{"id":52235,"date":"2024-09-26T16:46:59","date_gmt":"2024-09-26T20:46:59","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=52235"},"modified":"2024-09-26T16:47:34","modified_gmt":"2024-09-26T20:47:34","slug":"rambo-pixhell-methods","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/rambo-pixhell-methods\/52235\/","title":{"rendered":"New ways data can be stolen from air-gapped systems"},"content":{"rendered":"<p>How can information be transferred from a computer that\u2019s connected neither to the internet nor a local network? For many years now, Israeli researcher Mordechai Guri has been on a mission to uncover the exotic methods with which attackers could do precisely that to steal data. And we\u2019ve always been there to <a href=\"https:\/\/www.kaspersky.com\/blog\/jumping-over-air-gap\/35894\/\" target=\"_blank\" rel=\"noopener nofollow\">cover<\/a> his research. Recently, Guri published two new scientific papers within four days of each other. In the first, he demonstrates how to turn a computer into a radio transmitter by manipulating data loading into RAM; in the second \u2014 how to use an ordinary computer monitor as an \u201cacoustic spy\u201d.<\/p>\n<h2>Hypothetical situation<\/h2>\n<p>Guri\u2019s papers all tackle the same scenario:<\/p>\n<ul>\n<li>A computer stores or processes highly classified data.<\/li>\n<li>To ensure the security of this data, the system is isolated from the network, and even located in a separate room with restricted access.<\/li>\n<li>The hypothetical attacker knows how to install data-snatching malware on the computer, and now needs to exfiltrate this data.<\/li>\n<\/ul>\n<p>The task of infecting an isolated computer is tricky \u2014 but by no means impossible. One way is to take advantage of a careless operator who inadvertently plugs an infected flash drive into the \u201csecret\u201d computer (a depressingly realistic scenario). 
Another, theoretically possible, way is to plant malware in the system in advance: at the factory or during delivery to the customer. The simplest way is to bribe a company employee. However, to exfiltrate the data, the cybervillains need to deploy side-channel attacks.<\/p>\n<h2>RAMBO<\/h2>\n<p>In the <a href=\"https:\/\/arxiv.org\/pdf\/2409.02292\" target=\"_blank\" rel=\"nofollow noopener\">first<\/a> paper, Guri describes a way to turn ordinary memory modules into a radio transmitter \u2014 a so-called RAMBO attack. It\u2019s no secret that all electronic systems make \u201cnoise\u201d in one way or another during operation; that is, they emit spurious signals. Random access memory (RAM) is no exception: changing the voltage supplied to RAM modules to update data generates radio waves. In the case of a RAMBO attack, it\u2019s malware that initiates a data write to RAM. What matters is not the kind of data but the intensity of the operation. By accessing the modules in bursts alternated with pauses, and catching radio emissions at a certain frequency, it\u2019s possible to create a channel for covert data transmission.<\/p>\n<div id=\"attachment_52236\" style=\"width: 1373px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/09\/26163239\/rambo-pixhell-methods-spectrogram.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-52236\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/09\/26163239\/rambo-pixhell-methods-spectrogram.png\" alt=\"Spectrogram of radio emission from memory\" width=\"1363\" height=\"946\" class=\"size-full wp-image-52236\"><\/a><p id=\"caption-attachment-52236\" class=\"wp-caption-text\">Spectrogram of radio emission from RAM. <a href=\"https:\/\/arxiv.org\/pdf\/2409.02292\" target=\"_blank\" rel=\"noopener nofollow\">Source<\/a><\/p><\/div>\n<p>The image above shows what it looks like. 
Accessing memory generates radiation at a frequency of about 975 kilohertz. The moments when data is written to memory and the \u201csilent\u201d periods are clearly distinguishable. The result is something like Morse code \u2014 only slightly more complicated: the data here is encoded using two different methods. The bottom graph uses a simple amplitude modulation, and the top one uses a slightly more complex <a href=\"https:\/\/en.wikipedia.org\/wiki\/Manchester_code\" target=\"_blank\" rel=\"nofollow noopener\">Manchester code<\/a>. The latter has some advantages when it comes to decoding the data later on.<\/p>\n<p>The key question in any such study is always the same: how effective is the method? Guri managed to achieve reliable data transmission at speeds of up to 1000 bits per second (bps). By the standards of modern data communication, that\u2019s snail-like; however, it\u2019s perfectly sufficient to, say, transmit keystrokes to the attacker in real time. More importantly, this exfiltration method works at a distance of up to seven meters.<\/p>\n<p>We\u2019ve already <a href=\"https:\/\/www.kaspersky.com\/blog\/air-fi-data-exfiltration\/38310\/\" target=\"_blank\" rel=\"noopener nofollow\">covered<\/a> a similar method designed by the same researcher, which also relies on spurious radiation from RAM modules. But in that case, Guri used a different data-transfer frequency \u2014 2.4 gigahertz (GHz) \u2014 and the speed was 10 times slower: no more than 100 bps. The new method is more effective, although the previous one has a key advantage: wireless data networks operate at 2.4 GHz, and many household devices also use this frequency band. 
This potentially allows attackers to hide their spying activities in radio noise.<\/p>\n<h2>PIXHELL<\/h2>\n<p>Guri\u2019s second <a href=\"https:\/\/arxiv.org\/pdf\/2409.04930\" target=\"_blank\" rel=\"nofollow noopener\">paper<\/a> proposes a wholly different method of data exfiltration \u2014 though it\u2019s based on the same core principles. Besides spurious radio emissions, electronic components can also emit sound. The PIXHELL attack method relies on barely audible noise produced by the electronic components found in a typical computer monitor. This acoustic noise is caused by a change in the voltage supplied to, say, capacitors in an electrical circuit.<\/p>\n<p>One strategy for manipulating this noise is to output a sequence of black-and-white rows to the screen; something like this:<\/p>\n<div id=\"attachment_52237\" style=\"width: 1637px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/09\/26163348\/rambo-pixhell-methods-pattern.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-52237\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/09\/26163348\/rambo-pixhell-methods-pattern.jpg\" alt=\"Bitmap patterns output to the monitor\" width=\"1627\" height=\"239\" class=\"size-full wp-image-52237\"><\/a><p id=\"caption-attachment-52237\" class=\"wp-caption-text\">Bitmap patterns output to the monitor for covert data transmission. <a href=\"https:\/\/arxiv.org\/pdf\/2409.04930\" target=\"_blank\" rel=\"noopener nofollow\">Source<\/a><\/p><\/div>\n<p>Each of the on-screen patterns causes the monitor\u2019s electronic components to sound at a certain frequency. What Guri did in essence was to turn the display into a very quiet, very low-quality loudspeaker. 
The downside of this method is that its results vary depending on the model of the display: each has its own particular electronic circuitry, and so the intensity of spurious acoustic noise varies:<\/p>\n<div id=\"attachment_52238\" style=\"width: 802px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/09\/26163431\/rambo-pixhell-methods-amplitude.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-52238\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/09\/26163431\/rambo-pixhell-methods-amplitude.jpg\" alt=\"Amplitude of acoustic signals\" width=\"792\" height=\"616\" class=\"size-full wp-image-52238\"><\/a><p id=\"caption-attachment-52238\" class=\"wp-caption-text\">Amplitude of acoustic signals emitted by the monitor, against the background of other noise. <a href=\"https:\/\/arxiv.org\/pdf\/2409.04930\" target=\"_blank\" rel=\"noopener nofollow\">Source<\/a><\/p><\/div>\n<p>Looking at the spectrograms of the acoustic signals from four different monitors, we\u2019re interested in the sloping lines, which represent noise with variable frequency. Everything else is other noise from the display, which is sure to drown out the \u201cuseful\u201d data. We can conclude that the noise from the Samsung monitor and TV is louder than that from the other two devices. What remains is choosing the most suitable frequency and transmitting data on it using one of the available encoding methods.<\/p>\n<p>What\u2019s interesting about this method is that a regular smartphone can serve as a receiver. Unlike the previous study, there\u2019s no need for an expensive (and possibly suspicious) radio receiver. But there\u2019s also a downside: the scheme works reliably at a distance of no more than two meters from the display. Moreover, the phone should be held directly next to the monitor, or, at the very least, be lying nearby on the table. 
The speed of a theft would also be horribly slow \u2014 no more than 20 bps.<\/p>\n<p>Besides, the operator would surely be puzzled by their screen displaying black-and-white ripples. Guri\u2019s paper thus considers a situation where data exfiltration occurs at night: the computer (and monitor) are working, but there\u2019s no one in the room. However, covert transmission in the presence of humans (who may spot an anomaly) is acknowledged as doable \u2014 by reducing the brightness of the display or subtly superimposing the patterns onto another image.<\/p>\n<h2>Countering RAMBO and PIXHELL attacks<\/h2>\n<p>Guri proposes countermeasures for designers of maximum-security systems. In the case of RAMBO, spurious radio emissions should be isolated against interception \u2014 for which he suggests using a computer case capable of shielding all radio waves. For processing sensitive data, shielding the entire room is also an option.<\/p>\n<p>The PIXHELL attack seems less reliable, but it\u2019s also hard to defend against \u2014 except by filling the room with random noise. As ever, it\u2019s vital to <a href=\"https:\/\/www.kaspersky.com\/next?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kdaily_wpplaceholder_sm-team___knext____a8c0f733e524af27\" target=\"_blank\" rel=\"noopener nofollow\">stop unwanted software from running<\/a>. 
One major takeaway from Mordechai Guri\u2019s numerous works is that finding malware on a machine is a lot easier than guarding against all possible methods of side-channel data exfiltration.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Two fresh papers on the art of data exfiltration in scenarios where it seems utterly impossible.<\/p>\n","protected":false},"author":665,"featured_media":52239,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051,3052],"tags":[4613,4607],"class_list":{"0":"post-52235","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-data-exfiltration","11":"tag-side-channel-attack"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/rambo-pixhell-methods\/52235\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/rambo-pixhell-methods\/38285\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/rambo-pixhell-methods\/28318\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/side-channel-attack\/","name":"side-channel 
attack"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/52235","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/665"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=52235"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/52235\/revisions"}],"predecessor-version":[{"id":52242,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/52235\/revisions\/52242"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/52239"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=52235"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=52235"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=52235"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}