An academic researcher has devised a new attack technique that relies on radio signals from memory buses to exfiltrate data from air-gapped systems.
According to Mordechai Guri from Ben-Gurion University of the Negev in Israel, malware can be used to encode sensitive data that can be captured from a distance using software-defined radio (SDR) hardware and an off-the-shelf antenna.
The attack, named RAMBO (PDF), allows attackers to exfiltrate encoded files, encryption keys, images, keystrokes, and biometric information at a rate of 1,000 bits per second. Tests were conducted over distances of up to 7 meters (23 feet).
Air-gapped systems are physically and logically isolated from external networks to keep sensitive information safe. While offering increased security, these systems are not malware-proof, and there are at tens of documented malware families targeting them, including Stuxnet, Fanny, and PlugX.
In new research, Mordechai Guri, who published several papers on air gap-jumping techniques, explains that malware on air-gapped systems can manipulate the RAM to generate modified, encoded radio signals at clock frequencies, which can then be received from a distance.
An attacker can use appropriate hardware to receive the electromagnetic signals, decode the data, and retrieve the stolen information.
The RAMBO attack begins with the deployment of malware on the isolated system, either via an infected USB drive, using a malicious insider with access to the system, or by compromising the supply chain to inject the malware into hardware or software components.
The second phase of the attack involves data gathering, exfiltration via the air-gap covert channel – in this case electromagnetic emissions from the RAM – and at-distance retrieval.
Guri explains that the rapid voltage and current changes that occur when data is transferred through the RAM create electromagnetic fields that can radiate electromagnetic energy at a frequency that depends on clock speed, data width, and overall architecture.
A transmitter can create an electromagnetic covert channel by modulating memory access patterns in a way that corresponds to binary data, the researcher explains.
By precisely controlling the memory-related instructions, the academic was able to use this covert channel to transmit encoded data and then retrieve it at a distance using SDR hardware and a basic antenna.
“With this method, attackers can leak data from highly isolated, air-gapped computers to a nearby receiver at a bit rate of hundreds bits per second,” Guri notes.
The researcher details several defensive and protective countermeasures that can be implemented to prevent the RAMBO attack.
Related: LF Electromagnetic Radiation Used for Stealthy Data Theft From Air-Gapped Systems
Related: RAM-Generated Wi-Fi Signals Allow Data Exfiltration From Air-Gapped Systems
Related: NFCdrip Attack Proves Long-Range Data Exfiltration via NFC
Related: USB Hacking Devices Can Steal Credentials From Locked Computers
