Researchers have uncovered vulnerabilities in air-gapped networks, revealing that despite being physically isolated, these systems can still be compromised through covert channels such as electromagnetic emissions. The attack strategy involves malware that manipulates RAM to generate radio signals, which can be encoded with sensitive information and exfiltrated over a distance. The study details the creation and testing of a transmitter and receiver for these signals, demonstrating the attack's feasibility and underscoring the need for stronger defenses against such threats.
The research introduces a novel covert channel based on electromagnetic emissions from the RAM bus. The transmitter modulates memory access patterns to encode data, which is subsequently demodulated by the receiver. By employing Manchester encoding, the system obtains clock synchronization and error detection, which improves data transmission speed but also increases bandwidth requirements. The transmitter uses the MOVNTI instruction to sustain RAM bus activity and incorporates a preamble sequence for synchronization. Data framing by the receiver is achieved through an alternating bit sequence. A comparison with OOK modulation showed that Manchester encoding is better suited to this covert channel because of its superior synchronization and error detection capabilities.
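To make the framing concrete, the following Manchester encoder and receiver with an alternating preamble is an added example, not code from the paper; the 16-bit preamble length, the 8-bit length field, the IEEE 802.3 chip convention and the idle-chip value are assumptions, since the page does not give them.

```python
"""Manchester coding with an alternating preamble, as in the RAMBO framing
described above. Added example; frame layout and constants are assumptions."""
from typing import List, Optional, Tuple

PREAMBLE = [1, 0] * 8   # assumed: 16 alternating bits mark the frame start
IDLE_CHIP = 0           # assumed: an idle bus produces no transitions


def manchester_encode(bits: List[int]) -> List[int]:
    """IEEE 802.3 convention: 0 -> (0,1), 1 -> (1,0). Every bit has a
    mid-bit transition, which gives the receiver its clock and lets it
    flag corrupted symbols (0,0) or (1,1) that carry no transition."""
    return [chip for b in bits for chip in ((1, 0) if b else (0, 1))]

def build_frame(payload: bytes) -> List[int]:
    """Frame = preamble + 8-bit length + payload bits, all Manchester coded."""
    length_bits = [(len(payload) >> i) & 1 for i in range(7, -1, -1)]
    data_bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    return manchester_encode(PREAMBLE + length_bits + data_bits)

def decode_symbols(chips: List[int]) -> Tuple[List[int], List[int]]:
    """Map chip pairs back to bits; return (bits, indices of invalid symbols)."""
    bits, invalid = [], []
    for i in range(0, len(chips) - 1, 2):
        pair = (chips[i], chips[i + 1])
        if pair not in ((1, 0), (0, 1)):
            invalid.append(i // 2)      # no mid-bit transition: detected error
        bits.append(1 if pair == (1, 0) else 0)   # placeholder 0 when invalid
    return bits, invalid

def receive(chips: List[int]) -> Optional[Tuple[bytes, List[int]]]:
    """Find the preamble at chip granularity (this fixes bit alignment), then
    decode length and payload. Returns (payload, indices of erroneous bits
    counted from the end of the preamble), or None if no frame is found."""
    pattern = manchester_encode(PREAMBLE)
    n = len(pattern)
    start = next((i for i in range(len(chips) - n + 1)
                  if chips[i:i + n] == pattern), None)
    if start is None:
        return None
    bits, invalid = decode_symbols(chips[start + n:])
    if len(bits) < 8:
        return None
    length = int("".join(map(str, bits[:8])), 2)
    data_bits = bits[8:8 + 8 * length]
    if len(data_bits) < 8 * length:
        return None
    payload = bytes(int("".join(map(str, data_bits[i:i + 8])), 2)
                    for i in range(0, len(data_bits), 8))
    return payload, [i for i in invalid if i < 8 + 8 * length]
```

Because the preamble is matched at chip rather than bit granularity, the receiver recovers alignment from any starting offset; a symbol with no mid-bit transition is reported as an error index rather than silently decoded.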
The evaluation of the RAMBO covert channel highlights its effectiveness in exfiltrating data via electromagnetic emissions from DDR RAM. Tests across various distances and bit rates showed that the channel maintained a strong signal-to-noise ratio and low bit error rates, although lower SNR levels limited high-speed data transfers. While Faraday shielding and virtualization emerged as effective countermeasures, their widespread deployment remains limited. Additionally, the DDR RAM clock frequency determines the covert channel's frequency range, which can be altered by spread spectrum clocking. Overall, the RAMBO covert channel poses a significant security risk, necessitating careful assessment and implementation of protective measures.
To mitigate the RAMBO attack, several countermeasures can be adopted. These include physical separation through zone restrictions and Faraday enclosures to prevent information leakage, and the use of host-based intrusion detection systems and hypervisor-level monitoring to detect suspicious memory access patterns. External spectrum analyzers and radio jammers can identify and disrupt covert radio transmissions, while internal memory jamming can interfere with the covert channel, albeit with potential impacts on legitimate operations. Effective defense against the RAMBO attack typically requires a combination of these strategies.
The study demonstrated a groundbreaking air-gap covert channel attack that leverages memory operations in isolated computers to exfiltrate sensitive data. By manipulating memory-related instructions, attackers can encode and modulate information onto electromagnetic waves emitted from memory buses. A nearby receiver, equipped with a software-defined radio, can then intercept, demodulate, and decode the transmitted data. This enables attackers to leak various types of information, including keystrokes, files, images, and biometric data, at rates of hundreds of bits per second.