Researchers snoop data from air-gapped PC's RAM sticks by monitoring EM radiation from 23 feet away

A team of Israeli university researchers from Ben Gurion University, led by Mordechai Guri, has developed a way for an air-gapped computer to transmit data wirelessly using the electromagnetic emissions of its RAM sticks, reports BleepingComputer. An air-gapped PC is a computer that is not connected to any network, whether Ethernet, Wi-Fi, Bluetooth, or any other form of remote data connection. Theoretically, this would make it next to impossible to get data from that device without the attacker gaining physical access to it.

However, Guri and their team have found a way to exploit the weakness of every electronic computer, its electromagnetic emissions, to exfiltrate data without a wired or wireless connection. This type of attack, called RAMBO (Radiation of Air-gapped Memory Bus for Offense), is executed by installing malware on the target PC. The malware then runs an On-Off Keying (OOK) attack, surreptitiously switching signals within the RAM on and off at a rapid rate.

Since electronic devices (like the RAM sticks) always emit radio frequency signals, no matter how minute, the attacker could then intercept the back-and-forth switching of radio signals coming from the RAM through a Software-Defined Radio and record it as binary information.

In tests, RAMBO could only move data at around 128 bytes per second (0.125 KB/s), which is rather slow (around 450 kilobytes per hour) compared to the massive amounts of data we casually transmit today. However, it could still be useful for stealing text files, keystrokes, passwords, and even small, low-resolution images.

Since this type of attack isn’t monitored by most security products, there would be no way to detect it if it’s happening. The hardest part for any attacker would be to install the malware on the air-gapped system. Most likely, some kind of social engineering technique, like a dropped USB stick, would be used. That may sound improbable, but it was the suspected attack vector used in the Stuxnet attacks against Iran.

Once the targeted computer has been affected, the attacker needs to be nearby to record the radio frequency (RF) emissions. The receiving device should be at most three meters (or 10 feet) away from the target for fast and real-time transmissions. On the other hand, medium-speed transmissions work up to 4.5 meters (or 15 feet), and slow transmissions are viable up to seven meters or 23 feet away.
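The trade-off between range and speed described above follows from how an OOK receiver works: a weaker signal needs a longer bit period to average out noise. The following simulation is an added example, not code from the researchers or the article; it runs on synthetic samples only, and the amplitudes, noise level and samples-per-bit values are constructed assumptions rather than measurements of RAMBO.

```python
import random

def ook_transmit(bits, samples_per_bit, on_amplitude, noise_sigma, rng):
    """Synthetic OOK signal: carrier present for a 1, absent for a 0, plus noise."""
    samples = []
    for bit in bits:
        level = on_amplitude if bit else 0.0
        for _ in range(samples_per_bit):
            samples.append(level + rng.gauss(0.0, noise_sigma))
    return samples

def ook_receive(samples, samples_per_bit, on_amplitude):
    """Average each bit period and compare with half the expected 'on' level."""
    threshold = on_amplitude / 2.0
    bits = []
    for start in range(0, len(samples), samples_per_bit):
        window = samples[start:start + samples_per_bit]
        bits.append(1 if sum(window) / len(window) > threshold else 0)
    return bits

def bit_errors(samples_per_bit, on_amplitude, noise_sigma=0.2, n_bits=256, seed=1):
    """Send random bits through the simulated channel and count wrong bits."""
    rng = random.Random(seed)  # fixed seed so runs are repeatable
    sent = [rng.getrandbits(1) for _ in range(n_bits)]
    signal = ook_transmit(sent, samples_per_bit, on_amplitude, noise_sigma, rng)
    received = ook_receive(signal, samples_per_bit, on_amplitude)
    return sum(a != b for a, b in zip(sent, received))

if __name__ == "__main__":
    # Constructed scenarios: amplitude 1.0 stands for a close receiver,
    # 0.1 for a distant or shielded one (same noise floor in both cases).
    scenarios = [
        ("near, fast (8 samples/bit)", 8, 1.0),
        ("far,  fast (8 samples/bit)", 8, 0.1),
        ("far,  slow (2048 samples/bit)", 2048, 0.1),
    ]
    for label, spb, amplitude in scenarios:
        print(f"{label}: {bit_errors(spb, amplitude)} bit errors out of 256")
```

Any attenuation between the machine and a receiver, whether from distance or shielding, shows up in this model as a lower amplitude, which forces the usable bit rate down.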

While the attacker needs to have a nearby receiver to gather the RF data from its target, espionage agencies have time and again proven their skill of infiltrating even the most secure places to place data-gathering devices.

This isn’t the first time that Guri has developed novel and unusual ways to exfiltrate data. Their team has developed cyberattacks that targeted PSUs, monitor brightness, PC fan vibrations, and even the SATA cable. However, the sophistication required for this attack means that the average computer user would likely be unaffected. After all, the resources involved with RAMBO would likely not make it worth it for stealing credit card or social security numbers. But if you’re a government entity using an air-gapped PC to control your country’s nuclear missiles, then you better watch out.

Jowi Morales
Contributing Writer

Jowi Morales is a tech enthusiast with years of experience working in the industry. He’s been writing with several tech publications since 2021, where he’s been interested in tech hardware and consumer electronics.

  • ex_bubblehead
    This has been known for decades and is very impractical given the limited range.
  • Steve Nord_
    23' isn't limited range much, being 7 m. Still very close to nuclear munition example; I'm having second thoughts about running guest VM on my hypersonic armada (necessarily 'very close' on a frequent basis altitude aside, right?)
  • ex_bubblehead
    The signals are so weak that they won't easily pass through a nearby wall, meaning that one must be in the same room which renders such snooping moot. This doesn't even require minimal tempest hardening (a simple aluminum screen material on or in the wall and grounded will kill the signal dead).
  • newtechldtech
    This might work against home users' cases with a lot of glass open spaces, but will not work against standard business or workstation or server machines; the case cover itself works like a Faraday cage.
  • SyncroScales
    espionage agencies have time and again proven their skill of infiltrating even the most secure places to place data-gathering devices.
    You find someone in debt, an alcoholic, drug-user, someone wanting a friend at a church or invite them to social situations. Train them a little bit, obviously and don't tell them anything. Or certain bloodlines that do not pay taxes and are celebrity or political families. They have younger relatives that will learn what to do or to become managers. Everyone went to school with their nieces and nephews, children or cousins. Scientologists and the entertainment industries, western or non-western have done it for a long time. Some really enjoy participating and have reasons why they do it. The agencies are a little more efficient. It's wrong when they have targeted civilians.

    This might work against home users' cases with a lot of glass open spaces, but will not work against standard business or workstation or server machines; the case cover itself works like a Faraday cage.

    Is this a trend with how homes and condos or commercial spaces are intentionally designed? How about passing inspections with public infrastructure? Open space concepts are nice sometimes. Cutting costs and raising prices or materials also works.