Attackers Can Use RAM To Steal Data From Air-Gapped Networks

Uploaded on 2024-10-03 in TECHNOLOGY--Developments, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

A new attack technique that relies on radio signals from memory buses to exfiltrate data from air-gapped systems has been identified.

The exploit is a novel side-channel attack that has been found to leverage radio signals emanated by a device's Random Access Memory (RAM) as a data exfiltration mechanism, posing a threat to air-gapped networks.

Air-gapped systems, typically used in mission-critical environments with exceptionally high-security requirements, such as governments, weapon systems, and nuclear power stations, are isolated from the public internet and other networks to prevent malware infections and data theft.

The technique has been codenamed RAMBO by Dr. Mordechai Guri, the head of the Offensive Cyber Research Lab in the Department of Software and Information Systems Engineering at the Ben Gurion University of the Negev in Israel. "Using software-generated radio signals, malware can encode sensitive information such as files, images, keylogging, biometric information, and encryption keys," Dr. Guri has said in a newly published research paper.

"With software-defined radio (SDR) hardware, and a simple off-the-shelf antenna, an attacker can intercept transmitted raw radio signals from a distance. The signals can then be decoded and translated back into binary information." Guri says.

The exploit does require that the air-gapped network is first compromised by using either an insider, poisoned USB drives, or a supply chain attack, thereby allowing the malware to trigger the covert data exfiltration channel.

RAMBO is no exception, in that the malware is used to manipulate RAM such that it can generate radio signals at clock frequencies, which are then encoded using Manchester encoding and transmitted so as to be received from a distance away. The encoded data can include keystrokes, documents, and biometric information. An attacker on the other end can then leverage SDR to receive the electromagnetic signals, demodulate and decode the data, and retrieve the exfiltrated information.

The technique could be used to leak data from air-gapped computers running Intel i7 3.6GHz CPUs and 16 GB RAM at 1,000 bits per second, the research found, with keystrokes being exfiltrated in real-time with 16 bits per key.

"A 4096-bit RSA encryption key can be exfiltrated at 41.96 sec at a low speed and 4.096 bits at a high speed," Dr. Guri said. "Biometric information, small files (.jpg), and small documents (.txt and .docx) require 400 seconds at the low speed to a few seconds at the fast speeds... This indicates that the RAMBO covert channel can be used to leak relatively brief information over a short period."

There are several defensive and protective measures that can be implemented to prevent the RAMBO attack. 

These counter measures to block the attack include enforcing "red-black" zone restrictions for information transfer, using an intrusion detection system (IDS), monitoring hypervisor-level memory access, using radio jammers to block wireless communications, and using a Faraday cage.

The Hacker News     |     Security Week     |     Bleeping Computers     |   Cornell University  |  Covert Channels   | 

Wikipedia

Image: Unsplash 

You Might Also Read: 

Quantum-Safe Encryption Comes Closer:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Remote Pager Attack Begins A New Era Of Warfare
Bristol Will Spend £3.2M On Municipal Cyber Security »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Leonardo

Leonardo

Leonardo (formerly Finmeccanica) is a global high-tech company in Aerospace, Defence, Security & Information Systems including Cybersecurity & ICT solutions.

SANS Institute

SANS Institute

SANS is the most trusted and by far the largest source for information security training and security certification in the world.

GlobalSign

GlobalSign

GlobalSign is an identity services company providing cloud-based, PKI solutions for enterprises needing to conduct safe commerce, communications, content delivery and community interactions.

Careers in Cyber Security (CiCS)

Careers in Cyber Security (CiCS)

CareersinCyberSecurity is a leading global job board and career resource for Cyber Security, IT Audit, Technology Risk and Data Protection professionals.

Industrial Networking Solutions (INS)

Industrial Networking Solutions (INS)

INS Services specializes in designing, deploying and providing on-going support for critical OT (Operational Technology) and IIoT (Industrial Internet of Things) networks.

Government Communications Security Bureau (GCSB)

Government Communications Security Bureau (GCSB)

GCSB contributes to New Zealand’s national security by providing information assurance and cyber security to the New Zealand Government and critical infrastructure organisations.

Cancom

Cancom

CANCOM group is one of the leading providers of IT infrastructure and IT services in Germany and Austria. Solution areas include network security.

Very Good Security (VGS)

Very Good Security (VGS)

VGS is the modern approach to data security. Our SaaS solution gives you all the benefits of interacting with sensitive and regulated data without the liability of securing it.

Kippeo Technologies

Kippeo Technologies

Kippeo is a security systems integrator providing innovative solutions that look at all the parameters and connect all the dots.

Navaio IT Security

Navaio IT Security

Navaio helps clients with IT Security related challenges with a primary focus on Identity and Access Management, Data Governance, User Awareness and Cyber Resilience Services.

ConvergeOne

ConvergeOne

ConvergeOne is a leading global IT services provider of collaboration and technology solutions including cybersecurity.

Hawk Network Defense

Hawk Network Defense

HAWK.io is the First Fully Automated, Multi-Tenant, Cloud-Based, MDR Service Company.

Grayshift

Grayshift

Grayshift is the leading provider of mobile device digital forensics, specializing in lawful access and extraction.

SubRosa Cyber Solutions

SubRosa Cyber Solutions

SubRosa Cyber Solutions solves its clients’ most tenacious information security, risk and compliance challenges through a multitude of information technology services and expertise.

QGroup

QGroup

QGroup has been re-designing the consultancy industry since 2012. We're a rapidly expanding group of consulting companies that deliver bespoke IT services including cybersecurity.

Cyrex

Cyrex

Cyrex is a Web3 security and development company. Our mastery over decentralized applications, smart contracts and blockchain will keep you secure across Web3.