Investigators examine the susceptibility of air-gapped networks to nasty attacks. Despite their physical isolation, these networks can be compromised through secret channels, such as electromagnetic emissions.
The attack model involves malware manipulating RAM to render radio signals that can be encoded with susceptible data and exfiltrated from a distance. It presents the design and implementation of a transmitter and receiver competent for sending and receiving these signals. Experimental consequences indicate the feasibility of the attack, highlighting the demand for strong countermeasures to protect air-gapped networks from such hazards.
The study offers an unexplored secret channel based on electromagnetic emissions from the RAM bus. The transmitter modulates remembering access patterns to encode data, which is then demodulated by the receiver. Using Manchester encoding for faster transmission ensures clock synchronization and error detection, which improves bandwidth needs.
The transmitter utilizes the MOVNTI instruction to maintain RAM bus activity and uses a preamble sequence for synchronization. The demodulator frames the received data based on an alternating bit series. A comparison between Manchester encoding and OOK modulation concluded that Manchester encoding is more appropriate for this covert channel due to its synchronization and blunder detection uses.
The evaluation of the RAMBO covert channel indicates its significance in exfiltrating data through electromagnetic emissions from DDR RAM. Despite variable distances and bit rates, the channel maintained a high signal-to-noise ratio and low bit error paces. Low SNR levels limited high-speed communications. Faraday shielding and virtualization were revealed to be adequate countermeasures, but they are not widely deployable.
The DDR RAM clock frequency affects the covert channel’s frequency range and can be influenced by the spread range clock. Overall, the RAMBO covert channel poses a substantial safety threat and needs a careful review of countermeasures.
Several countermeasures can be used to mitigate the RAMBO attack. Physical separation operating zone rules and Faraday enclosures can control data leakage. Host-based intrusion detection systems and hypervisor-level monitoring can catch suspect memory access patterns. Superficial spectrum analyzers and radio jammers can recognize and disrupt covert radio communications.
Internal memory jamming can interrupt the hidden channel and may also impact legitimate operations. While these countermeasures offer variable levels of security, a variety of methods are often required to virtually protect against the RAMBO attack. The report showed an unknown air gap covert channel attack that manipulates memory operations in remote computers to exfiltrate susceptible information. By working memory-related instructions, detractors can encode and modulate data on electromagnetic waves emitted from the memory buses.
A nearby receiver provided with a software-defined radio can then intercept, demodulate, and decode the transferred data, which allows assaulters to circulate various types of data, including keystrokes, files, photos, and biometric data, at a rate of hundreds of bits per second.