A novel side-channel attack has been identified that uses the radio signals emitted by a device’s random access memory (RAM) as a data exfiltration channel, posing a threat to air-gapped networks.
The technique has been codenamed RAMBO by Dr. Mordechai Guri, head of the Offensive Cyber Research Lab in the Department of Software and Information Systems Engineering at Israel’s Ben-Gurion University of the Negev.
“Using software-generated radio signals, malware can encode sensitive data such as files, images, keylogging, biometric information, and encryption keys,” Dr. Guri wrote in a newly published research paper.
“With software-defined radio (SDR) hardware and a simple off-the-shelf antenna, an attacker can intercept transmitted raw radio signals from a distance. The signals can then be decoded and translated back into binary information.”
Over the years, Dr. Guri has devised a range of techniques for extracting confidential data from offline networks, using components such as SATA cables, micro-electromechanical systems (MEMS) gyroscopes, and the status LEDs on network interface cards, as well as dynamic power consumption patterns.
Other unconventional approaches from the same researcher include leaking data from air-gapped networks via the acoustic signals of GPU fans, (ultra)sonic waves from built-in motherboard buzzers, and even printer display panels and status LEDs.
Dr. Guri has also demonstrated a hardware-less radio frequency (RF) keylogging attack that leverages the radio emissions of a computer’s power supply to exfiltrate keystrokes in real time to a remote receiver.
“To leak confidential data, the processor’s working frequencies are manipulated to generate a pattern of electromagnetic emissions from the power unit modulated by keystrokes,” Guri noted in that study. “The keystroke information can be received at distances of several meters away via an RF receiver or a smartphone with a simple antenna.”
As with every attack on an air-gapped network, the attacker first needs an initial foothold, whether through a malicious insider, poisoned USB drives, or a supply chain attack; only then can the malware on the isolated machine establish a covert data exfiltration channel.
RAMBO is no different. The malware does not exploit a vulnerability in the memory subsystem; it manipulates RAM access patterns so that the memory bus generates radio signals at its clock frequencies, encodes the data using Manchester encoding, and transmits it so that it can be received from a distance. Note that the data is encoded, not encrypted: the channel carries whatever the malware feeds it in the clear.
The encoded data can include keystroke information, documents, and biometric data. An attacker on the other end can then use software-defined radio (SDR) to receive the electromagnetic signals, demodulate and decode them, and recover the exfiltrated information.
“The malware utilizes electromagnetic emissions from the RAM to modulate the information and transmit it outward,” Dr. Guri said. “The remote attacker with a radio receiver and antenna can receive the information, demodulate it, and decode it into its original binary or textual representation.”
The research found that the technique can leak data from air-gapped computers running Intel i7 3.6 GHz CPUs with 16 GB of RAM at up to 1,000 bits per second, with keystrokes exfiltrated in real time at 16 bits per key.
“A 4096-bit RSA encryption key can be exfiltrated in 41.96 seconds at the low speed and 4.096 seconds at the high speed,” Dr. Guri said. “Biometric information, small files (.jpg), and small documents (.txt and .docx) require 400 seconds at the low speed to a few seconds at the fast speeds.”
“This indicates that the RAMBO covert channel can be used to leak relatively brief information over a short period.”
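The modulate/demodulate chain described above, as an added simulation that is not Guri’s code or the paper’s implementation: Manchester coding over on/off keyed bursts, a noisy amplitude trace standing in for the sampled RF envelope, and a receiver that aligns on a preamble, majority-votes each chip and decodes the chip pairs. The preamble, the oversampling factor, the noise level and the “pass” payload are assumptions chosen for illustration; the transmitter here only produces the chip schedule, it does not drive memory or emit anything. It also computes the raw payload time for a 4096-bit key at the 1,000 bps rate the article quotes, which is where the 4.096 seconds figure comes from.

```python
"""Simulation of a RAMBO-style covert channel: Manchester-coded on/off keying
of a noisy amplitude trace. The 'transmitter' only produces the chip schedule
that malware would drive RAM activity with; nothing here emits radio."""
import random

BIT_RATE = 1000            # bits/s, the fast rate quoted in the article
SAMPLES_PER_CHIP = 4       # receiver oversampling per half-bit (assumed)
PREAMBLE = [1, 0] * 8      # hypothetical sync header; not the paper's framing
NOISE_SIGMA = 0.1          # constructed channel noise level


def manchester_encode(data: bytes) -> list[int]:
    """Each bit becomes two chips with a mid-bit transition: 1 -> 1,0 and 0 -> 0,1.
    A chip of 1 means 'memory-intensive burst', 0 means 'idle'."""
    chips = []
    for byte in data:
        for i in range(7, -1, -1):
            chips += [1, 0] if (byte >> i) & 1 else [0, 1]
    return chips


def transmit(data: bytes) -> list[int]:
    """Chip schedule the sender would drive: sync preamble, then the payload."""
    return PREAMBLE + manchester_encode(data)


def channel(chips, lead_in=7, sigma=NOISE_SIGMA, seed=1) -> list[float]:
    """Model the air interface: each chip lasts SAMPLES_PER_CHIP samples of
    amplitude 1.0 (burst) or 0.0 (idle) plus Gaussian noise, with an unknown
    amount of idle time before the frame and some idle time after it."""
    rng = random.Random(seed)
    envelope = [0] * lead_in
    for c in chips:
        envelope += [c] * SAMPLES_PER_CHIP
    envelope += [0] * (4 * SAMPLES_PER_CHIP)
    return [v + rng.gauss(0.0, sigma) for v in envelope]


def _find_frame_start(bits: list[int]) -> int:
    """Slide the sample-level preamble over the hard decisions; the offset with
    the most matching samples wins. Returns the index of the first payload sample."""
    ref = [c for c in PREAMBLE for _ in range(SAMPLES_PER_CHIP)]
    best_off, best_score = 0, -1
    for off in range(len(bits) - len(ref) + 1):
        score = sum(1 for a, b in zip(bits[off:off + len(ref)], ref) if a == b)
        if score > best_score:
            best_off, best_score = off, score
    return best_off + len(ref)


def receive(samples: list[float]) -> bytes:
    """Threshold, align on the preamble, majority-vote each chip, decode pairs.
    A chip pair without a transition (0,0 or 1,1) means end of frame or loss
    of sync, so decoding stops there. Only whole bytes are returned."""
    bits = [1 if s > 0.5 else 0 for s in samples]
    pos = _find_frame_start(bits)
    chips = []
    while pos + SAMPLES_PER_CHIP <= len(bits):
        votes = sum(bits[pos:pos + SAMPLES_PER_CHIP])
        chips.append(1 if 2 * votes > SAMPLES_PER_CHIP else 0)
        pos += SAMPLES_PER_CHIP
    decoded = []
    for a, b in zip(chips[0::2], chips[1::2]):
        if (a, b) == (1, 0):
            decoded.append(1)
        elif (a, b) == (0, 1):
            decoded.append(0)
        else:
            break
    out = bytearray()
    for i in range(0, len(decoded) - 7, 8):
        byte = 0
        for bit in decoded[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def seconds_to_exfiltrate(n_bits: int, bit_rate: int = BIT_RATE) -> float:
    """Raw payload time, ignoring preamble and framing overhead."""
    return n_bits / bit_rate


if __name__ == "__main__":
    secret = b"pass"                                  # constructed payload
    print(receive(channel(transmit(secret))))         # b'pass'
    print(seconds_to_exfiltrate(4096))                # 4.096 s for a 4096-bit key
```

The Manchester choice is what makes the receiver robust: every bit carries a transition, so the receiver recovers timing from the data itself and an invalid pair (no transition) immediately reveals loss of sync instead of silently producing garbage. The 41.96 second figure for the low speed is not reproduced by `seconds_to_exfiltrate`, since it includes whatever framing overhead the paper’s low-rate mode carries.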
Countermeasures to block the attack include enforcing “red-black” zone restrictions on information transfer, deploying an intrusion detection system (IDS), monitoring memory access at the hypervisor level, using radio jammers to block wireless communications, and placing the system in a Faraday cage. The first three target the malware’s ability to reach the data and modulate memory activity; jamming and shielding target the emission itself.
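A sketch of what the memory-access-monitoring countermeasure could look for, added here as an illustration and not taken from the paper or from any product: a covert channel that keys data into memory activity leaves burst durations quantised to one or two chip periods, whereas an ordinary workload spreads them widely. The traces are constructed, the 1 ms sampling interval, the 10% and 90% thresholds and the one-sample tolerance are assumptions, and a real IDS would take the activity series from hypervisor or performance-counter telemetry rather than from a list.

```python
"""Illustrative check for the memory-access-monitoring countermeasure (not the
paper's IDS): Manchester-keyed RAM activity produces bursts whose durations are
quantised to one or two chip periods; ordinary workloads spread them widely."""
import random
from collections import Counter

CHIP_SAMPLES = 5        # samples per chip at an assumed 1 ms sampling interval


def high_runs(trace: list[float], threshold: float) -> list[int]:
    """Lengths, in samples, of each maximal run of samples above threshold."""
    runs, cur = [], 0
    for v in trace:
        if v > threshold:
            cur += 1
        elif cur:
            runs.append(cur)
            cur = 0
    if cur:
        runs.append(cur)
    return runs


def burst_regularity(trace: list[float], threshold: float = 0.5, tol: int = 1) -> float:
    """Fraction of bursts whose length is within tol samples of a base period m
    or of 2*m, where m is the shortest burst length that accounts for at least
    10% of all bursts. A Manchester stream scores 1.0; random activity scores low.
    The chip period is inferred from the data, so the detector does not need to
    know the attacker's chosen rate."""
    runs = high_runs(trace, threshold)
    if len(runs) < 16:                      # too little activity to judge
        return 0.0
    counts = Counter(runs)
    common = [r for r, c in counts.items() if c >= 0.1 * len(runs)]
    m = min(common) if common else counts.most_common(1)[0][0]
    ok = sum(1 for r in runs if abs(r - m) <= tol or abs(r - 2 * m) <= tol)
    return ok / len(runs)


def is_covert_channel(trace: list[float], score_threshold: float = 0.9) -> bool:
    return burst_regularity(trace) >= score_threshold


def covert_trace(n_bits: int = 200, seed: int = 7) -> list[float]:
    """Constructed trace: random bits keyed Manchester-style (1 -> burst,idle;
    0 -> idle,burst), each chip held for CHIP_SAMPLES samples, plus noise."""
    rng = random.Random(seed)
    chips = []
    for _ in range(n_bits):
        chips += [1, 0] if rng.random() < 0.5 else [0, 1]
    trace = [0.0] * 20
    for c in chips:
        trace += [float(c)] * CHIP_SAMPLES
    trace += [0.0] * 20
    return [v + rng.gauss(0.0, 0.05) for v in trace]


def benign_trace(n_bursts: int = 60, seed: int = 7) -> list[float]:
    """Constructed trace of an ordinary workload: bursts and gaps of random
    length (1..30 samples) and random burst intensity, plus noise."""
    rng = random.Random(seed)
    trace = []
    for _ in range(n_bursts):
        trace += [rng.uniform(0.6, 1.0)] * rng.randint(1, 30)
        trace += [rng.uniform(0.0, 0.3)] * rng.randint(1, 30)
    return [v + rng.gauss(0.0, 0.05) for v in trace]


if __name__ == "__main__":
    print(round(burst_regularity(covert_trace()), 2), is_covert_channel(covert_trace()))
    print(round(burst_regularity(benign_trace()), 2), is_covert_channel(benign_trace()))
```

The obvious caveat is false positives: a legitimate workload that copies fixed-size buffers on a timer also produces regular burst lengths, so a score like this is a trigger for per-process investigation, not a verdict. Conversely, an attacker who adds jitter or randomises the chip period trades channel capacity for stealth, which is the usual tension in covert-channel detection.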