A new side-channel attack exploits radio signals emitted by a device’s random access memory (RAM) as a data exfiltration mechanism, posing a threat to air-gapped networks. The technique was named RAMBO by Dr. Mordechai Guri, head of the Cyber Offensive Research Laboratory at the Department of Information Systems and Software Engineering at Ben Gurion University of the Negev in Israel (the Israeli equivalent of CISA, so to speak).
RAMBO: What is it exactly and what are its effects?
“Using software-generated radio signals, malware can encrypt sensitive information such as files, images, keystrokes, biometric data, and encryption keys,” Dr. Guri declared in a new research study, adding that “With the hardware of a software-defined radio (SDR) and a simple commercial antenna, an attacker can intercept raw radio signals transmitted from some distance away. These signals can then be decoded and translated back into binary information.”
Over the years, Dr. Guri has developed various mechanisms to extract confidential data from offline networks, exploiting Serial ATA cables (SATAn), MEMS gyroscopes (GAIROSCOPE), network card LEDs (ETHERLED) and dynamic energy consumption (COVID-bit).
Other unconventional approaches devised by the researcher include data leakage from isolated networks via hidden acoustic signals generated by graphics processing unit fans (GPU-FAN), (ultra)sonic waves produced by the buzzers integrated into motherboards (EL GRILLO), and even printer display panels and status LEDs (PrinterLeak).
Last year, Dr. Guri also demonstrated AirKeyLogger, a hardwareless radio-frequency keylogging attack that exploits radio emissions from a computer’s power supply to exfiltrate real-time keystroke data to a remote attacker.
“To leak confidential data, the processor’s operating frequencies are manipulated to generate a pattern of electromagnetic emissions from the power supply unit, modulated based on keystrokes,” Dr. Guri noted in the study. “Information about keystrokes can be received at distances of several meters via an RF receiver or a smartphone with a simple antenna.”
RAMBO Hacker Attack: You Need to Act In Person, Not Remotely
As always with attacks of this nature, the isolated network must first have been compromised by other means, such as a malicious insider, infected USB sticks or a supply-chain attack, which allows the malware to activate the hidden data exfiltration channel.
RAMBO is no exception: the malware manipulates RAM so that it generates radio signals at clock frequencies; the data is encoded using Manchester coding and transmitted so that it can be received at a distance.
The encoded data can include keystrokes, documents, and biometric information. An attacker on the other side can then use the SDR to receive the electromagnetic signals, demodulate them, and decode the data, thus recovering the exfiltrated information.
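As an added illustration (not code from this article or from Dr. Guri’s research), the following shows the Manchester line coding the channel relies on, a decoder that rejects any chip pair lacking the mid-bit transition that makes the code self-clocking, and the airtime arithmetic behind the per-bit-rate figures quoted further down. The 0→01 / 1→10 polarity and the MSB-first bit order are assumptions, not details taken from the paper.

```python
# Added example: Manchester coding on plain bit lists, runnable offline.
# Assumed convention (IEEE 802.3 style): 0 -> (0, 1), 1 -> (1, 0).
# Each data bit becomes two "chips", so every bit carries exactly one
# mid-bit transition (receiver can recover the clock) and the stream
# is DC-balanced.


def bytes_to_bits(data: bytes) -> list[int]:
    """MSB-first bit list for a byte string (bit order is an assumption)."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def bits_to_bytes(bits: list[int]) -> bytes:
    """Inverse of bytes_to_bits; the bit count must be a multiple of 8."""
    if len(bits) % 8:
        raise ValueError("bit count is not a multiple of 8")
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def manchester_encode(bits: list[int]) -> list[int]:
    """Expand each data bit into its two-chip Manchester symbol."""
    chips: list[int] = []
    for b in bits:
        chips.extend((1, 0) if b else (0, 1))
    return chips


def manchester_decode(chips: list[int]) -> list[int]:
    """Collapse chip pairs back to bits, rejecting pairs with no transition.

    A pair (0, 0) or (1, 1) cannot occur in a valid Manchester stream, so it
    signals a reception error or loss of symbol alignment.
    """
    if len(chips) % 2:
        raise ValueError("odd chip count: stream is truncated or misaligned")
    bits: list[int] = []
    for i in range(0, len(chips), 2):
        pair = (chips[i], chips[i + 1])
        if pair == (0, 1):
            bits.append(0)
        elif pair == (1, 0):
            bits.append(1)
        else:
            raise ValueError(f"no mid-bit transition at chip offset {i}: {pair}")
    return bits


def airtime_seconds(payload: bytes, bit_rate: float) -> float:
    """Seconds needed to send payload at a given data-bit rate (bits/s)."""
    return len(payload) * 8 / bit_rate
```

At the 1,000 bit/s rate the article quotes, a 4096-bit (512-byte) key takes airtime_seconds(bytes(512), 1000) == 4.096 seconds, matching the high-speed figure given below.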
RAMBO and electromagnetism
“The malware uses electromagnetic emissions from the RAM to modulate information and transmit it outside,” said Dr. Guri. “A remote attacker with a radio receiver and antenna can receive the information, demodulate it, and decode it back into its original binary or text representation.”
The technique could be used to leak data from isolated computers equipped with 3.6GHz Intel i7 processors and 16GB of RAM at a speed of 1,000 bits per second; keystrokes can be exfiltrated in real time at 16 bits per key.
Regarding the RAMBO attack, Dr. Guri explained: “A 4096-bit RSA encryption key can be exfiltrated in 41.96 seconds at low speed and 4.096 seconds at high speed. Biometric information, small files (.jpg) and small documents (.txt and .docx) require 400 seconds at low speed and a few seconds at the highest speeds.”
The researcher then states: “This indicates that the RAMBO covert channel can be used to leak relatively short amounts of information in a limited period of time.”
Countermeasures to block the attack include applying “red-black” restrictions on information transfer, using an intrusion detection system (IDS), monitoring memory access at the hypervisor level, using radio jammers to block wireless communications, and using a Faraday cage.
Origin of the name RAMBO
The name RAMBO is an acronym that stands for “Radio Access Memory Broadcast Over”; it was chosen by Dr. Mordechai Guri to evoke the image of a powerful and unexpected attack, similar to the character of John Rambo in action movies. The name emphasizes the malware’s ability to exploit RAM radio emissions to transmit sensitive data, making the attack particularly insidious and difficult to detect.
The parallel with the RAMBO malware is that this attack also acts invisibly, bypassing security barriers and “fighting” against the defenses of isolated networks to extract sensitive information.