new attack leaks secrets using RAM as a radio

  • Published on 18 Sep 2024
  • The RAMBO Attack on RAM is truly amazing. Some of the best research I've seen.
    www.covertchan...
    arxiv.org/pdf/...
    www.wired.com/...
    • researchers find an un...
    • researchers find unfix...

Comments • 1.2K

  • @LowLevelLearning 7 days ago +57

    can you hear the courses at lowlevel.academy :O ? (they're on sale?! :O)

    • @axer552 7 days ago +2

      hello

    • @Y-_s-dt6vf 7 days ago

      Can you make a video about the FreeBSD CVE-2024-43102?

    • @inadad8878 7 days ago +4

      Ever heard of TEMPEST?!

    • @Derederi 6 days ago +2

      @LowLevelLearning I could add a noise maker to cancel out any sniffing.
      It would cost extra electricity but it would certainly stop "sniffers". Like mixing smells... Good luck distinguishing...

    • @98f5 5 days ago

      This isn't new. You can do the same thing with CPUs, and this was reported around 8 years ago.

  • @killer_game_real6805 7 days ago +1862

    we got ram sniffing before gta 6

    • @Shocker99 7 days ago

      Get your nose out of my RAM! 😉

    • @drink666bleach 7 days ago

      @killer_game_real6805 😂😂😂

    • @araz911 7 days ago +19

      What I liked about debates was that trump didn't sniff anyone

    • @furyzlm7853 7 days ago +4

      😂

    • @SoDamnMetal 7 days ago +22

      @araz911 Why would he? That's what our current president is known for.

  • @KillianTwew 7 days ago +386

    Joke's on him, I'm wrapping my whole damn PC in aluminum foil. Who needs airflow when it's a security risk?

    • @glynnetolar4423 7 days ago +55

      To nitpick, use copper foil. Works better at higher frequencies.

    • @BumfluffAddlepate 7 days ago +37

      Wrap yourself too, they might try the same trick on YOU!

    • @Lykkos29 7 days ago +23

      @BumfluffAddlepate the ones that are allowed to read my mind will die of cringe

    • @rogercroft3218 7 days ago +9

      You really need half inch thick lead plating. Works much better.

    • @adama7752 7 days ago +8

      Underwater my friend, Underwater

  • @pkandy2 7 days ago +1418

    I mean if you're compromised at that level you have bigger problems than ram noise 😅

    • @privacyvalued4134 7 days ago +178

      I think you are misunderstanding the issue. This demonstrates that RAM writes can be read from a distance. This method is expressly exfiltrating data with actual results, but could be an indicator of the possibility of reading ALL writes to RAM without needing a specialized program on the target system.

    • @zeke7237 7 days ago

      @privacyvalued4134 but it's useless without the local installed we exploit

    • @eplus341 7 days ago +100

      it's kind of a proof of concept. not necessarily useful at this point.

    • @destiny_02 7 days ago

      @privacyvalued4134 no

    • @Burbund 7 days ago +48

      Yeah, but if there's an attacker inside, by this method he can tracelessly extract RAM data.
      I can see how that could be used in some attacks from inside, like when factory employees dug a tunnel under a factory to leak Apple designs and secrets.
      Edit: near tracelessly, as it requires the system to be infected.

  • @hugostiglitz7373 7 days ago +339

    McNally: 'But your computer can always be opened with... Another computer!'
    *Throws a Mac at another Mac, opening both*

    • @XueYlva 7 days ago +5

      uh ohhh, macghettiooo

    • @Xe4ro 7 days ago +1

      Please don't try that with any CRT Mac. ;__;

    • @notme8232 5 days ago +3

      Zoolander moment

    • @stephenkolostyak4087 a day ago +2

      @Xe4ro "This is an iMac G3. It can be opened with another iMac G3... or by dropping it from a sufficient height."

  • @mintoo2cool 7 days ago +1024

    Oh Come on!!!! FUCK IT! THROWING ALL TECH IN THE TRASH AND TURNING AMISH!

    • @whatanerd7628 7 days ago +22

      ...who did you piss off THAT bad?

    • @meh.7539 7 days ago +38

      You don't have to go THAT extreme...
      Just throw out all your tech.

    • @realityveil6151 7 days ago

      Why? This only works if they previously had access to the airgapped system to put malware on it. And at that point you've already lost. This isn't even a vulnerability, it's just... a science fair project.

    • @xxkichaxx636 7 days ago +11

      Just put your PC into a Faraday cage if you are worried

    • @altrag 7 days ago +52

      Next year: Learning your password from the clip-clop of your horses' hooves.

  • @WesHampson 7 days ago +191

    This is technically called Van Eck Phreaking. It was first used in the 80s to eavesdrop on the images rendered on CRT monitors by listening to the RF given off by the cathode ray. Legend has it that the BBC used this technique to figure out who was using TVs without a loicense back in the day. Pretty neat!!

    • @leydesign3239 7 days ago +13

      Came here to say this, it's an old method, new tricks.

    • @alexandermarvin9536 7 days ago +31

      There is a reason classified spaces are Faraday cages...

    • @vxicepickxv 7 days ago

      @alexandermarvin9536 they were already Faraday cages to stop potential RF broadcasting since the existence of the transistor.

    • @HashCracker 7 days ago +7

      So in England in the eighties you had to have a license to operate a television? I know I'm missing something here lol

    • @acanofspam4347 7 days ago +15

      @HashCracker you're not gonna believe this...

  • @sjoervanderploeg4340 7 days ago +506

    They made fun of me hearing data barely two decades ago

    • @iykury 7 days ago +13

      i know this is probably a joke, but i'm pretty sure this still doesn't make any audible sound, only electromagnetic "noise"

    • @Kane0123 7 days ago +16

      What’s that skip? Bzzzzbzzbzzzz
      He’s down the well?!

    • @sjoervanderploeg4340 7 days ago +53

      This is not a joke, you can totally hear what some hardware is doing.
      For example I used to hear this specific sound when my mouse was moving or my drive was reading data, on old drives you could totally hear what stage of the boot process devices were at...
      For example unlocking the old PATA drives by hot swapping them I always did by ear.
      Either way it doesn't matter if someone says you are crazy, there might just be something...

    • @user-yv6xw7ns3o 7 days ago

      @sjoervanderploeg4340 Yes, you're describing auditory experience of hearing acoustic noise, carried in the form of propagating mechanical wave-fronts, which some hardware does make. The electromagnetic noise referred to in the video is a form of electromagnetic radiation, which is not acoustic and can't be heard by listening for sounds. The word "noise" in this case is not describing acoustic sound.

    • @Slowly_Going_Mad 7 days ago +21

      @sjoervanderploeg4340 you're absolutely right. While people usually either can't hear that kind of stuff or just don't pay attention to it, it definitely does make a noise. More prevalent on older hardware though. Even so, you can still hear the hum, whines, and screeches of newer stuff even without the obvious mechanical stuff being a source (disk drives and CRT screens are the usual culprits). What the newer stuff still emits is usually related to the power supply, as the transformer for SMPS will still screech; sometimes you'll hear the rapid change in power draw of a CPU as it does a task switch (this affects the frequency and amplitude of the power supply hum). Sometimes it's interference from said hardware affecting output devices like beepers, speakers or even the screen. So yeah, you can totally hear electronics if you listen in a quiet place.

  • @cinderwolf32 6 days ago +102

    "Hacker holding their phone next to the mainframe while a progress bar fills just in time to escape the faraday cage before security shows up" movie writers were ahead of their time. Pack it up security experts, it's time to admit that Hollywood was right.

    • @oompalumpus699 3 days ago +11

      Sigh. We're sorry Hollywood. You guys were actually on to something...

    • @strob5657 a day ago +3

      i kneel.......

    • @bearb1asting a day ago +1

      Which I hate, but is true.

    • @plzletmebefrank 21 hours ago +2

      There has been the ability to capture data wirelessly for a long time. It is just that the data you get is fairly corrupt, you have to be very close, and it usually requires very sensitive receivers.
      This however, requires specialized malware already installed on the device and then it's so much easier. It just has to find a way to transmit the data. And you can encode data in all kinds of ways. Basically, this is just sending binary signals by ramping up and down the RAM to create distinguishable spikes of emf noise. Which is entirely different than picking up the data that is currently going through an uninfected device.
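
Added example (not part of the original comment or the video): a small Python simulation of the on-off keying described in the comment above, seen from the receiver's side, showing why the masking-noise mitigation suggested elsewhere in this thread degrades the channel. The sample rate, amplitudes and noise levels are constructed assumptions, and the Gaussian-noise envelope model is a simplification that touches no hardware.

```python
"""Simulated on-off-keyed (OOK) covert channel, receiver side only.

Everything here is a constructed model: a '1' bit is a burst of emission,
a '0' bit is silence, and masking noise is additive Gaussian noise in the
same band. No real hardware or radio is involved.
"""
import random
import statistics

SAMPLES_PER_BIT = 20   # assumed receiver samples per bit period
BURST_AMPLITUDE = 1.0  # assumed envelope level while the sender is "on"


def ook_envelope(bits):
    """Ideal envelope: BURST_AMPLITUDE during a 1 bit, zero during a 0 bit."""
    return [BURST_AMPLITUDE if b else 0.0
            for b in bits for _ in range(SAMPLES_PER_BIT)]


def receive(envelope, noise_sigma, rng):
    """Add band noise (ambient plus deliberate masking) and take the
    magnitude, as a simple envelope detector would."""
    return [abs(s + rng.gauss(0.0, noise_sigma)) for s in envelope]


def decode(samples):
    """Average each bit period, then threshold halfway between the quietest
    and the loudest period (the receiver has no other reference level)."""
    means = [statistics.fmean(samples[i:i + SAMPLES_PER_BIT])
             for i in range(0, len(samples), SAMPLES_PER_BIT)]
    threshold = (min(means) + max(means)) / 2
    return [1 if m > threshold else 0 for m in means]


def bit_error_rate(noise_sigma, n_bits=2000, seed=1):
    """Fraction of bits the receiver gets wrong at a given noise level."""
    rng = random.Random(seed)
    sent = [rng.getrandbits(1) for _ in range(n_bits)]
    got = decode(receive(ook_envelope(sent), noise_sigma, rng))
    return sum(a != b for a, b in zip(sent, got)) / n_bits


def sweep(sigmas=(0.1, 0.5, 1.0, 2.0, 5.0)):
    """Bit error rate for a range of noise levels, weakest masking first."""
    return [(s, bit_error_rate(s)) for s in sigmas]


if __name__ == "__main__":
    # A bit error rate near 0.5 means the receiver is effectively guessing.
    for sigma, ber in sweep():
        print(f"noise sigma {sigma:>4}: bit error rate {ber:.3f}")
```

With little noise the bursts decode cleanly; once the in-band noise is several times the burst amplitude, the decoded bits are close to coin flips.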

    • @AudenGriffin 2 hours ago +1

      life imitates art

  • @supdawg7811 7 days ago +309

    Gonna need vacuum gaps now, nay Faraday Cage gaps

    • @_Safety_Third_ 7 days ago +90

      Hackers will then figure out how to decode the gravity waves generated by your finger movements while typing, just for the lulz.

    • @supdawg7811 7 days ago

      @_Safety_Third_ interdimensional space gaps, ez

    • @GM-zt6ti 7 days ago +40

      Electromagnetic waves pass through vacuum just fine

    • @tablettablete186 7 days ago +4

      @GM-zt6ti I see, we now can extract all the secrets through that small LED in the computer 😂😂😂
      Edit: I was just making a joke, but I have seen some attacks that legit do that

    • @MKdGlu 7 days ago +4

      FYI. Lasers can be used to listen and light can pass through vacuum gaps.

  • @durvius2657 7 days ago +47

    My heart skipped a beat when I saw the thumbnail. Thought there was a vulnerability with them specifically. Literally just had Corsair vengeance ram delivered today lol.

    • @jacquesduplessis6175 7 days ago +5

      @durvius2657 also have them, now have to put black tape over the LEDs too so it does communicate via strobing lights😂🙈

    • @TheHampusen 7 hours ago +1

      actually since the Corsair has double protection of both a tin-foil hat (cooling plates) and LED lights that produce a lot of noise in sequence, especially when in some disco mode, I would think this is impossible to filter out.

  • @the-answer-is-42 7 days ago +55

    I used to work in a physics lab. We would get noise from everywhere to the point that some experiments had to be done during the weekend because they would otherwise pick up signals from neighboring labs. As an example, not having things properly grounded could generate noise since electricity might start moving between ground states and this can create RF signals. We also twisted the cables together so electricity going in one direction would cancel out the noise from electricity going in the other direction.
    Point is, you'd be surprised just how easy it is to create electric noise. I wonder if we will start putting computers in Faraday cages or something (for computers doing sensitive stuff, that is).

    • @monad_tcp 5 days ago +3

      that's not what twisting does, the other wire is grounded, you're basically inducing eddy currents and creating an inverted signal, they either cancel out or amplify, which makes the signal stand out against the noise, basically cancelling it. it is not energy going back in the other direction, they are going in the same direction in parallel.
      actual robust signaling, like USB even use differential signaling, which is actually putting the signal and the inverted signal in a twisted pair.
      ethernet CAT cables also use twisting for that, but they don't transmit current, they transmit magnetic fields, a network card is basically a half-transformer on one side of the cable and a half-transformer on the other side of the cable on the other network card.
      you don't need to put computers in a faraday cage, the problem is ground loops, you just need to use isolating power transformers.
      computers are already faraday cages kind of, you just have to ground them. unless you have a plastic case, but they are usually aluminum

    • @the-answer-is-42 5 days ago +3

      @monad_tcp Honestly, I was simplifying for YouTube because I couldn't be bothered writing things out correctly. Point is, noise comes from everywhere if you aren't careful... And if you have a quantum device as part of the experiment that can pick up basically anything because of how sensitive it is, any source of noise can be an issue. Iirc, for some experiments, a normal mobile phone was a problem because it just being turned on could interfere with the experiment. They also aimed to use lasers with a sub 1 Hz bandwidth (might even have been aiming for the sub mHz range).
      EDIT:
      Now that I read your reply more carefully, I realize the explanation I got was also a bit simplified. I'm a (former) physics student and the PhD students were primarily physicists, so I guess our electrical engineering stuff was simplified because we were mostly focused on the optical and quantum side of things.

    • @Em0killer13 4 days ago

      Computers doing important stuff to be put in faraday cages? That's already the case and has been. It's called a hardware security module lol

  • @Alex_whatever 7 days ago +42

    You kind of glossed over it.. but the computer has to be infected by their malware first before it starts transmitting data from RAM noise.
    So.. you'd have to have a man on the inside to load your malware to the air-gapped system.. and if you have someone on the inside already anyways...

    • @DuxSupremus 7 days ago

      Stuxnet didn't need someone on the inside to eventually get into an air-gapped system.

    • @arthurmoore9488 7 days ago +6

      Except places like SCIFs are locked down to make data exfiltration as hard as possible. No USB drives, DVD drives that are read only, software to monitor and alert if anything unauthorized is connected, and other things.
      Data exfiltration is still a part of the pipeline, and that's what this guy's team specializes in.

    • @Gunzy83 6 days ago +3

      Came here to comment this. He proved that it can be done but with artificial data. In the real world, with random data flowing in and out of RAM, I doubt it.

    • @cyberyogicowindler2448 5 days ago

      Digital products are often factory prebugged to permit national intelligence agencies to read the stored data. Websearch Congaflock (a type of cheap hidden antenna that can be e.g. scanned with radar to extract secret information). Already in the Hard Drivin arcade machine a microcontroller for the driving physics algorithm contains a mode that morses the manufacturer copyright message over the air as AM radio to make it possible to identify piracy of the internal software.

    • @adissentingopinion848 3 days ago +1

      I know guys with security clearances that work in air gapped labs. No internet, no USB, no Bluetooth and faraday caged to a point. If you can get the payload into the hard drive somehow, you still have to get sensitive data out. If all it takes is an inconspicuous radio receiver, then you just have to compromise some OSS (polyfill, anyone?) or other software package used and leak out the data.

  • @natealbatros3848 7 days ago +156

    i like this guy, he thinks outside the box, if I'm not mistaken he found a way to hack to computers by the sound of the electrolytic capacitors of motherboards, absolute insanity.

    • @Shocker99 7 days ago

      It's not thinking outside of the box. He's rehashing the same idea; did you see his published papers? It's the same concept but attacking different components of the PC.
      I also don't believe it's revolutionary to listen to EM waves... when was the first crystal radio invented? The 19th century?

    • @ArtemisFowl01 7 days ago

      @natealbatros3848 contextually, it isn't THAT out of the box. i'll still give him massive props for the work, but all of this still roots back to TEMPEST. TEMPEST isn't exactly a novel idea, it's just niche.

    • @PlutoniumIsForever 7 days ago +1

      Brilliant!

    • @mtx33 7 days ago +12

      in theory you can do various kinds of exfiltration if you can modulate the info and receive it. like you can morse the admin password with the numlock key or hdd activation led if you have clear line of sight to the machine (i've seen BIOS level malware doing this kind of attack), you can periodically pin the cpu to 100% and create noise in the vrms (like a capacitor/coil you mentioned) or even periodically manipulate the fan speed, it's even audible through a phone call combined with social engineering... back in the day there was a virus that could play a melody through the floppy drive's servos, it wasn't that useful for this purpose per se, but if you have initial physical access, you can do all kinds of creative hacks.

    • @AndrewTSq 7 days ago +1

      My old card actually emitted music from some components😂

  • @adrian_sp6def 7 days ago +43

    I discovered something similar around 2002. When I was learning programming, I found that executing loops in a console application produced some audible noise in the speakers, along with interference to the broadcast radio station. Back then I did not know that I could change the pitch by changing the loop time. A similar effect was also used in the Altair 8800 to produce sound.

  • @GrahenKraken 7 days ago +19

    WoOah Black Betty! - 7:45

    • @DigiBentoBox 5 days ago

      @GrahenKraken goated comment 😆

    • @Brando56894 a day ago

      rambalamb!

  • @TheTubejunky 6 days ago +5

    This is how governments have been recording data using your phones as listening devices for computers that are not even external network facing devices.

    • @cyberyogicowindler2448 5 days ago

      Mobile radio networks this way may systematically scan all digital things through AI to spy e.g. offline computers. That's one reason why Huawei got banned in USA.

  • @josephlabs 7 days ago +92

    How do you even figure out you can do this? 😭

    • @_Safety_Third_ 7 days ago +4

      fr

    • @jeremymcadams7743 7 days ago +65

      Someone went "dude wouldn't it be wild if..." and then it worked

    • @rumplstiltztinkerstein 7 days ago +40

      basic electronics. A higher current means a higher magnetic field. Which could be detected. They are finding ways to raise currents in different hardware devices then use it to send data.

    • @josephlabs 7 days ago +24

      @jeremymcadams7743 I'd like to think their brainstorming sessions are just like getting baked and figuring out the craziest hypotheticals.

    • @Quamsi 7 days ago +14

      I mean a lot of people have considered the possibility. any wire is also an antenna, including the traces in your motherboard, so many people have considered it.

  • @rjalaskan 6 days ago +8

    Years ago, during a discussion about AI threats, I threw out what was supposed to be a completely insane idea that an AI might figure out how to jump an airgapped network by writing to RAM in a way that allows it to take control of a nearby computer to escape. I can't believe that was actually feasible

    • @cyberyogicowindler2448 5 days ago

      The mobile radio network this way may systematically scan all digital things through AI to spy e.g. offline computers. That's one reason why Huawei got banned in USA.

    • @lucarossi8442 4 days ago +2

      Not impossible but still very unlikely. To pick up the weak radio signals the researchers used specialized hardware and even with this hardware maximum data transfer rate was 1000 bit/s. In order to escape an air gapped system the AI must first devise a way to generate radio signals so strong that they are able to "flip" bits in a nearby computer, then it needs the time to transfer all its neural network to the other PC.

    • @cyberyogicowindler2448 4 days ago

      @lucarossi8442 The attacker does not need to write data (which will need a severely strong radar beam and would be hard without crashing the computer) but only sit and listen to pick up communication. Extracting data using TEMPEST is mainly a bigdata problem, and what else if not a mobile radio network has the size and time to produce enough example data to train an AI for this.

  • @Nacionarg 5 days ago +8

    Finally the debate is settled: Windows is more secure than Linux thanks to its superior RAM jamming features.

  • @cezarcatalin1406 3 days ago +4

    Cryptography nerds: My algorithm is perfect!
    Side channel attack enjoyers: But your hardware isn’t.

  • @tranthien3932 7 days ago +90

    So this is why Linus Torvalds always goes for as quiet of a system as possible.

    • @nikos4677 7 days ago +20

      He is always 2 steps ahead

    • @futuza 7 days ago +13

      This would make it worse, you want a noisy system that covers up the RAM's noise with excessive random noise in the same frequency as the RAM.

    • @PanDiaxik 7 days ago +1

      @futuza but the GPU fan can also be used to get data

    • @futuza 7 days ago

      @PanDiaxik Only if you're not also randomizing its fan pattern.

    • @VudrokWolf 7 days ago

      Liquid cooling should do but probably this guy is gonna hack that too

  • @davedaley9093 7 days ago +12

    A programmer I worked with in the late '60s wrote some code that would generate noise from the core that could be picked up with a transistor radio set inside the cabinet. With suitable parameters it could generate musical tones and play "Mary Had a Little Lamb" ala "2001 A Space Odyssey". Not very useful as a cyber attack but very amusing to visitors to the data center.

    • @arthurmoore9488 7 days ago +1

      These attacks are useful to attackers that can get something on to the system, but not off of it. Which is a very specific circumstance, but does happen.

    • @coffee-es9di 12 hours ago

      Always love these earlier 20's computer stories, they are always so damn stupid and funny.
      Heard one once about some dudes designing a "religious anti virus" for clients that thought their pc needed to be exorcised, when in fact it just needed to stop visiting certain self pleasuring site. Which, ended up on quite literally the whole local church going to their it service.

  • @lauraprates8764 7 days ago +55

    the next fan ad should be "So quiet that can't be picked"

  • @TheNinjaMarmot 7 days ago +26

    Reminds me of the Tempest attack decades ago, where they monitor the radiation from your CRTs.

    • @booboo699254 7 days ago

      Also keystrokes on wired keyboards. IBM had a whole line of Tempest-proof PCs.

    • @Tokmurok 7 days ago +1

      yeah great comparison.

  • @thomasb1521 7 days ago +3

    AMD must be loving this given that they have RAM encryption on their EPYC chips. It's a great demonstration of their chips' security.

  • @RavenMobile 7 days ago +3

    There are so many of these weird types of attacks! Even computers that are theoretically always offline without wifi/ethernet, still managed to get air gapped using crazy hardware techniques. It's mind-blowing how much you can exploit if you understand the low-level hardware.

    • @williamdrum9899 21 hours ago

      Which makes it scary because of how most programming is high level these days

  • @antinatalope 7 days ago +73

    I recall, many years ago, hearing about collecting data from a monitor by collecting the light bouncing off the walls, all line of sight though.

    • @jackhand4073 7 days ago +14

      or covertly listening to conversations by reading the vibrations in the glass of the room's window.

    • @personzorz 7 days ago +1

      @jackhand4073 I played that Splinter Cell game.

    • @drozcompany4132 7 days ago +4

      Reading monitors was TEMPEST and it was a real thing. You could see the other screen remotely, based on demodulating the CRT's scanning beam signal.

    • @drozcompany4132 7 days ago +2

      @jackhand4073 This actually worked better if you could hit a target in the room with the people, like a piece of paper or something lightweight, but yes you could also just use the reflection off a window pane, although it sounded very dull and susceptible to a lot of environmental noise pickup.

    • @ErazerPT 7 days ago

      @drozcompany4132 That use of (counter) TEMPEST was real, but what he was talking about was researched too, it was a sort of "image reconstruction" from reflected light. Don't think it got to "crystal clear" images though, more like "blurry blobs". But if you're trying to get intel on a place you have no hope of having LoS into, blurry blob beats nothing at all ;) And who knows, maybe NOW we have enough processing power that we could make it actually work...

  • @aboxofcheese4788 7 days ago +45

    Mordechai Guri is an absolute cyber fiend

    • @SunsetGraffiti 7 days ago +1

      The guy's a friggin Bond villain ...

  • @H1gh_C0mput1ng 7 days ago +12

    Thank you for this video. Saw a post on this earlier today, and I'm legitimately amazed at the ways an attacker can get through if they want to.

  • @Veptis 5 days ago +2

    I remember a reddit post that asked if a hard drive is heavier when you put data on it. And after hearing such a story... It might not be absurd anymore.
    Surely that dude's research lab is NSA funded behind some shells.

  • @eyoutubere 7 days ago +40

    I know it's just a thumbnail, but please don't stoop to the level of using "shocked faces" or other reaction faces. YouTube is awash with channels whose thumbnails are these face shots, and many to most of them are low quality trash or inaccurate content. Your content is the complete opposite of it (i.e. high quality, well researched and informed). Don't lower your standards

    • @benb3928 4 days ago +3

      Seconded. ...also this is NOT sniffing system RAM.
      Paper shows IF you ALREADY have access to an air-gapped system to run your code, you could use RF noise from power draw to transmit at a bandwidth of 1KHz. This is the opposite of sniffing actual contents of RAM.
      ..and since all components in a system generate RF by the very nature of electrons moving thru circuits, they can use varying the speed of the system fan to accomplish the same thing - that is IF you can get the air-gapped system to execute your code, you could relatively slowly transmit data using RF noise.
      Reading system RAM remotely this is NOT - far from it.

    • @bobhill-ol7wp 3 days ago +1

      Also just cringe

    • @eyoutubere 2 days ago

      @bobhill-ol7wp based on his latest video, it seems LLL is leaning into the reaction face...I like his content, but not the cringe and headache I get from the screenshots. If this continues, I may very well unsub 😞

  • @drozcompany4132 7 days ago +9

    Back in the early days of computers, they had to be FCC certified to not emit a ton of RFI. You had shielded chassis, grounding everywhere. Look inside an IBM PS/2. Now, not so much, partly because the higher operating frequencies attenuate faster, but also they are less likely to interfere with the critical bands like FM radio or TV. This is really interesting stuff.

    • @arthurmoore9488 7 days ago

      The thing is "not a ton" is still greater than zero. Even things designed to not emit large amounts of RFI can have transient states where they emit some. For example, motors draw enormous currents during startup.

    • @cyberyogicowindler2448 5 days ago

      The Atari 400 still contained a massive solid cast metal shielding against RFI, while modern crap intentionally cooks our nervous system with pulsed microwaves to infest the room with wifi, bluetooth or mobile radio.

  • @amyisreallybored 6 days ago +9

    wait until RAM Radio becomes a hobby and people compete to broadcast to higher and higher distances

    • @williamdrum9899 21 hours ago +1

      The virgin Ham Radio vs. the Chad RAM Radio

  • @circuitsmith 4 days ago +3

    35 years ago I worked as a field engineer for a company which made a 100 Hz-1 GHz EMI-TEMPEST receiver that could pick up signals from printers, copiers, even from a CRT phosphor screen (~220 MHz for those keeping score) for surveillance.

  • @dany_fg
    @dany_fg 7 days ago +6

    he is the one! the computer whisperer!
    shhh! he needs to listen first
    "yes yes, his bank password is 123456789"

  • @DariusOutdoors
    @DariusOutdoors 7 days ago +2

    It's like monitoring someone's heart rate in IR from afar! I feel violated! I remember HR did that to figure out how nervous people are.

  • @nakfan
    @nakfan 7 days ago +7

    So when you have built your shielded case…. don’t let the bad guys have access to your power lines as they will get the noise (data) from there 😅

  • @orangehatmusic225
    @orangehatmusic225 1 day ago +4

    I personally like how your diagram shows a line between two monitors which do not have ram @0:18

  • @johnFrom1984
    @johnFrom1984 7 days ago +4

    So security agencies are responsible for the push for glass side panels, got it. :D

    • @cyberyogicowindler2448
      @cyberyogicowindler2448 5 days ago

      The Atari 400 still contained a massive solid cast metal shielding against RFI, while modern crap intentionally cooks our nervous system with pulsed microwaves to infest the room with wifi, bluetooth or mobile radio.

  • @H33t3Speaks
    @H33t3Speaks 7 days ago +4

    Van Eck Phreaking was first found in the 80’s with old CRTs.

    • @xantiom
      @xantiom 5 days ago +1

      Gosh, those days are golden, TEMPEST! It seems people have forgotten all about that

  • @xTerminatorAndy
    @xTerminatorAndy 7 days ago +4

    of course just soundproofing isn't enough, as your power supply also leaks stuff to the grid, so if you're on the same power circuit you can still exfil

    • @arthurmoore9488
      @arthurmoore9488 7 days ago

      My thoughts exactly. It would be a fun thing to try. Especially if you can sync a whole room of PCs to increase the signal going to the grid.

  • @ravengelen
    @ravengelen 7 days ago +2

    Like Van Eck phreaking in the 80s and system bus radio. Can also be used to aid debugging by looking for signals on the control and data bus. Back in the 80s me and my teen nerd buddies used it to listen in real time to a sorting algorithm doing its work on a Z80-based machine, which was mesmerizing. You could clearly distinguish the phases of the algorithm and know when data was moved, but not what the exact data was. Not surprised it is possible to detect the actual data.

  • @wictimovgovonca320
    @wictimovgovonca320 6 days ago +3

    This takes me back to the late 70's. We were using General Automation computers with core memory, and someone wrote a program that generated EMF signals that could be picked up by a nearby radio (I don't remember for sure if it was AM or FM radio, I believe AM). We were not using it to send signals, but crude music.

  • @TurboLoveTrain
    @TurboLoveTrain 6 days ago +1

    I've been talking about this since the 90s since I got my degree in computer science. Your house's entire electrical system can also be turned into an antenna and everything with a current flowing through it outputs an EM signature. The feds have been doing this for decades.
    My friend built an antenna to snoop and made a mistake that ended up emitting an em pulse that got him a visit from the feds. Your brain has an em signature as well, which is how they are mapping dreams and literal imagination. People have no idea how their technology works much less what it's capable of. A SIMM card is a separate computer in your cellphone that has root access to everything as well.

  • @Felinaro
    @Felinaro 7 days ago +3

    RF noise, produced by computer, can be quite high. For example, I remember in the old times, I could literally HEAR mouse cursor movement. I.e. when line-in or mic feedback was turned on, background noise was not-so-random: if something happened on the screen, including such tiny things like mouse cursor movement, that noise was reflecting it.

    • @cyberyogicowindler2448
      @cyberyogicowindler2448 5 days ago

      My AsRock Fatality mainboard trumpets out every mouse motion or other USB activity through its sound output jack (despite I shielded my PC bigtower almost TEMPEST-grade). That's quite annoying to have that buzzing through all music on my audiophile tube amplifier.

    • @Felinaro
      @Felinaro 5 days ago

      @cyberyogicowindler2448 external USB sound card helps to mitigate that: it would be out of the case, and have additional VRMs.
      But I wonder, how much valuable info could be extracted via this side channel, since, for example for content creators, this noise gets recorded for a long time and could be extracted and analyzed later just by downloading their YT videos...

    • @cyberyogicowindler2448
      @cyberyogicowindler2448 4 days ago

      @Felinaro Beside limited audio bandwidth, YouTube audio is data reduced (like MP3) which ruins its phase information and so is not that useful anyway. More risky was when people played the dial-up noise of their analogue modem (those were designed to be audio-transmittable), which may have revealed their internet password when someone decoded the sound signal. Of course also recorded touch tones of telephone keys can be decoded to identify phone numbers (remember the door keypad thing in the Wargames movie).

    • @baronzad2056
      @baronzad2056 4 days ago +1

      oooooooooo so that's why my computer makes this weird high pitched noise whenever I move something around in blender

  • @jozsab1
    @jozsab1 7 days ago +1

    Something similar was presented in the NSA brochure about 10-20 years ago : security key extraction using computer power usage fluctuations, security key extraction using CPU heat fluctuations ...

  • @glynnetolar4423
    @glynnetolar4423 7 days ago +9

    Likely someone has already said this but isn't this just another version of tempest? In other words, this type of thing is old.

    • @RichardSimpson-u4c
      @RichardSimpson-u4c 7 days ago +7

      Yes, that was my very first thought. Tempest attacks have been around for decades (en.wikipedia.org/wiki/Tempest_(codename)), but I guess that every so often these lessons have to be learned all over again. There are plenty of people who have secrets MUCH more important than "Some clever advance in my new computer game" who work with rules like "Your computer is absolutely forbidden to be switched on within X metres (a long way) of the perimeter fence"

    • @jordansprojects
      @jordansprojects 7 days ago

      @RichardSimpson-u4c did this wiki use to have info? I see these links but they often also don’t yield results

  • @PasqualItizzz
    @PasqualItizzz 7 days ago +5

    Pump up the jam on your ram, while your feet are stompin'

    • @xantiom
      @xantiom 5 days ago +1

      Damn, I'm gonna play that now

  • @truckerallikatuk
    @truckerallikatuk 7 days ago +25

    Wait, someone re-discovered the EM signals from the machine? That was first used in the '80s to read CRTs... there's nothing new in the world.

    • @bmanpura
      @bmanpura 7 days ago +1

      How do they do it back in CRT era? just curious

    • @peterirvin7121
      @peterirvin7121 7 days ago

      @truckerallikatuk Good point. I'm surprised about the RAM thing because I didn't know the RAM chips were capable of emitting intelligible radio signals at even "across the room" distances.

    • @564df6g5h4d6f5g4h6d5
      @564df6g5h4d6f5g4h6d5 7 days ago +2

      TEMPEST (Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions[1]) is a U.S. National Security Agency specification and a NATO certification

    • @SomeDudeInBaltimore
      @SomeDudeInBaltimore 7 days ago +1

      @peterirvin7121 That's why they have to pump it multiple times per bit flip so they can be sure that's what it is and not just more random noise.

  • @74HC138
    @74HC138 7 days ago +1

    I'd hardly say it's novel - it's been known for a long while. Back in the 80s, I used to use my Sinclair ZX Spectrum as a crude radio transmitter (it was so RF leaky it wiped out the entire AM band). It was quite easy to modulate the interference it gave out, you could even play really bad music on a nearby radio. Modern computers are better shielded, but you'll always get some RF leakage. Anything you can modulate whether it be the noise of a GPU fan, or RFI from the memory bus etc. can be used to transmit data (perhaps very slowly in some cases).
    Back in the 80s the military were very worried about this stuff, the whole TEMPEST standard was created to attempt to stop secret data getting expropriated by RFI, either accidentally or deliberately.

    • @arthurmoore9488
      @arthurmoore9488 7 days ago +1

      Obviously. This guy has been doing this type of research for years. Doing it with RAM is what's novel. Every time someone says, "Oh but we can deal with that one," he comes out with another one. RF, Fan noise, LED blinking.
      The impressive thing isn't just thinking about it, but actually doing it. Which he did!

  • @KimTiger777
    @KimTiger777 7 days ago +26

    This is some next level James Bond tech. This technique might even work on smart phones too. 😵‍💫😵‍💫

    • @kaischreurs2488
      @kaischreurs2488 7 days ago +1

      kinda hard to airgap a smart phone in the first place

    • @AlexandreLefaure
      @AlexandreLefaure 6 days ago

      And just like James Bond tech it is unrealistic.

    • @kaischreurs2488
      @kaischreurs2488 6 days ago

      @AlexandreLefaure it's unlikely for it to be very useful but I don't see what you mean by unrealistic when it has been done.

    • @cyberyogicowindler2448
      @cyberyogicowindler2448 5 days ago

      @kaischreurs2488 Nope, it's the mobile radio network itself that may systematically scan all digital things through AI to spy e.g. offline computers. That's one reason why Huawei got banned in USA.

  • @semmu93
    @semmu93 4 days ago

    "so there you go, just jam your ram, and then ram your jam, that's all you gotta do" 😂 solid advice

  • @theodorekorehonen
    @theodorekorehonen 7 days ago +5

    This is an interesting thought experiment but in highly sensitive applications, it would be quite easy to implement shielding and defeat this. But I'd imagine the only people with this threat profile would be governments

    • @tiborbogi7457
      @tiborbogi7457 6 days ago +1

      How could somebody inject that malware to pc that is not connected to internet and have no physical access? If attacker gets access to pc to be able inject malware he can steal desired information, range of ram noise is only few meters, so information didn't penetrate thru the wall anyway.

  • @davestorm6718
    @davestorm6718 13 hours ago

    I noticed, that over the years, computer cases (chassis) have become more hole-y than ever. Once upon a time, cases were pretty effective faraday cages. Once upon a time, cables were shielded. Amazing!

  • @jeremiahlowe3268
    @jeremiahlowe3268 7 days ago +4

    Faraday cages for desktops just might be the next big thing. Better get on this, entrepreneurs.

    • @dengyun846
      @dengyun846 7 days ago +1

      Holland Shielding BV has been on it for years already.

    • @kuil
      @kuil 7 days ago +1

      Wrap the computer in aluminum foil. Or just don’t let anyone who doesn’t have business with the computer near the hardware…

    • @MrDasfried
      @MrDasfried 7 days ago +2

      Just take a good case

    • @cyberyogicowindler2448
      @cyberyogicowindler2448 5 days ago

      Mankind will eventually need hobbyist casemodding contests for TEMPEST hardening. A decade ago there were crypto parties (teaching data protection, not shitcoin scam currencies), now it's time to teach hardware stealthing. In early 1980th the Atari 400 still contained a massive solid cast metal shielding against RFI, while modern crap intentionally cooks our nervous system with pulsed microwaves to infest the room with wifi, bluetooth or mobile radio. Not least its mobile radio networks those may systematically scan all digital things through AI to spy e.g. offline computers (one reason why Huawei got banned in USA).

  • @DIYJim-wx6hq
    @DIYJim-wx6hq 4 days ago +1

    I interviewed for work with a US government contractor involved with communications. In 1982 they could read the text on a computer monitor across the street from the RF emitted from the monitor. Spy stuff has been around a long time.

  • @PS3PCDJ
    @PS3PCDJ 7 days ago +8

    1:14 Shots fired

  • @xantiom
    @xantiom 5 days ago +1

    Btw, this is the reason that the whole NSA building is a gigantic faraday cage. The same with the CIA base in Langley. Anti-TEMPEST hardware was supposed to be certified by the NSA.

  • @IreEternal
    @IreEternal 7 days ago +4

    This is so absurdly niche and impractical. You're able to get the malware on the computer somehow which implies you have had access to it but you can't just download things to a USB but you can place another device within 5 feet of the original device to listen for ram noise with a highly suspicious radio listening device attached to it and you're able to retrieve the information from the suspicious device either wirelessly or through physical proximity.
    I can imagine Ocean 11 style scenarios where this is actually useful if the noise can get through a wall and maybe and you're able to talk someone into a plugging a USB they got from a stranger into their computer to infect it.
    What would be infinitely more useful is if you did not need to infect the computer at all and you could detect the ram noise without intentional manipulation of reading/writing but I guess that would require a radio receiver the size of a mini van and even then it wouldn't work because there would be too much background noise. All of that being said, if you could find a way, it would instantly compromise the security of every computer in a way that cannot be stopped.

    • @morpheusjones4384
      @morpheusjones4384 7 days ago +1

      Mordecai Guri is based out of Israel and produces these PoCs with a team of engineers from many disciplines at his college. These were always meant to be integrated into an APT workflow. If you didn't know already. Israel is the tip of the spear when it comes to niche cybersecurity tactics

    • @cyberyogicowindler2448
      @cyberyogicowindler2448 5 days ago

      Digital products are often factory prebugged to permit national intelligence agencies to read the stored data. Websearch what Congaflock is (a type of cheap hidden antenna that can be e.g. scanned with radar to extract secret information).

  • @liquidsnake6879
    @liquidsnake6879 6 days ago

    i love that he named the one about the motherboard buzzer "El Grillo" you can tell it's a passion project when he gives everything funny names

  • @sarundayo
    @sarundayo 7 days ago +4

    Joke's on him! I play DUBSTEP on my machine to make MOAR noise :DD

    • @arthurmoore9488
      @arthurmoore9488 7 days ago

      I mean, he literally did put "make more noise" as an optional countermeasure in the paper...

  • @pauls5745
    @pauls5745 10 hours ago

    I remember an old 233 MHz PC I had on an old solid wooden desk. When I loaded a particular game, the desk resonated with the drive that just made it a nice soothing rhythm, unique to any other software I ever used.

  • @Kane0123
    @Kane0123 7 days ago +3

    If these ram sticks could talk… oh no

  • @AspartameBoy
    @AspartameBoy 3 days ago

    At MIT in 1967 we had the PDP 1, the first time-sharing computer. One of our nerds wired up a ram bit to make music.

  • @tranthien3932
    @tranthien3932 7 days ago +5

    We're reaching the point of building an anechoic chamber for work makes sense.

    • @arthurmoore9488
      @arthurmoore9488 7 days ago

      More like a facility in the middle of nowhere that doesn't allow unauthorized personnel to even get close to. Like Area 51. Also secret alien tech. :D

  • @etooamill9528
    @etooamill9528 7 days ago +2

    Ram your jam makes me immediately think of the memes about peanut butter with hole in the middle

  • @thefrub
    @thefrub 7 days ago +4

    Electricians have been using EM circuit testers for decades to find live wires in walls. Things like this are why it's good to look the world to find alternative methods of hacking. Everything is a side channel

  • @gwarf343
    @gwarf343 6 days ago +1

    There’s another attack using a similar method called a tempest attack which uses EMFs emitted from non-shielded HDMI cables to capture what’s being displayed on a monitor.

  • @Bagginsess
    @Bagginsess 7 days ago +3

    I thought we have known about this for decades?

  • @Angela_C_2024
    @Angela_C_2024 2 days ago

    The Tempest system in the 90's capable to read the infos displayed on a crt monitor 200m away was already impressing. That ram reading is nuts.

  • @AGentooUser
    @AGentooUser 7 days ago +3

    Even TempleOS is vulnerable!

  • @01ai01
    @01ai01 7 days ago +2

    Finally, I can get rid of my router and just network all my rams together!

  • @Unprotected1232
    @Unprotected1232 6 days ago +3

    I can't take this anymore. Modern computing is so broken. We need a complete reset.

  • @brucerosner3547
    @brucerosner3547 7 days ago +1

    Everything old is new again. In the 1970's there were programming challenges to play tunes over AM radios by writing specific memory patterns.

  • @danielberglv259
    @danielberglv259 7 days ago +8

    So...
    1: You cannot access the system from any network.
    2. You don't have physical access, hence why you would need this hack in the first place.
    3. But somehow you need to get some malware on it for this hack to work?
    I do not feel utterly nervous. It is pretty cool though, I will give him that.

    • @trapfethen
      @trapfethen 7 days ago

      The issues with air-gapped networks are two-fold. Getting in and Getting out. There are other viable methods of Getting In already out there, but without a way to exfiltrate data back out of those systems, the best you can do is cause damage (think randomly crashing the centrifuges Iran used to refine nuclear fuel). The types of vulnerabilities this individual specializes in is that exfiltration piece. So with these you can get in, grab a bunch of data that looks interesting, and get that data back out of the system without a traditional exfiltration strategy which usually involves gaining physical access through a separate operation from the one that was used to infect the system to begin with.

    • @jenaf4208
      @jenaf4208 7 days ago +1

      Stuxnet got into air gapped systems, so that's already happened, the attack vector is more viable than you think

    • @Shocker99
      @Shocker99 7 days ago

      @jenaf4208 Stuxnet attacked the PLC by physically inserting a malicious slave node for a motor drive into the system. Motor drives do fail and need attending to by the maintenance crew, which they need to have physical spares to swap out. Furthermore, a PLC system for a large plant is spread out over a build - there are plenty of opportunities for a bad actor to do something naughty. It's very different to a PC that's actually air gapped and contained within an office cubicle.
      Until recently, PLC systems didn't have any security on their networks - they're all open, which means they can be sniffed at with WireShark and played with really easily. And a lot of modern PLC systems remain open by default; it's at the programmer's discretion as to whether the system gets locked down. In modern systems, programmers can lock out new physical items if they don't have the correct serial numbers.

    • @futuza
      @futuza 7 days ago

      This is how you do it:
      You are CCP, you find out about the Australia government secret project to research and develop working warp drives. Unfortunately all the data you want to steal about how to make one is on an air gapped system, in an impenetrable fortress of security. Fortunately you find out that the Aus Gov always buys their motherboards from a supplier in Taiwan that you have infiltrated with CCP agents. You have your agents modify the next motherboard design so that it will include malware on the MB Bios that allows it to not only keylog but also write directly to RAM to get it to sing to the universe. They buy these and you now have malware on their machines collecting the secrets for you and start broadcasting on the RAM. You get your CCP agent to start working at a pizza place down the street from the Warp Drive Research Office, eventually someone orders a pizza and she delivers it with a radio detector hidden in her pizza bag, she gets up close to the gate to drop off the pizza and starts detecting the RAM broadcasting the secrets. She flirts with the gate guard long enough to download the secret design PDFs. She then sends the CCP the data and they beat the Australians to developing the first warp drive as a result and China dominates the interstellar industry.

    • @cyberyogicowindler2448
      @cyberyogicowindler2448 5 days ago

      @trapfethen Digital products are often factory prebugged to permit national intelligence agencies to read the stored data. Websearch Congaflock (a type of cheap hidden antenna that can be e.g. scanned with radar to extract secret information).

  • @computersales
    @computersales 5 days ago +2

    We're at the point now that even the shielding needs shielding to stop the shielding from leaking all the things.

    • @cyberyogicowindler2448
      @cyberyogicowindler2448 5 days ago

      Mankind will eventually need hobbyist casemodding contests for TEMPEST hardening. A decade ago there were crypto parties (teaching data protection, not shitcoin scam currencies), now it's time to teach hardware stealthing. In early 1980th the Atari 400 still contained a massive solid cast metal shielding against RFI, while modern crap intentionally cooks our nervous system with pulsed microwaves to infest the room with wifi, bluetooth or mobile radio.

  • @Mmouse_
    @Mmouse_ 7 days ago +5

    This is kinda like someone had an unlimited budget and resources, ignored ethics and genetically engineered a horse with wings and a horn on its head and called it a unicorn.
    Is it possible? Yea maybe... Is it going to happen and be useful? Fuck no.

    • @glynnetolar4423
      @glynnetolar4423 7 days ago

      Unlimited budget, oh no, government grant I bet. We paid for it.

  • @WyldeDay
    @WyldeDay 7 days ago +1

    This is known as a Side Channel Attack. The concept of 'listening' to data in chips or wiring via electromagnetic radiation or physical vibration is a years old topic.

  • @Pocketkid2
    @Pocketkid2 7 days ago +8

    "Jam your ram, and then ram your jam"

  • @dullorb
    @dullorb 2 days ago

    That reminds me of an article back in the day of how someone figured out how to capture the RF signal of CRT monitors and surreptitiously view them. Thankfully this was at the same time CRTs were being phased out so I expect it never really became a thing.

  • @stefflus08
    @stefflus08 7 days ago +3

    Until you replicate it for us I call BS on this. There is no way he is discerning signal from noise or injecting it over any distance. GPU fan, that is just silly. Like the free energy videos often originating from that same region of the planet.

  • @sashogs
    @sashogs 7 days ago +1

    “Working on an mmo and you refuse to let anyone to know how little work you’ve done so far” this is too real lol

  • @BigBaddaBoom
    @BigBaddaBoom 7 days ago +7

    Ram your Jam & Jam your Ram

  • @guydreamr
    @guydreamr 5 days ago

    His research has also definitely paid off in the clever use of acronyms.

  • @davidfrischknecht8261
    @davidfrischknecht8261 7 days ago +9

    FYI, "Mordechai" is pronounced with a 'k', not a "ch". It's a Hebrew name.
    It seems they were only able to read the data because on the target machine they were writing it in a specific way. I don't see how this could be used to read data from any computer you don't have control over.

    • @xerr0n
      @xerr0n 7 days ago +1

      perhaps with an ai.....that been fed large amounts of training data specifically on this topic....

    • @xerr0n
      @xerr0n 7 days ago +1

      yeah, now that ive watched the whole video, "screaming" bits for the radio to hear is rather specific

    • @mattgideon4060
      @mattgideon4060 7 days ago +5

      @xerr0n the novelty is being able to use it as a data exfiltration system. in a setting that a hacker can get access to a closed system, normally they can't get information out of the system. this would give someone the ability to get information and then convert it to a "screaming bits" formatting for an external monitor to pick up, therefore breaking the closed system.

    • @mkdir1490
      @mkdir1490 7 days ago +1

      @davidfrischknecht8261 I had the same thought at first, but requiring them to get their code onto the computer isn’t actually unfair when you consider that supply chain attacks from software the user willingly includes are a common method of attack even when not air gapped. In the normal case the hidden malicious code calls back out to a command and control server and gives the attacker remote access of some kind. In the air gapped case it can start writing to ram in this pattern. To summarize, this isn’t meant as a way of peering into what a computer is doing in general, it’s a communication method for malicious code that has already gotten there somehow and finds itself in an air gapped environment

    • @cyberyogicowindler2448
      @cyberyogicowindler2448 5 days ago

      @xerr0n This way mobile radio networks may systematically scan all digital things through AI to spy e.g. offline computers. That's one reason why Huawei got banned in USA.

  • @IdentityCrisis1581
    @IdentityCrisis1581 1 day ago

    This is reminding me a lot of a method these researchers discovered to extract audio data from a photograph. Like an emulsion film photograph. The lenses in the camera are extremely sensitive to vibrations and have a physical stabilizer to keep sound waves from making the picture blurry. That movement of the lens can somehow be detected in the picture itself and audio can be made from it. So you can literally hear what people were talking about when they took the picture. Somehow this works for digital cameras too. I can't remember the exact details but it seems like something similar going on here.

  • @privacyvalued4134
    @privacyvalued4134 7 days ago +4

    When I move my mouse at just the right angle, I can hear the electronics inside make noise. It's an extremely high pitch that hurts my ears. Electronic hum is a real thing and varies in pitch and volume, so I'm not surprised someone can read RAM based on the audible sounds that a computer makes as it stores and retrieves memory. What you don't realize is that the reverse can be true as well. You can use a speaker, for instance, to produce electricity. It's far less efficient at doing so than a microphone, but it works. I suspect all air-gapped systems are technically susceptible to the reverse of these attacks: Actively injecting data into a target system through the air.

    • @opposite342
      @opposite342 7 days ago

      The thing is the hardware would not be listening for data. If you're saying to manipulate electrical signals with RF I think it might be better to use electromagnetic signals if anyone wants to try to make an actual research on this.

    • @casualamber
      @casualamber 6 days ago +1

      Similar to CRT TVs. They emit a high-pitch noise

    • @cyberyogicowindler2448
      @cyberyogicowindler2448 5 days ago

      My AsRock Fatality mainboard trumpets out every mouse motion or other USB activity through its sound output jack (despite I shielded my PC bigtower almost TEMPEST-grade). That's quite annoying to have that buzzing through all music on my audiophile tube amplifier.

  • @BatterOrWurst
    @BatterOrWurst 4 days ago

    Around 1980 I repaired Selectric typewriters for IBM. Our office received several new machines destined for a defense contractor for shipment to US embassies. We had to install a large capacitor and a motor with a heavy flywheel in each machine because the Russians could read what was typed by monitoring voltage fluctuations on the power line.

  • @SimoneRicco-ko7or
    @SimoneRicco-ko7or 7 days ago +3

    Would a cyberdeck inside a hard aluminum bag without an internet connection still be attacked?

  • @Yumari-Mai
    @Yumari-Mai 4 days ago

    That researcher is absolutely genius. I mean, sure, this is done on consumer hardware and with a previously infected computer, but the techniques used/invented and the sheer ideas that this could be done are totally mindblowing. On a side note, is there a reason you don't use an adblocker? In all your vids I've seen, there are those BS ads popping up on your screen. C'mon, use a blocker of your choice already! :D

  • @_Safety_Third_
    @_Safety_Third_ 7 days ago +4

    jesus h christ

  • @Aussiesnrg
    @Aussiesnrg 2 days ago

    Back in the day my brother and I used to put a radio next to our TRS-80 when playing Star Trek to get snazzy computer sounds.
    It had an extra benefit that the sounds it made could warn you if enemies were going to attack.
    So yeah....

  • @georgeindestructible
    @georgeindestructible 7 days ago +1

    I wanna see him do that on properly shielded and grounded RAM modules/PC cases.

  • @alternativewalls4988
    @alternativewalls4988 1 day ago +1

    At some point blackmailing the person they're hacking gotta be easier

  • @tony-does-stuff
    @tony-does-stuff 6 days ago +1

    RGB RAM bros punching the air rn knowing that if someone can HEAR their RAM then they could definitely see the lights and that can be used as a communication technique to transmit data.

  • @dtplayers
    @dtplayers 11 minutes ago

    Now we just need to figure out how to send data back to the computer via the ram, and we won't need wifi cards anymore! 😂

  • @DerAlbi
    @DerAlbi 7 days ago +1

    I once wrote a program that loaded the cpu in a specific way, modulating its power consumption. Another program could measure the local cpu throughput which modulates when hitting power limitations. I could transfer data between separate VMs running on the same threadripper system in the low 100 bytes/s range using common modulation techniques found in radio communications. If I knew that such things would be relevant... 😀.

  • @DelticEngine
    @DelticEngine 7 days ago +1

    Basically, this is why we have EMC (ElectroMagnetic Compatibility) and similar standards and why most computer cases these days are junk because they allow EMR (ElectroMagnetic Radiation) to radiate. Industrial and genuine business servers and desktops are designed to EMC standards that minimise EMR. All this makes any attack like this practically impossible. Otherwise, if you build your own systems, choose a proper case designed with appropriate shielding as standard.

    • @cyberyogicowindler2448
      @cyberyogicowindler2448 5 days ago

      All-metal laboratory PC cases are designed to block most RFI. But mankind will eventually need hobbyist casemodding contests for TEMPEST hardening. A decade ago there were crypto parties (teaching data protection, not shitcoin scam currencies), now it's time to teach hardware stealthing. Not least its mobile radio networks those may systematically scan all digital things through AI to spy e.g. offline computers (one reason why Huawei got banned in USA).

  • @tconiam
    @tconiam 7 days ago +1

    This has been known since the beginning. One of the first home built computer demos was to play music through an AM radio placed near the computer.