Exploits

RAMBO Side-Channel Attack Exploits RAM Signals to Steal Air-Gapped Data

Published  ·  3 min read
Updated on September 11, 2024

A novel side-channel attack has emerged, utilizing radio signals emitted by a device's random access memory (RAM) to exfiltrate sensitive data from air-gapped networks. This newly discovered technique, called RAMBO (Radiation of Air-gapped Memory Bus for Offense), was revealed by Dr. Mordechai Guri, head of the Offensive Cyber Research Lab at Ben Gurion University of the Negev, Israel.

The RAMBO attack relies on software-generated radio signals to encode sensitive information, such as files, images, keystrokes, biometric data, and encryption keys. "Malware can use these signals to exfiltrate data without needing hardware beyond a simple antenna and SDR (software-defined radio) hardware," Dr. Guri explained in his research paper.

By intercepting these raw radio signals from a distance, attackers can decode the emissions and convert them back into binary information. The technique is highly effective at breaching air-gapped systems, which are usually isolated from external networks for security purposes.

 

A History of Creative Attacks

Dr. Guri has pioneered several other techniques to extract data from air-gapped systems. Some of these methods include:

  • SATAn: Leveraging Serial ATA cables.
  • GAIROSCOPE: Exploiting MEMS gyroscopes.
  • ETHERLED: Using LEDs on network interface cards.
  • COVID-bit: Utilizing dynamic power consumption.

He has even devised methods to exfiltrate data via GPU fan-generated acoustic signals (GPU-FAN) and motherboard buzzers (EL-GRILLO). His creative approaches extend to leaking data from printer display panels and status LEDs (PrinterLeak).

In 2023, Dr. Guri demonstrated AirKeyLogger, a hardwareless keylogging attack that uses radio emissions from a computer’s power supply to transmit real-time keystroke data remotely.

 

RAMBO Attack Details

Like previous attacks, RAMBO requires prior compromise of the air-gapped network, typically through tactics such as rogue insiders, malicious USB drives, or supply chain attacks. Once the malware is introduced, it manipulates the RAM to generate radio signals at clock frequencies, using Manchester encoding to transmit data.

The exfiltrated information can range from keystrokes, documents, and biometric data. A remote attacker equipped with an SDR receiver can intercept these signals, decode them, and retrieve the sensitive information. The malware takes advantage of the electromagnetic emissions from RAM, allowing attackers to receive and decode data into its original format.

Dr. Guri's research shows that the RAMBO technique can extract data at a rate of 1,000 bits per second. For example, real-time keystrokes can be transmitted at a rate of 16 bits per key. Additionally, a 4,096-bit RSA encryption key could be leaked in just 41.96 seconds at a low speed. Small files, such as images and documents, can be transmitted in under 400 seconds.

 

Countermeasures

To mitigate the risks of a RAMBO attack, several countermeasures can be implemented, including:

  • Red-Black Zone Restrictions: Limiting the transfer of sensitive information.
  • Intrusion Detection Systems (IDS): Monitoring for unusual activity at the hypervisor level.
  • Radio Jammers: Blocking wireless communications.
  • Faraday Cages: Shielding equipment from electromagnetic emissions.

These measures can help protect sensitive air-gapped systems from unauthorized data exfiltration via RAMBO and other similar side-channel attacks.

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067