from air-gapped systems.

According to Mordechai Guri from Ben-Gurion University of the Negev in Israel, malware can be used to encode sensitive data that can be captured from a distance using software-defined radio (SDR) hardware and an off-the-shelf antenna.

The attack, named RAMBO (PDF), allows attackers to exfiltrate encoded files, encryption keys, images, keystrokes, and biometric information at a rate of 1,000 bits per second. Tests were conducted over distances of up to 7 meters (23 feet).

Air-gapped systems are physically and logically isolated from external networks to keep sensitive information safe. While offering increased security, these systems are not malware-proof, and there are at tens of documented malware families targeting them, including Stuxnet, Fanny, and PlugX.

In new research, Mordechai Guri, who published several papers on air gap-jumping techniques, explains that malware on air-gapped systems can manipulate the RAM to generate modified, encoded radio signals at clock frequencies, which can then be received from a distance.

An attacker can use appropriate hardware to receive the electromagnetic signals, decode the data, and retrieve the stolen information.

The RAMBO attack begins with the deployment of malware on the isolated system, either via an infected USB drive, using a malicious insider with access to the system, or by compromising the supply chain to inject the malware into hardware or software components.

The second phase of the attack involves data gathering, exfiltration via the air-gap covert channel – in this case electromagnetic emissions from the RAM – and at-distance retrieval.

Advertisement. Scroll to continue reading.

Guri explains that the rapid voltage and current changes that occur when data is transferred through the RAM create electromagnetic fields that can radiate electromagnetic energy at a frequency that depends on clock speed, data width, and overall architecture.

A transmitter can create an electromagnetic covert channel by modulating memory access patterns in a way that corresponds to binary data, the researcher explains.

By precisely controlling the memory-related instructions, the academic was able to use this covert channel to transmit encoded data and then retrieve it at a distance using SDR hardware and a basic antenna. 

“With this method, attackers can leak data from highly isolated, air-gapped computers to a nearby receiver at a bit rate of hundreds bits per second,” Guri notes. 

The researcher details several defensive and protective countermeasures that can be implemented to prevent the RAMBO attack.

Related: LF Electromagnetic Radiation Used for Stealthy Data Theft From Air-Gapped Systems

Related: RAM-Generated Wi-Fi Signals Allow Data Exfiltration From Air-Gapped Systems

Related: NFCdrip Attack Proves Long-Range Data Exfiltration via NFC

Related: USB Hacking Devices Can Steal Credentials From Locked Computers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

Omkhar Arasaratnam, former GM at OpenSSF, is LinkedIn's first Distinguised Security Engineer

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.