New RAMBO Attack Leverages RAM Radio Signals to Extract Data from Air-Gapped Networks

A new covert-channel attack method has been uncovered that uses radio signals emitted by a device's random access memory (RAM) to extract sensitive data, posing a significant risk to air-gapped networks. The technique, referred to as RAMBO (short for "Radiation of Air-gapped Memory Bus for Offense"), was developed by Dr. Mordechai Guri, head of the Offensive Cyber Research Lab at Ben Gurion University of the Negev in Israel. It is a covert channel rather than a passive side channel: it requires malware already running on the isolated machine, which then acts as a transmitter.

In his recently published research, Dr. Guri explains that malware on the isolated machine can generate radio signals purely in software: by driving bursts of memory read and write activity, it makes the memory bus radiate, and by timing those bursts it encodes sensitive information, including documents, images, keylogging data, biometric information, and encryption keys, into the emissions. On the receiving side, the attack uses software-defined radio (SDR) hardware and readily available antennas to capture the raw signal from several metres away, after which it is demodulated back into the original bits.

Dr. Guri's work extends beyond RAMBO; he has previously introduced a range of techniques for exfiltrating data from isolated networks, including the use of Serial ATA cables, MEMS gyroscopes, graphics processing unit (GPU) fan noise, and even power consumption patterns to leak confidential information. Each method illustrates how components never intended as transmitters can be repurposed to compromise systems believed to be secure.

Mapped onto the MITRE ATT&CK framework, a RAMBO attack likely begins with initial access to the air-gapped network, for example through a compromised insider or malware carried in on a USB device (replication through removable media). Once the malware is executing on a host inside the network, it collects data such as keystrokes and then performs exfiltration over a non-standard medium: it encodes the collected data as a pattern of memory operations, the memory bus radiates that pattern, and a receiver outside the network decodes it. The achieved rates are enough to relay keystrokes and other small items in near real time from a distance; larger files take correspondingly longer.

Under testing conditions, RAMBO exfiltrated data, including documents and biometric information, at up to 1,000 bits per second on machines equipped with Intel i7 CPUs and 16GB of RAM. Dr. Guri calculated that a 4096-bit RSA encryption key could be transmitted in approximately 42 seconds at the lower transmission rate, which works out to roughly 100 bits per second; at the top rate the same key takes only about four seconds. The channel is slow by network standards (a 1 MB document would take well over two hours at 1,000 bits per second), but keys, credentials and keystrokes are small, and that is where the attack vector is most immediately effective.
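To make the transmit-and-decode pipeline concrete, the following is an added simulation written for this article; it is not Dr. Guri's code and it does not generate any emissions. It models the framing layer only: a transmitter turns bytes into an on/off symbol stream (1 = a burst of memory-bus activity that would radiate, 0 = idle) using Manchester encoding over on-off keying, and a receiver recovers the bytes from an oversampled, lossy trace, including the case where the channel is too lossy and decoding fails. The preamble, the 16-bit length field, the oversampling factor and the "dropped sample" noise model are my own assumptions; the exfil-time function reproduces the 4096-bit key arithmetic above.

```python
"""Simulation of a RAMBO-style covert channel's framing and modulation layer.

Added example for this article, not the research code. Everything operates on
Python lists: no memory is hammered and no radio is involved. The preamble,
length field, oversampling factor and loss model are assumptions made here.
"""
from typing import List, Optional

PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 1]  # assumed sync word (8 data bits)
LENGTH_BITS = 16                     # assumed payload-length field
OVERSAMPLE = 5                       # assumed receiver samples per half-symbol


def bytes_to_bits(data: bytes) -> List[int]:
    """MSB-first bit list of the given bytes."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def bits_to_bytes(bits: List[int]) -> bytes:
    """Inverse of bytes_to_bits; len(bits) must be a multiple of 8."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def manchester_encode(bits: List[int]) -> List[int]:
    """1 -> high,low and 0 -> low,high: every bit carries a transition, so the
    receiver can keep symbol timing without a shared clock."""
    out: List[int] = []
    for b in bits:
        out.extend((1, 0) if b else (0, 1))
    return out


def tx_symbols(payload: bytes) -> List[int]:
    """Transmitter: frame = preamble | length | payload, Manchester-encoded.
    A 1 half-symbol stands for a burst of memory-bus activity, a 0 for idle."""
    frame = (PREAMBLE
             + bytes_to_bits(len(payload).to_bytes(LENGTH_BITS // 8, "big"))
             + bytes_to_bits(payload))
    return manchester_encode(frame)


def channel(symbols: List[int], dropped_per_half: int,
            lead_idle: int = 7, tail_idle: int = 9) -> List[int]:
    """Lossy channel model (assumed): each half-symbol is observed OVERSAMPLE
    times, the first `dropped_per_half` observations of every half-symbol are
    lost (energy not detected), and idle samples surround the frame so the
    receiver must find the symbol alignment itself."""
    trace = [0] * lead_idle
    for s in symbols:
        trace.extend([0] * dropped_per_half + [s] * (OVERSAMPLE - dropped_per_half))
    trace.extend([0] * tail_idle)
    return trace


def _majority(trace: List[int], offset: int) -> List[int]:
    """Majority-vote each OVERSAMPLE-wide window starting at `offset`."""
    halves = []
    for i in range(offset, len(trace) - OVERSAMPLE + 1, OVERSAMPLE):
        halves.append(1 if 2 * sum(trace[i:i + OVERSAMPLE]) > OVERSAMPLE else 0)
    return halves


def _manchester_decode(halves: List[int]) -> Optional[List[int]]:
    """Pairs of half-symbols back to bits; None if a pair has no transition."""
    bits = []
    for i in range(0, len(halves) - 1, 2):
        pair = (halves[i], halves[i + 1])
        if pair == (1, 0):
            bits.append(1)
        elif pair == (0, 1):
            bits.append(0)
        else:
            return None  # (1,1) or (0,0): symbol corrupt
    return bits


def rx_decode(trace: List[int]) -> Optional[bytes]:
    """Receiver: try every sample alignment, majority-vote each half-symbol,
    locate the preamble, then decode length and payload. Returns None when no
    alignment yields a clean frame (channel too lossy, or no transmission)."""
    sync = manchester_encode(PREAMBLE)
    for offset in range(OVERSAMPLE):
        halves = _majority(trace, offset)
        for p in range(len(halves) - len(sync) + 1):
            if halves[p:p + len(sync)] != sync:
                continue
            start = p + len(sync)
            hdr = _manchester_decode(halves[start:start + 2 * LENGTH_BITS])
            if hdr is None or len(hdr) != LENGTH_BITS:
                continue
            n = int("".join(map(str, hdr)), 2)
            body_start = start + 2 * LENGTH_BITS
            body = _manchester_decode(halves[body_start:body_start + 16 * n])
            if body is None or len(body) != 8 * n:
                continue
            return bits_to_bytes(body)
    return None


def exfil_seconds(payload_bits: int, bits_per_second: float) -> float:
    """Air time for a payload at a given data rate, including this frame's
    preamble and length overhead. Manchester halves the symbol period, not the
    data rate, so it does not appear here."""
    return (len(PREAMBLE) + LENGTH_BITS + payload_bits) / bits_per_second


if __name__ == "__main__":
    secret = b"constructed sample secret"  # constructed, not real data
    trace = channel(tx_symbols(secret), dropped_per_half=2)
    print("recovered:", rx_decode(trace))
    print("too lossy:", rx_decode(channel(tx_symbols(secret), dropped_per_half=3)))
    print("4096-bit key: %.2f s at 100 b/s, %.2f s at 1000 b/s"
          % (exfil_seconds(4096, 100), exfil_seconds(4096, 1000)))
```

With two of five samples per half-symbol lost the majority vote still recovers every symbol; with three lost, every "burst" half-symbol votes as idle, the preamble is never found and the receiver reports nothing rather than garbage. That is the defender's lever as well: anything that degrades the received energy (distance, shielding) pushes the channel past the point where its error correction holds.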

The ramifications of this research are substantial, especially for organizations that rely on air-gapped systems for critical operations. The mitigations recommended include "red-black" zone restrictions (keeping equipment that handles sensitive data physically separated, by distance and by barrier, from equipment and areas where a receiver could sit), intrusion detection that looks for the rhythmic, anomalous memory activity such a transmitter needs, and Faraday cages or shielded enclosures to block the electromagnetic emissions at the source. None of these is free: shielding and zoning carry facilities costs, and detection only helps if the memory-access monitoring runs below the compromised operating system.

As the threat landscape continues to evolve, understanding these emerging tactics is increasingly important for anyone responsible for isolated systems. The RAMBO research is a stark reminder that an air gap blocks network traffic, not physics: a system considered isolated can still leak through channels its designers never modelled. Remaining vigilant and proactive about emissions, physical zoning and endpoint integrity is essential to safeguarding sensitive information.
