
RAMBO Attack Steals Data From Air-gapped Systems

Researchers have examined how air-gapped networks can be attacked despite their physical isolation. Once malware is present on an isolated machine, the air gap no longer stops exfiltration: data can still leave over covert channels, such as the electromagnetic emissions of the computer itself.

In the attack model, malware already running on the isolated computer drives memory accesses in a pattern that makes the RAM bus radiate a radio signal, encodes sensitive data onto that signal, and a receiver some distance away picks it up. The paper presents the design and implementation of both sides: the transmitter (the malware) and the receiver.

Experimental results demonstrate the feasibility of the attack, highlighting the need for robust countermeasures to protect air-gapped networks from such threats.

Attack demonstration

The study presents a novel covert channel based on electromagnetic emissions from the RAM bus. The transmitter modulates memory access patterns to encode data, which is then demodulated by the receiver. 

The data is Manchester encoded. Each bit is sent as two half-bit symbols, so the signalling rate, and with it the bandwidth the channel has to carry, is twice the bit rate; in exchange, every bit contains a transition the receiver can use for clock synchronization, and a pair of identical half-bits is never valid, which gives simple error detection.

The transmitter keeps the RAM bus busy with the MOVNTI instruction, a non-temporal store that bypasses the cache and writes straight to memory, so every store actually drives the bus and contributes to the emission. Each transmission starts with a preamble; the demodulator searches for this alternating bit sequence to find the start of a frame and align its bit boundaries.

Comparing Manchester encoding against plain OOK modulation, the authors concluded that Manchester encoding suits this covert channel better because of its self-clocking and error detection, even though it doubles the bandwidth cost.
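To make the framing concrete, here is an added Python example written for this summary; it is not the RAMBO authors' code. It Manchester-encodes a payload behind an alternating preamble, models the transmitter's on/off memory-bus activity as OOK amplitude samples with constructed Gaussian noise (a real transmitter would spend each "on" half-bit in a tight loop of MOVNTI stores and each "off" half-bit idling), and then runs the receiver side: slice the samples into half-bits, search for the preamble, decode the Manchester pairs and count invalid pairs as detected errors. The preamble length, the samples-per-symbol figure, the Manchester convention (IEEE 802.3, 0 -> 10, 1 -> 01), the single length byte and the noise level are assumptions of this example, not parameters taken from the paper.

```python
"""Manchester-coded OOK framing for a RAM-bus covert channel.

Added illustration for this article; not the RAMBO authors' code.
Every numeric parameter below is an assumption chosen for the example."""
import random

PREAMBLE = [1, 0] * 8      # assumption: 16 alternating half-bit symbols mark a frame start
SAMPLES_PER_SYMBOL = 8     # assumption: receiver samples per half-bit after decimation
BIT_RATE = 1000            # bps; the paper reports hundreds of bits per second in practice


def symbol_period_s(bit_rate=BIT_RATE):
    """Manchester sends two half-bit symbols per bit, so the signalling rate
    (and the bandwidth the channel must carry) is twice the bit rate."""
    return 1.0 / (2 * bit_rate)


def bytes_to_bits(data):
    """MSB-first bit list of a byte string."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits):
    """Inverse of bytes_to_bits; a trailing partial byte is dropped."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - 7, 8))


def manchester_encode(bits):
    """IEEE 802.3 convention (an assumption here): 0 -> [1, 0], 1 -> [0, 1].
    Every bit therefore contains a transition the receiver can clock on."""
    out = []
    for b in bits:
        out += [0, 1] if b else [1, 0]
    return out


def manchester_decode(symbols):
    """Return (bits, n_invalid). [0, 0] and [1, 1] never occur in a valid
    Manchester stream, so any such pair is a detected transmission error."""
    bits, invalid = [], 0
    for i in range(0, len(symbols) - 1, 2):
        pair = (symbols[i], symbols[i + 1])
        if pair == (1, 0):
            bits.append(0)
        elif pair == (0, 1):
            bits.append(1)
        else:
            invalid += 1
            bits.append(0)   # placeholder keeps the rest of the frame aligned
    return bits, invalid


def build_frame(payload):
    """Frame = raw (unencoded) preamble + Manchester(length byte + payload).
    The preamble is sent raw so it is a recognisable alternating pattern at
    the half-bit level; the receiver locks onto its first occurrence."""
    if len(payload) > 255:
        raise ValueError("single length byte assumed")
    return PREAMBLE + manchester_encode(bytes_to_bits(bytes([len(payload)]) + payload))


def modulate(symbols, rng=None, noise_sigma=0.1):
    """OOK on the RAM bus: half-bit 1 = bus busy (e.g. a loop of MOVNTI stores),
    half-bit 0 = idle. Returns constructed envelope samples a receiver would
    see, with Gaussian noise standing in for the real channel."""
    rng = rng or random.Random(0)          # seeded so runs are repeatable
    samples = []
    for s in symbols:
        samples += [float(s) + rng.gauss(0.0, noise_sigma)
                    for _ in range(SAMPLES_PER_SYMBOL)]
    return samples


def demodulate(samples, threshold=0.5):
    """Average each half-bit's samples and slice against a fixed threshold."""
    symbols = []
    for i in range(0, len(samples) - SAMPLES_PER_SYMBOL + 1, SAMPLES_PER_SYMBOL):
        chunk = samples[i:i + SAMPLES_PER_SYMBOL]
        symbols.append(1 if sum(chunk) / len(chunk) > threshold else 0)
    return symbols


def find_frame(symbols):
    """Lock onto the first alternating preamble, then decode length and payload.
    Returns (payload_bytes, n_invalid_pairs) or None if no full frame is present."""
    n = len(PREAMBLE)
    for i in range(len(symbols) - n + 1):
        if symbols[i:i + n] != PREAMBLE:
            continue
        start = i + n
        length_bits, bad_len = manchester_decode(symbols[start:start + 16])
        if len(length_bits) < 8:
            return None
        length = bits_to_bytes(length_bits)[0]
        body = symbols[start + 16:start + 16 + 16 * length]
        if len(body) < 16 * length:
            return None
        payload_bits, bad_body = manchester_decode(body)
        return bits_to_bytes(payload_bits), bad_len + bad_body
    return None


if __name__ == "__main__":
    tx = [0] * 5 + build_frame(b"secret")          # idle bus, then one frame
    print(find_frame(demodulate(modulate(tx))))    # (b'secret', 0)
    tx[40] ^= 1                                    # one flipped half-bit in the payload
    print(find_frame(demodulate(modulate(tx))))    # first byte corrupted, 1 invalid pair reported
```

The flipped half-bit in the last step is what Manchester's error detection buys: any single symbol error turns a valid pair into [0, 0] or [1, 1], so the receiver knows the byte is suspect instead of silently accepting it, which plain OOK without line coding cannot offer.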


Ettus B210 Universal Software Radio Peripheral (USRP)

The evaluation shows that the RAMBO channel can exfiltrate data through the electromagnetic emissions of DDR RAM. At the lower bit rates the channel kept a high signal-to-noise ratio and a low bit error rate across the tested distances; at higher bit rates the SNR fell and the error rate rose, which is what limits the speed of the channel.

Faraday shielding and virtualization were both shown to be effective countermeasures, but neither is cheap or practical to deploy across an entire fleet.

The channel's carrier frequency is set by the DDR clock, so the band a receiver must watch depends on the memory module in the target. Spread spectrum clocking, which dithers the memory clock to reduce EMI, spreads that emission over a wider band and weakens the signal the receiver sees. Overall, the RAMBO covert channel presents a significant security risk, requiring careful consideration of countermeasures.

Transmission at 10,000 bps.

Several countermeasures can be employed to mitigate the RAMBO attack. Physical separation, with zone restrictions keeping potential receivers out of range and Faraday enclosures blocking the emissions, can prevent the leak outright.

Host-based intrusion detection systems and hypervisor-level monitoring can flag the unusual, rhythmic memory access pattern the transmitter has to produce. External spectrum analyzers can spot the covert transmission in the DDR frequency band, and radio jammers can disrupt it.

Internal memory jamming, in which a background process generates its own memory traffic to add noise to the channel, can also disrupt the transmission, but at a performance cost to legitimate workloads. Since each of these countermeasures offers a different level of protection, a combination of approaches is usually necessary to defend effectively against the RAMBO attack.

The paper demonstrated a novel air gap covert channel attack that exploits memory operations in isolated computers to exfiltrate sensitive data. By manipulating memory-related instructions, attackers can encode and modulate information on electromagnetic waves emitted from the memory buses. 

A nearby receiver equipped with a software-defined radio can then intercept, demodulate, and decode the transmitted data, which enables attackers to leak various types of information, including keystrokes, files, images, and biometric data, at a rate of hundreds of bits per second.


Aman Mishra

Aman Mishra is Security Reporter at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
