New RAMBO attack steals data using RAM in air-gapped computers

A new attack called "RAMBO" (Radiation of Air-gapped Memory Bus for Offense) has been discovered that can steal data by exploiting the RAM in air-gapped computers. The attack uses electromagnetic radiation emitted from the computer’s memory to transfer data out of systems isolated from the internet.

What are air-gapped systems?

Air-gapped systems are typically used in highly sensitive environments such as governments, military facilities, and nuclear power plants. These systems are not connected to the internet or any public network, making them resistant to most hacking attempts. However, they remain vulnerable to physical infiltration, such as malicious software being introduced via USB drives or through sophisticated supply chain attacks conducted by state-sponsored entities.


How does the RAMBO attack work?

The RAMBO attack works by planting malicious software on the air-gapped computer to collect sensitive data and prepare it for transmission. The malware then uses memory access patterns (read and write operations) to generate electromagnetic emissions from the computer’s RAM. By rapidly switching electrical signals within the memory, it modulates these emissions with a technique called On-Off Keying (OOK), which encodes the data into the electromagnetic signals.

The attacker can then use a simple device like a Software-Defined Radio (SDR) with an antenna to capture these emissions and decode the data into readable information. The data is encoded as "1" and "0" in the signals, and the researchers used Manchester coding to ensure accurate transmission and reduce errors.
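To make the coding step concrete, the following Python sketch (an added example, not code from the researchers or from the original article) models Manchester coding over an on-off keyed signal. It shows the two properties that help a receiver: every bit contains a transition, so a long run of zeros never looks like silence, and a half-symbol damaged by noise produces an invalid pair that can be flagged. The bit-to-symbol convention, the function names and the sample values are assumptions chosen for illustration.

```python
"""Manchester coding over on-off keying (OOK), as a constructed illustration."""
# Assumed convention (the page does not say which one was used):
# data bit 1 -> emission ON then OFF, data bit 0 -> OFF then ON.
# Each data bit costs two half-symbols, so the line rate is twice the data rate.
ENCODE = {1: (1, 0), 0: (0, 1)}
DECODE = {pair: bit for bit, pair in ENCODE.items()}

def to_bits(data: bytes) -> list[int]:
    """Unpack bytes into bits, most significant bit first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]

def manchester_encode(bits: list[int]) -> list[int]:
    """Expand each data bit into two OOK half-symbols (1 = on, 0 = off)."""
    return [chip for bit in bits for chip in ENCODE[bit]]

def slice_envelope(envelope: list[float], threshold: float) -> list[int]:
    """OOK decision: one amplitude reading per half-symbol, on if above threshold."""
    return [1 if level > threshold else 0 for level in envelope]

def manchester_decode(chips: list[int]) -> tuple[list, list[int]]:
    """Decode half-symbol pairs; 00 and 11 carry no transition and are flagged."""
    bits, invalid = [], []
    for index in range(0, len(chips) - 1, 2):
        bit = DECODE.get((chips[index], chips[index + 1]))
        bits.append(bit)  # None marks a bit that could not be decoded
        if bit is None:
            invalid.append(index // 2)
    return bits, invalid

def longest_run(chips: list[int]) -> int:
    """Length of the longest stretch with no on/off change."""
    best = run = 1
    for prev, cur in zip(chips, chips[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best

if __name__ == "__main__":
    payload = to_bits(b"\x00K")                    # constructed sample input
    chips = manchester_encode(payload)
    print("longest run, plain OOK :", longest_run(payload))
    print("longest run, Manchester:", longest_run(chips))
    envelope = [0.9 if c else 0.1 for c in chips]  # constructed amplitude readings
    envelope[5] = 0.2                              # noise pushes one "on" below threshold
    bits, invalid = manchester_decode(slice_envelope(envelope, 0.5))
    print("flagged bit positions  :", invalid)
```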


Attack performance and limitations

The RAMBO attack can transmit data at speeds of up to 1,000 bits per second, which equates to 128 bytes per second, or 0.125 KB per second. While this speed is relatively slow, it’s sufficient for stealing small amounts of data like text, keystrokes, and small files.

For instance, keylogging can be performed in near real-time, while stealing a password takes between 0.1 and 1.28 seconds. Extracting a 4096-bit RSA key takes between 4 and 42 seconds, and transferring a small image may take between 25 and 250 seconds, depending on transmission speed.

In terms of range, the attack can work within a maximum distance of 3 meters (9.8 feet) with a bit error rate between 2% and 4%. This range can be extended to 4.5 meters (14.7 feet) with the same error rate, while slower transmissions with nearly zero error can work reliably up to 7 meters (23 feet).

The researchers also tested transmission speeds up to 10,000 bits per second, but they found that anything beyond 5,000 bits per second results in a low signal-to-noise ratio, rendering data transmission ineffective.


Preventing the RAMBO attack

The researchers provided several mitigation techniques to counter the RAMBO attack and similar electromagnetic-based covert channel attacks, though these techniques come with their own trade-offs. Recommendations include strict zoning restrictions to enhance physical security, memory jamming to disrupt the electromagnetic signals, and using Faraday cages to block electromagnetic radiation from air-gapped systems.


The researchers tested the RAMBO attack on virtual machines running sensitive processes, and it remained effective even in such environments. However, due to the interaction between the host memory, operating system, and other virtual machines, it’s likely that the attack would be disrupted more quickly in these scenarios.


Conclusion

The RAMBO attack represents a new threat to air-gapped systems by exploiting electromagnetic emissions from RAM to steal sensitive data. Despite its limitations in speed and range, the attack poses a significant risk for stealing small amounts of critical information.

