RAMBO: First Bytes

Sometimes it seems like there is someone around every digital corner trying to steal your personal information. So to stay safe online, we have grown accustomed to using antivirus and malware protection software, firewalls, complex passwords, multi-factor authentication, and other safety measures. But as the news headlines show us daily, these measures are not always enough. All too often, malicious hackers pull ahead of security researchers in this never-ending cat-and-mouse game.

When security is of paramount importance — perhaps in the case of protecting corporate intellectual property or secrets of nation states — the absolute safest option is to store data on air-gapped computers. These systems are not connected to any networks, either wired or wireless. Because they are inaccessible via a network (and especially the internet), a person must physically sit at a terminal to interact with them. Without gaining physical access, which is virtually impossible for most would-be hackers, these systems are almost completely impenetrable.

Almost. But as security researcher Mordechai Guri of Ben-Gurion University of the Negev demonstrated, nothing in this world is ever completely safe. In a recent paper, Guri showed that data can be covertly stolen from an air-gapped computer using a new exploit called the RAMBO attack. Rather than going through the front door to gather information via the normal channels, RAMBO instead relies on a side-channel attack that exploits the electromagnetic signals produced by a computer during normal operation. This attack can be used to steal encryption keys, files, images, biometric data, and anything else that is stored on the machine.

The RAMBO attack does start with a big ask for an air-gapped machine — malware must be installed on the system. Guri suggests that an insider could be persuaded to plug a USB drive into the system that, unbeknownst to them, installs the malware. If this hurdle can be cleared, then the malware can read or write RAM, which causes electromagnetic radiation to be emitted as signals flow through the address and data busses. By then modulating the patterns and rates at which RAM is accessed, the malware can encode data in the resulting electromagnetic emissions.

Once the system is transmitting data, it can be picked up remotely by a software-defined radio receiver. The received signals can be demodulated to reveal the sensitive data that was exfiltrated. The transfers may not be very fast at 1,000 bits per second, but that is sufficient to steal all sorts of private data.

The data transmission was tested at distances of up to about 20 feet, so the attacker does need to be relatively close to the air-gapped system. Between that and the requirement to install malware, RAMBO may not be a huge threat to systems that are being closely monitored for security purposes, but it is still certainly something to be aware of.

For those that are concerned about RAMBO-style attacks, Guri suggests some countermeasures that can foil the exploit. The system could be put inside a Faraday cage, for example, which would prevent radio signals from leaking out. Concerned parties could also run a process that randomly reads and writes RAM to interfere with any signals produced by potential malware. External radio jamming equipment would also stop RAMBO in its tracks.