Latest Assault: RAMBO Method Exploits RAM Radio Signals for Data Theft from Isolated Networks

AndyC 10 September 2024

Sep 09, 2024Ravie LakshmananVulnerability / Hardware Security

An innovative covert attack has unveiled the exploitation of radio signals emitted by a device’s random access memory (RAM) as a method for data exfiltration, presenting a risk t

New RAMBO Attack Uses RAM Radio Signals to Steal Data from Air-Gapped Networks

Sep 09, 2024Ravie LakshmananVulnerability / Hardware Security

New RAMBO Attack Uses RAM Radio Signals to Steal Data from Air-Gapped Networks

An innovative covert attack has unveiled the exploitation of radio signals emitted by a device’s random access memory (RAM) as a method for data exfiltration, presenting a risk to isolated networks.

The strategy has been dubbed RAMBO by Dr. Mordechai Guri, the leader of the Offensive Cyber Research Lab in the Department of Software and Information Systems Engineering at the Ben Gurion University of the Negev in Israel.

“By using software-generated radio signals, malicious software can encrypt sensitive data like files, pictures, keystrokes, biometric details, and encryption keys,” Dr. Guri expressed in a recently released research article.

“With software-defined radio (SDR) equipment and a basic off-the-shelf antenna, an attacker can intercept transmitted unprocessed radio signals from a distance. These signals can then be deciphered and converted back into binary data.”

Cybersecurity

Across the years, Dr. Guri has devised diverse mechanisms to extract sensitive data from offline networks by utilizing Serial ATA cables (SATAn), MEMS gyroscope (GAIROSCOPE), LEDs on network interface cards (ETHERLED), and dynamic power consumption (COVID-bit).

Some of the unconventional strategies crafted by the researcher involve leaking data from isolated networks through hidden acoustic signals generated by graphics processing unit (GPU) supporters (GPU-FAN), (ultra)sonic waves emitted by built-in motherboard buzzers (EL-GRILLO), and even printer display panels and status LEDs (PrinterLeak).

Previously, Guri also showcased AirKeyLogger, a hardware-free radio frequency keystroke logging assault that weaponizes radio emissions from a computer’s power supply to steal real-time keystroke data to a distant attacker.

“To disclose confidential data, the processor’s operational frequencies are manipulated to create a sequence of electromagnetic emissions from the power unit altered by keystrokes,” Guri remarked in the research. “The keystroke details can be picked up from distances of several meters away via an RF receiver or a smartphone with a basic antenna.”

Just like other attacks of its nature, it necessitates the isolation of the network to be initially breached through alternate methods – like a deceitful insider, contaminated USB drives, or a supply chain assault – thereby enabling the malware to activate the hidden data exfiltration channel.

RAMBO is not an exception since the malicious software is utilized to alter RAM in such a way that it generates radio signals at clock frequencies, which are later encoded using Manchester encoding and transmitted to be received from a distance.

The encoded information can incorporate keystrokes, documents, and biometric details. An attacker on the receiving end can leverage SDR to pick up the electromagnetic signals, demodulate and decode the data, and retrieve the stolen information.

Cybersecurity

“The malware employs electromagnetic emissions from the RAM to modify the information and transmit it externally,” Dr. Guri highlighted. “A remote attacker equipped with a radio receiver and antenna can grasp the information, demodulate it, and decode it into its original binary or text form.”

The technique could be utilized to leak data from isolated computers operating Intel i7 3.6GHz CPUs and 16 GB RAM at 1,000 bits per second, as discovered in the research, with keystrokes being exfiltrated in real-time at 16 bits per key.

“A 4096-bit RSA encryption key can be stolen in 41.96 seconds at a slow speed and 4.096 bits at a higher speed,” Dr. Guri mentioned. “Biometric information, small files (.jpg), and small documents (.txt and .docx) necessitate anywhere from 400 seconds at low speeds to a few seconds at high speeds.”

“This points towards the fact that the RAMBO hidden channel can be employed to leak relatively concise information over a brief period.”

Approaches to thwart the attack encompass enforcing “red-black” zone constraints for data transfers, utilizing an intrusion detection system (IDS), monitoring hypervisor-level memory access, using radio jammers to halt wireless communications, and deploying a Faraday cage.

Discovered this content fascinating? Connect with us on Twitter and LinkedIn for more exclusive updates we share.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

More Stories

CISA Flags Critical ASUS Live Update Flaw After Evidence of Active Exploitation

CISA Flags Critical ASUS Live Update Flaw After Evidence of Active Exploitation

AndyC 18 December 2025
Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances

Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances

AndyC 18 December 2025
SonicWall Fixes Actively Exploited CVE-2025-40602 in SMA 100 Appliances

SonicWall Fixes Actively Exploited CVE-2025-40602 in SMA 100 Appliances

AndyC 18 December 2025
Kimwolf Botnet Hijacks 1.8 Million Android TVs, Launches Large-Scale DDoS Attacks

Kimwolf Botnet Hijacks 1.8 Million Android TVs, Launches Large-Scale DDoS Attacks

AndyC 18 December 2025
APT28 Targets Ukrainian UKR-net Users in Long-Running Credential Phishing Campaign

APT28 Targets Ukrainian UKR-net Users in Long-Running Credential Phishing Campaign

AndyC 18 December 2025
New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails

New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails

AndyC 18 December 2025

You may have missed

Hospital Ransomware Really is The Pitt

How CISOs Can Beat the Ransomware Blame Game 

AndyC 18 December 2025
Using AI to automatically cancel customers? Not a smart move

2026 Cyber Predictions: Accelerating AI, Data Sovereignty, and Architecture Rationalization 

AndyC 18 December 2025
Smashing Security podcast #448: The Kindle that got pwned

Smashing Security podcast #448: The Kindle that got pwned

AndyC 18 December 2025
What’s Powering Enterprise AI in 2025: ThreatLabz Report Sneak Peek

Private Certificate Authority 101: From Setup to Management

AndyC 18 December 2025
CISA Flags Critical ASUS Live Update Flaw After Evidence of Active Exploitation

CISA Flags Critical ASUS Live Update Flaw After Evidence of Active Exploitation

AndyC 18 December 2025

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.