Attackers Can Use RAM To Steal Data From Air-Gapped Networks

A new attack technique that relies on radio signals from memory buses to exfiltrate data from air-gapped systems has been identified.

The attack is a novel side channel that uses the radio signals emitted by a device's Random Access Memory (RAM) as a data exfiltration mechanism, posing a threat to air-gapped networks.

Air-gapped systems, typically used in mission-critical environments with exceptionally high-security requirements, such as governments, weapon systems, and nuclear power stations, are isolated from the public internet and other networks to prevent malware infections and data theft.

The technique has been codenamed RAMBO by Dr. Mordechai Guri, the head of the Offensive Cyber Research Lab in the Department of Software and Information Systems Engineering at the Ben Gurion University of the Negev in Israel. "Using software-generated radio signals, malware can encode sensitive information such as files, images, keylogging, biometric information, and encryption keys," Dr. Guri has said in a newly published research paper.

"With software-defined radio (SDR) hardware, and a simple off-the-shelf antenna, an attacker can intercept transmitted raw radio signals from a distance. The signals can then be decoded and translated back into binary information," Guri says.

Like other air-gap covert channels, the attack requires that the air-gapped network is first compromised, whether through an insider, a poisoned USB drive, or a supply chain attack, so that malware can be planted to drive the covert exfiltration channel.

Once that foothold exists, the RAMBO malware manipulates RAM so that the memory bus generates radio signals at its clock frequencies; the data to be leaked is Manchester-encoded onto those signals and transmitted so that it can be received at a distance. The encoded data can include keystrokes, documents, and biometric information. An attacker on the other end uses an SDR to receive the electromagnetic signals, demodulates and decodes them, and recovers the exfiltrated information.

The technique could be used to leak data from air-gapped computers running Intel i7 3.6GHz CPUs and 16 GB RAM at 1,000 bits per second, the research found, with keystrokes being exfiltrated in real-time with 16 bits per key.

"A 4096-bit RSA encryption key can be exfiltrated at 41.96 sec at a low speed and 4.096 bits at a high speed," Dr. Guri said. "Biometric information, small files (.jpg), and small documents (.txt and .docx) require 400 seconds at the low speed to a few seconds at the fast speeds... This indicates that the RAMBO covert channel can be used to leak relatively brief information over a short period."
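The two technical details the article gives about the channel are the line code (Manchester encoding) and the bit rate (1,000 bits per second). The following Python is an added illustration written for this page, not code from Dr. Guri's paper or from the RAMBO tooling: it shows what Manchester encoding does to a payload (every bit becomes a pair of half-bit symbols with a guaranteed mid-bit transition, which is what lets a receiver recover the sender's clock from the signal itself), why a decoder can reject symbol pairs that lack that transition, and how the stated bit rate translates into transmission time for the payload sizes the article mentions. The IEEE 802.3 symbol polarity (0 as high-to-low, 1 as low-to-high) is an assumption for the illustration; the RAM-side signal generation is deliberately not modelled.

```python
"""Manchester line coding, as named in the RAMBO description, on a byte payload.

Added illustration for this article; it is not the research paper's code.
Polarity follows the IEEE 802.3 convention (an assumption): a data 0 is sent
as the half-bit pair (1, 0) and a data 1 as (0, 1). Either way every bit
contains a mid-bit transition, so the symbol stream is self-clocking.
"""

from typing import List, Tuple

ZERO: Tuple[int, int] = (1, 0)  # data bit 0 -> high then low
ONE: Tuple[int, int] = (0, 1)   # data bit 1 -> low then high


def bytes_to_bits(data: bytes) -> List[int]:
    """MSB-first list of bits for a byte string."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def bits_to_bytes(bits: List[int]) -> bytes:
    """Inverse of bytes_to_bits; the bit count must be a multiple of 8."""
    if len(bits) % 8:
        raise ValueError("bit count is not a multiple of 8")
    out = bytearray()
    for i in range(0, len(bits), 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def manchester_encode(data: bytes) -> List[int]:
    """Expand each data bit into its two half-bit symbols (twice the bit count)."""
    symbols: List[int] = []
    for bit in bytes_to_bits(data):
        symbols.extend(ONE if bit else ZERO)
    return symbols


def is_valid_manchester(symbols: List[int]) -> bool:
    """True if every aligned symbol pair carries a transition (no (0,0) or (1,1))."""
    if len(symbols) % 2:
        return False
    return all(tuple(symbols[i:i + 2]) in (ZERO, ONE) for i in range(0, len(symbols), 2))


def manchester_decode(symbols: List[int]) -> bytes:
    """Collapse aligned half-bit pairs back into data bits, rejecting pairs
    without a mid-bit transition (which indicate noise or lost alignment)."""
    if len(symbols) % 2:
        raise ValueError("odd number of half-bit symbols")
    bits: List[int] = []
    for i in range(0, len(symbols), 2):
        pair = tuple(symbols[i:i + 2])
        if pair == ONE:
            bits.append(1)
        elif pair == ZERO:
            bits.append(0)
        else:
            raise ValueError(f"no mid-bit transition at symbol index {i}: {pair}")
    return bits_to_bytes(bits)


def symbol_rate(bit_rate: int) -> int:
    """Manchester doubles the symbol rate: 1,000 bps needs 2,000 symbols/s."""
    return 2 * bit_rate


def transmission_time(payload_bits: int, bit_rate: int) -> float:
    """Seconds needed to send payload_bits at bit_rate (ignores framing/overhead)."""
    return payload_bits / bit_rate


if __name__ == "__main__":
    # Constructed sample payload, standing in for a captured keystroke record.
    payload = b"key"
    symbols = manchester_encode(payload)
    print(f"{len(payload) * 8} data bits -> {len(symbols)} half-bit symbols")
    print("round trip:", manchester_decode(symbols))
    print("one 16-bit keystroke at 1000 bps:", transmission_time(16, 1000), "s")
    print("a 4096-bit key at 1000 bps:", transmission_time(4096, 1000), "s")
```

At the article's 1,000 bps figure a 16-bit keystroke occupies 16 ms of channel time and a 4096-bit payload about 4.1 s; the halved effective data rate relative to the symbol rate is the price paid for self-clocking, which matters for a receiver that has no other timing reference than the emission itself.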

Several defensive measures can be applied to prevent or detect a RAMBO-style attack.

These countermeasures include enforcing "red-black" zone restrictions on information transfer, using an intrusion detection system (IDS), monitoring memory access at the hypervisor level, using radio jammers to block wireless emissions, and enclosing sensitive systems in a Faraday cage.
