Researchers snoop data from air-gapped PC's RAM sticks by monitoring EM radiation from 23 feet away
'RAMBO' attack exploits a weakness present in almost every electronic device.

A team of researchers from Israel's Ben Gurion University, led by Mordechai Guri, has developed a way for an air-gapped computer to transmit data wirelessly using the electromagnetic transmissions emitted by its RAM sticks, reports BleepingComputer. An air-gapped PC is a computer that is not connected to any network — whether Ethernet, Wi-Fi, Bluetooth, or any other form of remote data connection. Theoretically, this would make it next to impossible to get data from that device without the attacker gaining physical access to it.
However, Guri and their team have found a way to exploit a weakness of every electronic computer — its electromagnetic transmissions — to exfiltrate data without a wired or wireless connection. This type of attack, called RAMBO or Radiation of Air-gapped Memory Bus for Offense, is executed by installing malware on the target PC. The malware then performs On-Off Keying (OOK), surreptitiously switching signals rapidly within the RAM to encode data.
Since electronic devices (like the RAM sticks) always emit radio frequency signals, no matter how minute, the attacker could then intercept the back-and-forth switching of radio signals coming from the RAM through a Software-Defined Radio and record it as binary information.
In tests, RAMBO could only move data at around 128 bytes per second (0.125 KB/s), which is rather slow (around 450 kilobytes per hour) compared to the massive amounts of data we casually transmit today. However, it could still be useful for stealing text files, keystrokes, passwords, and even small, low-resolution images.
Since this type of attack isn’t monitored by most security products, there would be no way to detect it if it’s happening. The hardest part for any attacker would be to install the malware on the air-gapped system. Most likely, some kind of social engineering technique, like a dropped USB stick, would be used. That may sound improbable, but it was the suspected attack vector used in the Stuxnet attacks against Iran.
Once the targeted computer has been affected, the attacker needs to be nearby to record the radio frequency (RF) emissions. The receiving device should be at most three meters (or 10 feet) away from the target for fast and real-time transmissions. On the other hand, medium-speed transmissions work up to 4.5 meters (or 15 feet), and slow transmissions are viable up to seven meters or 23 feet away.
While the attacker needs to have a nearby receiver to gather the RF data from its target, espionage agencies have time and again proven their skill of infiltrating even the most secure places to place data-gathering devices.
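The trade-off between distance and speed in the range figures above can be reproduced with a small simulation of an OOK receiver: a slower bit rate gives the receiver more samples to average per bit, which pulls a weak, distant signal out of the background noise. This is an added illustration, not the researchers' code; the amplitudes, noise level, sample counts and function names are constructed assumptions, not measurements from the paper.

```python
import random

def ook_envelope(bits, samples_per_bit, amplitude, noise_sigma, rng):
    """Constructed receiver input: signal level `amplitude` while a 1 is keyed,
    zero while a 0 is keyed, plus Gaussian background noise on every sample."""
    return [amplitude * bit + rng.gauss(0.0, noise_sigma)
            for bit in bits for _ in range(samples_per_bit)]

def demodulate(samples, samples_per_bit):
    """Average each bit period, then threshold at the mean of those averages."""
    means = [sum(samples[i:i + samples_per_bit]) / samples_per_bit
             for i in range(0, len(samples), samples_per_bit)]
    threshold = sum(means) / len(means)
    return [1 if m > threshold else 0 for m in means]

def bit_error_rate(samples_per_bit, amplitude, noise_sigma=1.0, n_bits=1000, seed=1):
    """Fraction of bits decoded wrongly for one speed / signal-strength pairing."""
    rng = random.Random(seed)
    bits = [rng.getrandbits(1) for _ in range(n_bits)]
    received = ook_envelope(bits, samples_per_bit, amplitude, noise_sigma, rng)
    decoded = demodulate(received, samples_per_bit)
    return sum(a != b for a, b in zip(bits, decoded)) / n_bits

if __name__ == "__main__":
    # Assumed values: amplitude 4.0 stands in for a nearby receiver,
    # 0.5 for a distant or attenuated one; noise sigma is fixed at 1.0.
    for label, amplitude in (("near (strong signal)", 4.0), ("far (weak signal)", 0.5)):
        for samples_per_bit in (4, 64, 256):
            ber = bit_error_rate(samples_per_bit, amplitude)
            print(f"{label:22s} samples/bit={samples_per_bit:3d}  BER={ber:.3f}")
```

With the weak signal, the fast setting decodes close to a third of the bits wrongly, while the slow setting recovers them almost perfectly, which mirrors the article's fast, medium and slow ranges.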
This isn’t the first time that Guri has developed novel and unusual ways to exfiltrate data. Their team has developed cyberattacks that targeted PSUs, monitor brightness, PC fan vibrations, and even the SATA cable. However, the sophistication required for this attack means that the average computer user would likely be unaffected. After all, the resources involved with RAMBO would likely not make it worth it for stealing credit card or social security numbers. But if you’re a government entity using an air-gapped PC to control your country’s nuclear missiles, then you better watch out.

Jowi Morales is a tech enthusiast with years of experience working in the industry. He’s been writing with several tech publications since 2021, where he’s been interested in tech hardware and consumer electronics.

ex_bubblehead
This has been known for decades and is very impractical given the limited range.

Steve Nord_
23' isn't limited range much, being 7 m. Still very close to nuclear munition example; I'm having second thoughts about running guest VM on my hypersonic armada (necessarily 'very close' on a frequent basis altitude aside, right?)

ex_bubblehead
The signals are so weak that they won't easily pass through a nearby wall, meaning that one must be in the same room which renders such snooping moot. This doesn't even require minimal tempest hardening (a simple aluminum screen material on or in the wall and grounded will kill the signal dead).

newtechldtech
This might work against home users cases with a lot of glass open spaces, but will not work against standard business or workstation or server machines, the case cover itself works like a faraday cage.

SyncroScales
"espionage agencies have time and again proven their skill of infiltrating even the most secure places to place data-gathering devices."
You find someone in debt, an alcoholic, drug-user, someone wanting a friend at a church or invite them to social situations. Train them a little bit, obviously and don't tell them anything. Or certain bloodlines that do not pay taxes and are celebrity or political families. They have younger relatives that will learn what to do or to become managers. Everyone went to school with their nieces and nephews, children or cousins. Scientologists and the entertainment industries, western or non-western have done it for a long time. Some really enjoy participating and have reasons why they do it. The agencies are a little more efficient. It's wrong when they have targeted civilians.
"this might work against home users cases with a lot of glass open spaces, but will not work against standard business or workstation or server machines, the case cover itself works like a faraday cage."
Is this a trend with how homes and condos or commercial spaces are intentionally designed? How about passing inspections with public infrastructure? Open space concepts are nice sometimes. Cutting costs and raising prices or materials also works.

Oblivion77
In regard of similar articles
https://www.techradar.com/pro/security/rambo-attack-uses-ram-in-air-gapped-computers-to-steal-data
https://www.neowin.net/news/researchers-warn-about-new-satan-that-can-hack-air-gapped-pcs-using-sata-cables/
https://www.f5.com/labs/articles/cisotociso/attacking-air-gap-segregated-computers
1. Could my data be stolen through the charger cord as well?
2. Would brick walls, windows etc., prevent the "hacker device" from receiving the crucial RF-signals from the targeted system?
3. Those mentioned devices that can hack air-gapped systems, are they easily available to the average hacker?
4. Could a not-jailbroken iPhone be hacked, and used as the RF-receiver?
5. What measurements can I implement, to make sure my air-gapped system doesn't get hacked?
6. All the mentioned methods of hacking an air-gapped system, is it NSA-level or something the average hacker could do?
Thank you

ex_bubblehead
These exploits require that there be at least one person with physical access to get the ball rolling. If someone has that access then the exploit isn't needed in the first place.

USAFRet
Oblivion77 said:
In regard of similar articles
https://www.techradar.com/pro/security/rambo-attack-uses-ram-in-air-gapped-computers-to-steal-data
https://www.neowin.net/news/researchers-warn-about-new-satan-that-can-hack-air-gapped-pcs-using-sata-cables/
https://www.f5.com/labs/articles/cisotociso/attacking-air-gap-segregated-computers
1. Could my data be stolen through the charger cord as well?
2. Would brick walls, windows etc., prevent the "hacker device" from receiving the crucial RF-signals from the targeted system?
3. Those mentioned devices that can hack air-gapped systems, are they easily available to the average hacker?
4. Could a not-jailbroken iPhone be hacked, and used as the RF-receiver?
5. What measurements can I implement, to make sure my air-gapped system doesn't get hacked?
6. All the mentioned methods of hacking an air-gapped system, is it NSA-level or something the average hacker could do?
Thank you

5. This requires malware to be installed and running
6. This is NOT an 'average hacker' thing. No one is going to be sitting in your driveway, or the apartment next door, snooping your data.

stonecarver
USAFRet said: "This is NOT an 'average hacker' thing. No one is going to be sitting in your driveway, or the apartment next door, snooping your data."
Maybe not this exact method the story outlines but this IS what I had to deal with and yes people do go to these same MO's the only thing you missed was the jumping over the block wall to get in my back yard.
When I think about how easy it would have been to put malware on my computer if I went to the bathroom and never noticed as this person would have been back on the couch and I would have not even thought twice.
If this below average hacker had the knowledge or information the method in this story it would have been used.
Most likely will not happen to 99.9% of people but never dismiss that 1%

Oblivion77
ex_bubblehead said: "These exploits require that there be at least one person with physical access to get the ball rolling. If someone has that access then the exploit isn't needed in the first place."
Physical access so to install malware on the targeted system?
What about the method with SATA-cables, does it also require physical access to the targeted system first, for it to work?