Background
Prominent researcher Mordechai Guri of the Ben-Gurion University of the Negev, Israel, recently released a research paper detailing a new method that allows attackers to steal sensitive information from air-gapped (isolated) computers.
Air-gapped systems are systems that are physically separated from external networks, including the Internet. This is achieved by keeping the system disconnected from any wired or wireless network and preventing it from communicating with any other device or network in any way.
Air-gapping a system is considered one of the best ways to ensure its security but, as is true with any system, it can still be breached. Here are a few examples of prominent methods and tools used in the past to breach air-gapped networks:
- Stuxnet: A highly sophisticated worm and one of the best-known examples of air-gap malware. It targeted industrial control systems, particularly those used in nuclear facilities, and jumped the air gap by exploiting zero-day vulnerabilities, spreading via infected USB drives, and abusing other weaknesses.
- Agent.BTZ: Another worm with advanced capabilities designed to target air-gapped systems. This worm was specifically designed to spread through USB flash drives. Its list of victims includes classified networks of the US Department of Defense.
Accessing an air-gapped system despite the measures taken to prevent this is called “jumping” the air gap.
To exfiltrate information from an air-gapped computer, attackers use special communication channels, e.g. optical signals, acoustic noise, and physical vibrations. The RAMBO attack relies on the radio signals that can be generated by manipulating a computer’s Random Access Memory (RAM).
The RAMBO Attack
Attacks on isolated networks involve multi-phase strategies. The first phase is usually the infection of the isolated system with some form of specialised malware. This can be done through various channels such as physical media or insider agents. Once the malware is introduced into the system and activated, it must propagate through the isolated system and exfiltrate data while evading detection and covering its tracks. It is in this phase that the RAMBO technique comes into play. Exfiltrating data from an isolated system is not as simple as connecting to a remote attacker-controlled server and uploading it there. Because such systems are completely cut off from the outside world, an entirely different set of techniques is needed to get data out of them.
Covert channel: the name given to the special communication channels, mentioned in the Background section, that are used to move data out of air-gapped networks.
The RAMBO attack utilises electromagnetic emissions from the RAM to modulate the information and transmit it outward. The electromagnetic emission from the RAM functions similarly to a radio transmission and hence can be received by an attacker using a radio receiver and an antenna. The attacker must then demodulate and decode the signal back into binary or textual representation.
When data is read from or written to memory, rapid voltage and current changes on the RAM bus create electromagnetic fields. These fields can radiate energy as Electromagnetic Interference (EMI) or Radio Frequency Interference (RFI). To create an EM covert channel, the transmitter needs to modulate memory access patterns in a way that corresponds to binary data. This functions similarly to Morse code, in the sense that the sender and receiver transmit and receive zeros and ones according to predetermined rules by manipulating the access patterns of the physical memory.
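Because the channel depends on driving memory activity in a regular, clocked on/off pattern, one defensive angle is to look for that regularity in a host's memory-traffic trace. The following is an added illustration, not code from the paper or from any product: it assumes a host sampler that reports memory-bus activity per interval (the traces here are constructed), and it assumes a Manchester-style scheme in which each bit is a busy/idle pair, which produces a strong anti-correlation at half the symbol period that ordinary workloads do not.

```python
import random
from typing import List, Tuple


def autocorr(x: List[float], lag: int) -> float:
    """Normalised autocorrelation of x at `lag`, with the mean removed."""
    n = len(x)
    mean = sum(x) / n
    var = sum((v - mean) ** 2 for v in x)
    if var == 0 or lag >= n:
        return 0.0
    num = sum((x[i] - mean) * (x[i + lag] - mean) for i in range(n - lag))
    return num / var


def strongest_period(trace: List[float], max_lag: int = 32) -> Tuple[int, float]:
    """Lag in 2..max_lag with the largest |autocorrelation|, and that magnitude.
    The sign is ignored because a clocked busy/idle scheme (assumed here) shows up
    as anti-correlation at half the symbol period."""
    best_lag, best = 0, 0.0
    for lag in range(2, max_lag + 1):
        score = abs(autocorr(trace, lag))
        if score > best:
            best_lag, best = lag, score
    return best_lag, best


def looks_modulated(trace: List[float], threshold: float = 0.35) -> bool:
    """Heuristic alert: irregular workloads rarely repeat this strongly."""
    return strongest_period(trace)[1] >= threshold


def manchester_trace(payload: bytes, half: int = 4, seed: int = 1) -> List[float]:
    """Constructed trace of a host emitting `payload` as busy/idle bursts:
    bit 1 = busy then idle, bit 0 = idle then busy, `half` samples per half."""
    rng = random.Random(seed)
    trace: List[float] = []
    for byte in payload:
        for k in range(7, -1, -1):
            halves = (100.0, 5.0) if (byte >> k) & 1 else (5.0, 100.0)
            for level in halves:
                trace += [level + rng.uniform(-3, 3) for _ in range(half)]
    return trace


def normal_trace(n: int = 256, seed: int = 0) -> List[float]:
    """Constructed stand-in for ordinary, irregular memory traffic."""
    rng = random.Random(seed)
    return [rng.uniform(10, 100) for _ in range(n)]


if __name__ == "__main__":
    for name, t in (("normal", normal_trace()), ("modulated", manchester_trace(b"K3y!"))):
        print(name, strongest_period(t), looks_modulated(t))
```

The modulated trace peaks at lag 4 (half of the 8-sample symbol) with a score near 0.45, while the irregular trace stays well below the threshold; a real deployment would need to calibrate the threshold against the host's genuine workloads.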
Conclusion
The importance of air-gapped systems can be understood by examining the critical environments in which they are utilized. Air-gapped systems are essential in sectors that require heightened security, such as military installations, government agencies, and financial institutions. The RAMBO attack represents a significant advancement in the field of air-gap jumping techniques. By leveraging the electromagnetic emissions from a computer’s RAM, malware can transmit sensitive data from isolated systems to nearby receivers. This attack highlights the need for continuous innovation in defensive strategies to keep up with the evolving landscape of cybersecurity threats.
Understanding the vulnerabilities of air-gapped systems is crucial for recognizing potential threats to organizations and individuals. For instance, those who rely on air-gapped wallets for secure asset storage should be aware that even these systems can be compromised. The RAMBO attack demonstrates that no system is entirely invulnerable. By being informed about such risks, people can make more discerning choices about where to entrust their assets and how to protect them from emerging cybersecurity threats.