A new side-channel attack technique named RAMBO has been discovered by Dr. Mordechai Guri from Ben Gurion University of the Negev that uses radio signals emitted by a device’s RAM to exfiltrate data, posing a threat to air-gapped networks.
According to a research paper published by Dr. Guri, malware running on the compromised machine can encode sensitive information such as files, images, keystroke logs, biometric data, and encryption keys into software-generated radio signals. These signals can be intercepted with software-defined radio (SDR) hardware and a simple antenna, then demodulated back into binary form.
Dr. Guri has previously devised various methods to extract confidential data from offline networks, including using Serial ATA cables (SATAn), MEMS gyroscopes (GAIROSCOPE), LEDs on network interface cards (ETHERLED), and dynamic power consumption (COVID-bit).
Other unconventional approaches by Dr. Guri include leaking data from air-gapped networks via covert acoustic signals generated by GPU fans (GPU-FAN), ultrasonic waves from built-in motherboard buzzers (EL-GRILLO), and printer display panels and status LEDs (PrinterLeak).
Last year, Dr. Guri demonstrated AirKeyLogger, a hardwareless radio frequency keylogging attack that utilizes radio emissions from a computer’s power supply to exfiltrate real-time keystroke data to a remote attacker.
In order to execute these attacks, the air-gapped network must first be compromised through other means such as a rogue insider, poisoned USB drives, or a supply chain attack.
The RAMBO attack manipulates RAM so that it emits radio signals at its clock frequencies; the data is encoded onto those emissions using Manchester encoding and transmitted for remote retrieval.
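Manchester encoding is the one concrete signal-processing detail the article gives, so it is worth seeing why a covert channel like this would choose it: every bit is sent as a level transition, which lets a receiver recover the bit clock from the signal itself and lets it spot loss of synchronisation (a pair of symbols with no transition is never valid). The following is an added example written for this page, not code from Dr. Guri's paper; it assumes the IEEE 802.3 convention (0 = high-to-low, 1 = low-to-high) and a fixed alternating preamble, both of which are this example's choices rather than anything the article states.

```python
from typing import List

# Assumed convention (IEEE 802.3 Manchester): a 0 bit is sent as the symbol
# pair [1, 0] (high-to-low), a 1 bit as [0, 1] (low-to-high).
# The paper's actual convention is not given on the page.
SYMBOL_FOR_BIT = {"0": [1, 0], "1": [0, 1]}
BIT_FOR_SYMBOL = {(1, 0): "0", (0, 1): "1"}

# Constructed preamble: alternating bits give the receiver a regular train
# of transitions to lock its bit clock onto before the payload begins.
PREAMBLE_BITS = "10101010"


def manchester_encode(data: bytes, preamble_bits: str = PREAMBLE_BITS) -> List[int]:
    """Encode bytes as a list of Manchester symbols (0/1 signal levels).

    Each bit becomes two symbols, so the output has exactly one level
    transition per bit: the stream is self-clocking.
    """
    bits = preamble_bits + "".join(f"{b:08b}" for b in data)
    symbols: List[int] = []
    for bit in bits:
        symbols.extend(SYMBOL_FOR_BIT[bit])
    return symbols


def manchester_decode(symbols: List[int], preamble_bits: str = PREAMBLE_BITS) -> bytes:
    """Recover bytes from Manchester symbols.

    Raises ValueError on a symbol pair with no transition ([0, 0] or [1, 1]),
    which is how a receiver notices it has lost sync with the transmitter's clock,
    and on a missing preamble.
    """
    if len(symbols) % 2:
        raise ValueError("odd symbol count: stream is not bit-aligned")
    bits = []
    for i in range(0, len(symbols), 2):
        pair = (symbols[i], symbols[i + 1])
        if pair not in BIT_FOR_SYMBOL:
            raise ValueError(f"invalid Manchester symbol at offset {i}: {pair}")
        bits.append(BIT_FOR_SYMBOL[pair])
    bitstr = "".join(bits)
    if not bitstr.startswith(preamble_bits):
        raise ValueError("preamble not found: receiver is not synchronised")
    payload = bitstr[len(preamble_bits):]
    usable = len(payload) - len(payload) % 8  # drop any trailing partial byte
    return bytes(int(payload[i:i + 8], 2) for i in range(0, usable, 8))


def is_valid_manchester(symbols: List[int]) -> bool:
    """True if every symbol pair carries a transition (no framing check)."""
    if len(symbols) % 2:
        return False
    return all((symbols[i], symbols[i + 1]) in BIT_FOR_SYMBOL
               for i in range(0, len(symbols), 2))


def longest_level_run(symbols: List[int]) -> int:
    """Longest run of an identical level. For a valid Manchester stream this is
    never more than 2, which is the property that makes the code self-clocking."""
    best = run = 0
    prev = None
    for s in symbols:
        run = run + 1 if s == prev else 1
        prev = s
        best = max(best, run)
    return best


if __name__ == "__main__":
    # Constructed sample payload; a real channel would carry arbitrary bytes.
    sample = b"example"
    tx = manchester_encode(sample)
    print("symbols per byte:", 16, "| total symbols:", len(tx))
    print("longest constant-level run:", longest_level_run(tx))
    print("round trip:", manchester_decode(tx))
```

The round trip shows the two properties that matter for a receiver: the payload costs two symbol periods per bit (halving the usable bit rate of the channel), and the level never stays constant for more than two symbol periods, so any longer run or any transition-free pair is immediately recognisable as noise or desynchronisation rather than data.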
Countermeasures to mitigate the attack include implementing “red-black” zone restrictions, using intrusion detection systems, monitoring memory access at the hypervisor level, deploying radio jammers, and enclosing sensitive systems in a Faraday cage.