A new side-channel attack has been found to use radio signals emanating from a device’s random access memory (RAM) as a data-stealing mechanism, posing a threat to air-gapped networks.
The equipment received a code name RAMBO Dr. Mordechai Guri, Head of the Offensive Cyber Research Laboratory, Department of Software Engineering and Information Systems, Ben-Gurion University of the Negev in Israel.
“Using radio signals generated by the software, malware can encode sensitive information such as files, images, keylogs, biometric information and encryption keys,” said Dr. Guri. said in a recently published research paper.
“Using software-defined radio (SDR) hardware and a simple off-the-shelf antenna, an attacker can intercept transmitted raw radio signals from a distance. These signals can then be decoded and translated back into binary information.’
For many years, Dr. Guri has invented various mechanisms for extracting sensitive data from offline networks using Serial ATA cables (SATAN), MEMS gyroscope (GYROSCOPE), LEDs on network cards (ETHERLED), and dynamic power consumption (The COVID bit).
Some of the other unconventional approaches developed by researchers involve leaking data from air-gapped networks via hidden acoustic signals generated by graphics processing unit (GPU) fans (GPU fan), (ultra)sound waves created by the built-in buzzers of the motherboard (EL GRILL), and even the printer display panels and status LEDs (PrinterLeak).
Guri also demonstrated last year AirKeyLoggera non-hardware RF keylogging attack that uses radio emissions from a computer’s power supply to transmit real-time keystroke data to a remote attacker.
“To leak sensitive data, CPU operating frequencies are manipulated to generate an electromagnetic radiation pattern from the power supply that is modulated by keystrokes,” Guri noted in the study. “Information about keystrokes can be received several meters away via a radio frequency receiver or a smartphone with a simple antenna.”
As always with attacks of this nature, the first thing to do is to air-gap the net compromised through other means – such as a rogue insider, poisoned USB drives, or a supply chain attack – that allows malware to run a hidden channel of data theft.
RAMBO is no exception in that the malware is used to manipulate RAM so that it can generate radio signals at clock frequencies that are then encoded using Manchester Coding and transmitted so as to be received from afar.
Encoded data can include keystrokes, documents and biometric information. An attacker can then use the SDR to receive electromagnetic signals, demodulate and decode the data, and retrieve the stolen information.
“The malware uses the electromagnetic radiation of RAM to modulate information and transmit it to the outside,” said Dr. Guri. “A remote attacker with a radio and an antenna can receive the information, demodulate it, and decode it into the original binary or text representation.”
The study found that this technique could be used to leak data from air-gapped computers running Intel i7 3.6GHz processors and 16GB of RAM at 1000 bits per second, with keystrokes deleted in real time time with 16 bits per key.
“A 4096-bit RSA encryption key can be stolen in 41.96 seconds at low speed and 4.096 bits at high speed,” said Dr. Ghuri. “Biometrics, small files (.jpg) and small documents (.txt and .docx) require anywhere from 400 seconds on low to a few seconds on high.”
“This suggests that the RAMBO covert channel can be used to leak relatively short amounts of information over a short period of time.”
Countermeasures to block the attack include enforcing red-black zone restrictions for information transmission, using an intrusion detection system (IDS), monitoring memory access at the hypervisor level, using radio jamming to block wireless communication, and using a Faraday cage.
