Researchers turn RAM into radio antenna, beaming secrets from air-gapped system


Even an isolated computer in a sealed room can be accessed by an outsider with a cheap antenna, exploiting a new RAMBO attack.

Governments and institutions such as banks rely on air-gapped systems, isolated from the internet, for their most critical and sensitive operations or data. However, offline mainframes are not immune to external threats, according to a paper by Dr. Mordechai Guri, a researcher at Ben-Gurion University of the Negev, Israel.

The researcher abused the random access memory (RAM) bus of a computer to generate radio signals and transmit data. In theory, this method could be exploited by external attackers to intercept and steal sensitive data without any internet or physical access to the air gap system.

ADVERTISEMENT

The researcher dubbed this attack RAMBO, or Radiation of Air-gapped Memory Bus for Offense.

“Malware on a compromised computer can generate radio signals from memory buses (RAM). Using software-generated radio signals, malware can encode sensitive information such as files, images, keylogging, biometric information, and encryption keys. With software-defined radio (SDR) hardware, and a simple off-the-shelf antenna, an attacker can intercept transmitted raw radio signals from a distance,” the researcher said.

The achieved bandwidth was 1000 bits per second, meaning that it would take almost 100 days to download 1GB of data.

An attacker would still need to infect the target computer with malware to make this electromagnetic transmission possible. Air gap systems are physically and logically isolated from any networks or communication channels.

Yet multiple incidents have demonstrated that air-gapped networks are not immune to breaches. Stuxnet was one of the most famous malware strains that managed to cross this boundary.

More than twenty-five malware variants were discovered in the past to target air-gapped systems, including USBStealer, Agent.BTZ, Fanny, MiniFlame, Flame and others. Malicious code could be brought via USB, compromised updates, or other media.

Once compromised, the system’s RAM bus, which consists of electrical lines connecting the processor to memory modules, starts transmitting data via electromagnetic waves, which can be intercepted by a remote attacker.

hack-demonstration
An air-gap workstation transmits a secret image of Optimus Prime.
ADVERTISEMENT

“When data is transferred through a RAM bus, it involves rapid voltage and current changes, mainly in the Data bus. These voltage transitions create electromagnetic fields, which can radiate electromagnetic energy through electromagnetic interference (EMI) or radio frequency interference (RFI),” the researcher explains in a paper.

Using a computer with an Intel i7 3.6GHz CPU and 16GB of RAM running at 2.133 - 2.400 GHz frequency, Guri demonstrated that small files could be transferred in around 400 seconds over a distance of 7 meters (23 feet). The bandwidth is enough to run a keylogger in real-time. Smaller distances would yield speed increases.

“This method could be used to exfiltrate arbitrary types of information, such as keystroke logging, files, images, biometric data, etc.” the researcher warned.

“With this method, attackers can leak data from highly isolated, air-gapped computers to a nearby receiver at a bit rate of hundreds of bits per second.”

The paper also provides some measures to counteract such attacks, such as zone restrictions, host intrusion detection systems, external electromagnetic spectrum monitoring, internal RAM operation jamming, radio reductions, and Faraday enclosures.