RAMBO Attack: Air-Gapped Systems No Longer Safe
Researchers at Ben-Gurion University of the Negev in Israel (the work is by Mordechai Guri, who has published a series of air-gap covert-channel techniques) have described a new attack named "RAMBO" (Radiation of Air-gapped Memory Bus for Offense). It exfiltrates data from an air-gapped computer over the electromagnetic emissions that the computer's own memory operations produce.
Systems in critical sectors, such as government agencies, nuclear facilities, and military networks, are often air-gapped: they have no connection to the internet or to other networks, which greatly reduces the risk of remote infection and data leakage. An air gap does not, however, prevent malware from being introduced physically, for example by an insider, by a removable USB drive, or by a compromised component in the supply chain. RAMBO assumes that this first step has already happened; it solves only the second problem, getting data back out.
The RAMBO technique uses the memory bus of an already-compromised computer as a transmitter. Malware running on the air-gapped host performs specific patterns of memory reads and writes, and the resulting current changes on the memory bus radiate electromagnetic signals that the attacker controls by timing those patterns. The signals can be picked up with a relatively inexpensive software-defined radio receiver and antenna placed nearby.
The data is modulated as on-off keying: a burst of memory activity means "1" and idle time means "0". On top of that, the bits are Manchester encoded, so that every transmitted bit contains a transition in its middle. The receiver uses these guaranteed transitions to recover the transmitter's timing and to keep its sampling aligned, which reduces bit errors; the price is that each data bit costs two memory on/off slots, so the bus has to toggle at twice the data rate.
The data rate the researchers achieved with RAMBO reaches up to 1,000 bits per second, which is 125 bytes per second. That is far too slow for bulk exfiltration, but it is enough for text, passwords, RSA private keys, and small files. In the reported experiments, stealing a password took 0.1 to 1.28 seconds, while transmitting a small image took between 25 and 250 seconds, depending on the chosen rate.
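The encoding described above, as an added example that is not code from the RAMBO paper or its author: a simulation of the on-off keyed, Manchester-encoded framing such a channel needs, with a receiver that oversamples the symbol stream, majority-votes each half-bit slot, and uses the guaranteed mid-bit transitions to find the correct half-bit phase even when it starts listening at an unknown point in the idle period. The 8-bit preamble, the oversampling factor, and the deterministic noise model are assumptions made for the demo; in the real attack a "1" symbol is a burst of memory reads and writes, while here it is just an integer so the logic can be checked offline. The `airtime_seconds` helper also shows how the page's per-password timing follows from the raw bit rate.

```python
"""Simulation of the bit-level framing a RAMBO-style covert channel needs.

Added example, not code from the RAMBO paper or its author. In the real attack
a "1" symbol is a burst of memory reads/writes (which radiates) and a "0"
symbol is idle; here symbols are plain integers and the receiver is simulated,
so the Manchester encode/decode and the synchronisation it buys can be checked
offline. PREAMBLE, SAMPLES_PER_SYMBOL and the noise model are assumptions.
"""

PREAMBLE = "10101010"          # assumed sync word; the page does not specify one
SAMPLES_PER_SYMBOL = 8          # receiver oversampling factor (assumed)


def bytes_to_bits(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)


def bits_to_bytes(bits: str) -> bytes:
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def manchester_encode(bits: str) -> list:
    """Each data bit becomes two half-bit symbols: 1 -> idle,burst ; 0 -> burst,idle.

    The guaranteed mid-bit transition is what lets the receiver recover clock
    and phase; the cost is two symbol slots per bit, so 1,000 bit/s needs
    2,000 memory on/off slots per second.
    """
    out = []
    for b in bits:
        out.extend((0, 1) if b == "1" else (1, 0))
    return out


def build_frame(payload: bytes) -> list:
    return manchester_encode(PREAMBLE + bytes_to_bits(payload))


def simulate_channel(symbols, leading_idle=0, flip_every=5):
    """Oversample the symbol stream and corrupt it deterministically.

    leading_idle: idle symbols before the frame, so the receiver does not know
    where half-bit boundaries fall. flip_every: every n-th sample is inverted
    (constructed noise; with 8 samples per symbol and n >= 3 at most 3 samples
    of a slot are hit, so a majority vote per slot still recovers the symbol).
    """
    stream = [0] * leading_idle + list(symbols)
    samples = []
    for s in stream:
        samples.extend([s] * SAMPLES_PER_SYMBOL)
    return [v ^ 1 if flip_every and i % flip_every == flip_every - 1 else v
            for i, v in enumerate(samples)]


def _slice_symbols(samples):
    """Majority-vote each slot of SAMPLES_PER_SYMBOL samples into one symbol."""
    nsym = len(samples) // SAMPLES_PER_SYMBOL
    syms = []
    for i in range(nsym):
        chunk = samples[i * SAMPLES_PER_SYMBOL:(i + 1) * SAMPLES_PER_SYMBOL]
        syms.append(1 if 2 * sum(chunk) > len(chunk) else 0)
    return syms


def _pairs_to_bits(syms, phase):
    """Read symbol pairs starting at `phase`; a pair with no transition is
    idle or misaligned data and is marked 'x' rather than guessed."""
    bits = []
    for i in range(phase, len(syms) - 1, 2):
        a, b = syms[i], syms[i + 1]
        bits.append("x" if a == b else ("1" if (a, b) == (0, 1) else "0"))
    return "".join(bits)


def decode(samples) -> bytes:
    """Try both half-bit phases. Only the aligned one can contain the preamble:
    a misaligned Manchester stream can never yield an adjacent '1','0' pair."""
    syms = _slice_symbols(samples)
    for phase in (0, 1):
        bits = _pairs_to_bits(syms, phase)
        start = bits.find(PREAMBLE)
        if start == -1:
            continue
        payload = bits[start + len(PREAMBLE):]
        end = payload.find("x")          # trailing idle ends the frame
        return bits_to_bytes(payload if end == -1 else payload[:end])
    raise ValueError("preamble not found in either phase: no frame / lost sync")


def airtime_seconds(payload: bytes, bits_per_second: int = 1000) -> float:
    """Wall-clock time to send one frame at the given raw data bit rate."""
    return (len(PREAMBLE) + 8 * len(payload)) / bits_per_second


if __name__ == "__main__":
    msg = b"hunter2"
    rx = simulate_channel(build_frame(msg), leading_idle=3)
    print(decode(rx), f"{airtime_seconds(msg):.3f} s at 1000 bit/s")
```

The phase search is the practical payoff of Manchester coding: because a correctly aligned pair always has a transition and a misaligned pair can never decode to "1" followed by "0", the receiver can lock on without any shared clock, which is exactly what an attacker sitting metres away with an SDR needs.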
Range and bit rate trade off against each other, because a slower rate lets the receiver integrate more signal per bit and tolerate more noise. In the reported measurements, the fastest rate worked up to about one meter with few errors, the medium rate up to about 1.5 meters, and the slowest rate reached about 7 meters with almost no errors. Pushing the rate to 10,000 bits per second degraded the signal-to-noise ratio so much that the transmission was no longer usable.
The researchers propose several countermeasures: physically separating air-gapped systems from areas where an attacker could place a receiver (a red/black zone policy), running a memory "jammer" that issues random memory operations to mask the malware's pattern, deploying external radio jammers to raise the noise floor, and enclosing the equipment in a Faraday cage so that emissions do not leave the protected area. A practitioner should note the costs: memory jamming consumes CPU and bandwidth on the protected host, radio jamming can interfere with legitimate equipment, and shielding is expensive to retrofit. Because RAMBO presupposes code execution on the air-gapped host, controls on removable media, supply-chain integrity, and host-based monitoring for unexpected memory-intensive processes remain the first line of defense.
Notably, the RAMBO attack also works from inside a virtual machine. The hypervisor's own memory traffic and scheduling add noise and can disrupt the timing of the transmission, but the researchers found the channel still functional under those conditions, so running sensitive workloads in a VM is not by itself a mitigation.