September 10, 2024
Severity
High
Analysis Summary
A new side-channel attack has been discovered that exploits radio signals emitted by a random access memory (RAM) device to exfiltrate data, endangering air-gapped networks.
The technique was discovered by researchers, who said that malware can encrypt sensitive data, including files, photos, keylogging, biometric data, and encryption keys, using software-generated radio signals. A basic off-the-shelf antenna and software-defined radio (SDR) technology allow an attacker to intercept the raw transmitted radio signals remotely. The signals can then be decoded and converted back into binary data.
The researchers have developed several methods over the years to retrieve sensitive information from offline networks by utilizing dynamic power consumption (COVID-bit), LEDs on network interface cards (ETHERLED), MEMS gyroscopes (GAIROSCOPE), and Serial ATA cables (SATAn). Other non-traditional methods that the researchers came up with include using hidden acoustic signals from GPU fans (GPU-FAN), (ultra)sonic waves from motherboard buzzers (EL-GRILLO), and even printer display panels and status LEDs (PrinterLeak) to leak data from air-gapped networks.
They also demonstrated AirKeyLogger last year. This hardwareless radio frequency keylogging attack uses radio emissions from a computer's power supply to steal real-time keyboard data and send it to an attacker located elsewhere. The working frequencies of the CPU are altered to produce an electromagnetic emission pattern from the power unit that is modulated by keystrokes, thereby leaking sensitive data. With an RF receiver or a smartphone with a basic antenna, the keystroke data can be obtained from several meters away.
As is typical with attacks of this nature, for the malware to initiate the covert data exfiltration channel, the air-gapped network must first be breached via other techniques, such as a supply chain attack, rogue insider, or contaminated USB devices. RAMBO is similar to other malware in that it uses RAM manipulation to produce radio signals at clock frequencies. These signals are then encoded using Manchester encoding and sent out to be received at a distance.
Documents, biometric data, and keystrokes are examples of data that can be encoded this way. The malware modulates the data onto electromagnetic emissions from the RAM and transmits it out of the machine. A distant attacker equipped with an SDR receiver and antenna can then receive the electromagnetic signals, demodulate them, and decode the data back into its original binary or textual representation.
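The receiver side described above, as an added example that is not part of the original advisory or the researchers' code: Manchester-encode bytes into chips, expand them into a sampled waveform, and decode by majority vote per chip. The waveform and the deterministic corruption of every fifth sample are constructed here to show why per-chip voting tolerates noise and why a jammer that destroys the level transitions (one of the listed countermeasures) breaks decoding entirely.

```python
"""Manchester line-code round trip as used by the RAMBO-style covert channel."""
from typing import List


def manchester_encode(data: bytes) -> List[int]:
    """IEEE 802.3 convention: bit 1 -> high-low [1, 0], bit 0 -> low-high [0, 1]."""
    chips: List[int] = []
    for byte in data:
        for i in range(7, -1, -1):  # MSB first
            chips += [1, 0] if (byte >> i) & 1 else [0, 1]
    return chips


def to_samples(chips: List[int], spc: int, corrupt_every: int = 0) -> List[int]:
    """Hold each chip for `spc` samples; optionally flip every n-th sample (constructed noise)."""
    samples = [c for c in chips for _ in range(spc)]
    if corrupt_every:
        samples = [s ^ 1 if i % corrupt_every == 0 else s for i, s in enumerate(samples)]
    return samples


def manchester_decode(samples: List[int], spc: int) -> bytes:
    """Majority-vote each chip window, pair chips into bits, pack bits into bytes."""
    chips = []
    for i in range(0, len(samples) - spc + 1, spc):
        window = samples[i:i + spc]
        chips.append(1 if sum(window) * 2 > spc else 0)
    bits = []
    for a, b in zip(chips[0::2], chips[1::2]):
        if (a, b) == (1, 0):
            bits.append(1)
        elif (a, b) == (0, 1):
            bits.append(0)
        else:  # (0,0) or (1,1): no mid-bit transition, i.e. the line code was destroyed
            raise ValueError(f"invalid Manchester pair {(a, b)}")
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)


def roundtrip(data: bytes, spc: int = 16, corrupt_every: int = 5) -> bytes:
    """Encode, expand to a (corrupted) waveform, and decode again."""
    return manchester_decode(to_samples(manchester_encode(data), spc, corrupt_every), spc)
```

With 16 samples per chip and every fifth sample flipped, each chip window still carries at most four wrong samples, so the majority vote recovers every bit; raising the corruption until a window loses its transition makes the decoder raise instead of returning silently wrong bytes.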
The investigation found that keystrokes can be exfiltrated in real time at 16 bits per key, allowing data to be leaked from air-gapped machines with Intel i7 3.6GHz CPUs and 16 GB RAM at 1,000 bits per second. A 4096-bit RSA encryption key can be exfiltrated at both low and high speed, with a 4096-bit key taking 41.96 seconds. Biometric data, small images (.jpeg), and small documents (.txt and .docx) need a few seconds at the fast rate and up to 400 seconds at the low rate.
This shows that relatively small amounts of information can be leaked over short timeframes via the RAMBO covert channel. Countermeasures to stop the attack include enforcing "red-black" zone restrictions on information transfer, utilizing an intrusion detection system (IDS), monitoring hypervisor-level memory access, employing radio jammers to obstruct wireless connections, and utilizing a Faraday cage.
Impact
- Data Exfiltration
- Sensitive Data Theft
- File Encryption
Remediation
- Organizations must test their assets and apply the available security patches or mitigation steps as soon as possible.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations must stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.