RAMBO Attack: New Air-Gap Exploit

AI created, human edited.

In a recent episode of Security Now, host Steve Gibson delved into a fascinating new side-channel attack dubbed "RAMBO" (RAM-Based Output). This innovative exploit, developed by researcher Mordechai Guri at Israel's Ben-Gurion University of the Negev, demonstrates how even air-gapped systems can be vulnerable to data exfiltration through unexpected means.

RAMBO is a technique that allows malware to generate radio signals from a computer's RAM (Random Access Memory) buses. These signals can be used to encode and transmit sensitive information such as files, keystrokes, biometric data, and encryption keys. Using off-the-shelf software-defined radio (SDR) hardware and a simple antenna, an attacker can intercept these signals from a distance and decode them back into binary information.

Key Points:

  1. Transmission Speed: RAMBO can leak data at up to 1000 bits per second. While this may seem slow, it's more than sufficient to transmit critical information like cryptographic keys in just a few seconds.

  2. Range: The researchers demonstrated successful signal reception at distances up to 700 centimeters (23 feet).

  3. Encoding: The attack uses Manchester encoding, a self-clocking system that ensures reliable data transmission even with slight timing variations.

  4. Stealth: Forensic analysts would find it difficult to identify the code generating these radio signals as malicious, as it appears to be doing nothing unusual.

Air-gapped systems, physically isolated from external networks, have long been considered a gold standard for security. However, RAMBO joins a growing list of creative attacks that challenge this assumption. As Gibson points out, the widespread use of encryption has concentrated immense value into small amounts of data (like encryption keys), making even low-bandwidth exfiltration techniques potentially devastating.

Gibson reminds listeners that air-gap attacks aren't new. He cites examples like Stuxnet and Agent.BTZ, which used infected USB drives to breach isolated networks. RAMBO represents an evolution in these techniques, exploiting fundamental properties of computer hardware to create a covert communication channel.

The attack manipulates RAM access patterns to generate electromagnetic emissions. By carefully timing memory read and write operations, the malware can modulate these emissions to encode binary data. The use of Manchester encoding ensures reliable transmission and helps the receiver maintain synchronization with the transmitter.
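To make the self-clocking property concrete, here is an added example that is not code from the paper or the episode: a Manchester encoder, a constructed "channel" that holds each half-bit (chip) for a jittered number of samples, and a decoder that recovers the bits from edge timing alone, never being told the transmitter's bit rate. Every bit carries a mid-bit transition, and two equal bits are separated by an extra boundary transition, so the receiver can re-synchronise on every bit; this is why slight timing variations on the sender side do not corrupt the data. The IEEE 802.3 chip convention, the sample counts and the payload are assumptions chosen for the illustration; the sample stream is constructed, not a radio capture.

```python
"""Manchester encoding round trip (added example, not the RAMBO authors' code).

Shows why the code is self-clocking: the decoder recovers the bit clock from
the gaps between level transitions, so it needs neither the sample rate nor a
separate clock, and tolerates per-chip timing jitter on the sender side.
"""
import random

# Assumed convention (IEEE 802.3): bit 0 -> chips (1, 0), a falling mid-bit edge;
#                                   bit 1 -> chips (0, 1), a rising mid-bit edge.


def manchester_encode(data: bytes) -> list[int]:
    """Encode bytes MSB-first into a list of chips, two chips per bit."""
    chips = []
    for byte in data:
        for i in range(7, -1, -1):
            bit = (byte >> i) & 1
            chips.extend((0, 1) if bit else (1, 0))
    return chips


def to_samples(chips: list[int], samples_per_chip: int, jitter: int,
               rng: random.Random) -> list[int]:
    """Constructed channel: hold each chip for samples_per_chip +/- jitter samples."""
    samples = []
    for chip in chips:
        hold = samples_per_chip + rng.randint(-jitter, jitter)
        samples.extend([chip] * hold)
    return samples


def manchester_decode(samples: list[int]) -> bytes:
    """Recover bytes from a sampled level stream using only edge timing.

    A boundary-to-mid gap is about one chip long and a mid-to-mid gap about two
    chips, so classifying each gap against the shortest observed gap recovers
    the clock. The level after a mid-bit edge is the bit value.
    """
    edges = [(i, samples[i]) for i in range(1, len(samples))
             if samples[i] != samples[i - 1]]
    if not edges:
        return b""
    gaps = [edges[k][0] - edges[k - 1][0] for k in range(1, len(edges))]
    chip = min(gaps) if gaps else 0
    threshold = 1.5 * chip          # below: boundary edge; above: mid-bit edge

    bits = [edges[0][1]]            # the first edge is always the mid-bit edge of bit 0
    after_boundary = False
    for gap, (_, level) in zip(gaps, edges[1:]):
        if after_boundary:
            # A boundary edge must be followed by a mid-bit edge one chip later.
            if gap > threshold:
                raise ValueError("framing error: lost bit clock")
            bits.append(level)
            after_boundary = False
        elif gap > threshold:       # mid-bit edge: new level is the bit value
            bits.append(level)
        else:                       # boundary edge between two equal bits
            after_boundary = True
    if after_boundary or len(bits) % 8:
        raise ValueError("truncated stream")
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def roundtrip(data: bytes, samples_per_chip: int, jitter: int, seed: int = 1) -> bytes:
    """Encode, push through the constructed jittery channel, decode."""
    rng = random.Random(seed)
    samples = to_samples(manchester_encode(data), samples_per_chip, jitter, rng)
    return manchester_decode(samples)


if __name__ == "__main__":
    payload = b"constructed sample payload"   # constructed, not real leaked data
    for rate in (7, 16, 25):                  # decoder is never told the rate
        print(rate, roundtrip(payload, rate, jitter=rate // 8) == payload)
```

Running the block decodes the same payload correctly at three different, unannounced sample rates with jitter of up to three samples per chip, which is the property the paragraph above relies on. The decoder also raises on a framing error rather than silently emitting garbage, the behaviour a real receiver needs in order to resynchronise.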

While not extensively discussed in the episode, Gibson hints at the importance of TEMPEST-hardened devices. These incorporate shielding and other countermeasures to prevent information-leaking electromagnetic emissions.

The RAMBO attack serves as a stark reminder that security is an ever-evolving challenge. As our systems become more complex and interconnected, we must remain vigilant against increasingly creative and subtle attack vectors. Even air-gapped systems, once thought nearly impenetrable, may require additional safeguards against these novel side-channel attacks.
