Thu, Apr 6, 2023

What Is a DMA Attack? Understanding and Mitigating the Threat

You have probably wondered what would happen if your company laptop got lost or stolen. Would someone be able to extract sensitive data from your laptop even if the device is encrypted or locked?

There are several ways to compromise a laptop with physical access, and one of them is through a direct memory access (DMA) attack.

A DMA attack is a type of cyberattack that allows an attacker to gain direct access to a computer’s memory. DMA attacks take advantage of a feature of modern computers that allows certain devices, such as external hard drives, graphics cards or network cards, to access the computer’s memory directly, without the participation of the processor. This is useful for improving performance, but it also creates a potential security vulnerability.

How a DMA Attack Works

One of the main ways that DMA attacks are carried out is through the use of hardware devices, such as Field Programmable Gate Arrays (FPGAs). These devices can be programmed to act as a “man-in-the-middle,” allowing the attacker to intercept and alter data as it is transferred between the device and the computer. These attacks are particularly dangerous because they bypass the usual security measures that are in place to protect a system’s data, such as password protection or encryption.

A successful DMA attack can allow criminals to conduct a wide range of malicious activities, including removing password requirements, extracting encryption keys, escalating privileges, installing backdoors into the system and stealing data.

DMA attacks can be performed through a variety of different types of connections such as Thunderbolt, USB 4.0, ExpressCard, PC Card or any other PCI/PCIe hardware interfaces. PCILeech is one example of a tool that can be used to carry out these attacks via an available PCIe slot.

During our engagements, we have seen that some of the DMA attack vectors are still valid, in particular when the threat actor has the possibility to open the case of the computer. Despite the fact that device manufacturers and operating system vendors are shipping laptops with enhanced security and hardening, many organizations still do not have adequate security measures in place to protect their company laptops from physical attacks, or they rely on hardware that does not support all the security features of recent operating system versions such as Windows 11.

Recent Examples of DMA Attacks

While these attacks are relatively rare in real-world scenarios, they remain practicable.

By the end of 2021, Microsoft Mechanics shared a video where they showed how a locked computer with biometric authentication can be unlocked in a few minutes by performing a DMA attack over Thunderbolt.

During last year’s Black Hat USA, security researchers from Ledger discovered and presented various vulnerabilities in some Intel Wi-Fi chips; one of them allowed them to achieve code execution on a system by leveraging the DMA capability of wireless cards. Once reported, these types of vulnerabilities are usually quickly addressed by hardware vendors, and patches are released before details are made public. However, end users commonly do not update hardware components and drivers regularly; thus, they remain vulnerable for long periods.

DMA Attack Mitigations

To defend against DMA attacks, there are several measures and security features at the hardware, firmware and system level that organizations should configure and use.

  • Use physical security measures, such as locks and access controls, to prevent unauthorized access to your computers.
  • Consider using Hibernate instead of Sleep mode when you know that you will not use your laptop for an extended period. Hibernate mode can help protect against DMA attacks to some extent, as it clears the computer’s RAM. It is important to note that hibernate mode is not a foolproof security measure against DMA attacks, as some DMA attacks can still target the hard disk itself, where the saved state is stored.
  • Keep running the latest Unified Extensible Firmware Interface (UEFI) firmware versions. UEFI should be used instead of legacy BIOS, with the following security features enabled:
      • Enable the Input/Output Memory Management Unit (IOMMU) in the UEFI to restrict DMA through communications ports like Thunderbolt, PCI and PCIe. The IOMMU provides protection against malicious devices trying to access memory locations that they are not authorized to access.
      • Enable Secure Boot and Trusted Boot. Secure Boot is a UEFI feature designed to block execution of non-verified OS code during the boot process. Trusted Boot takes over where Secure Boot ends; it is typically implemented in a system's firmware and is designed to be more resilient than software-based security measures such as Secure Boot. This makes it more difficult for attackers to bypass or disable the feature.
      • Make sure you set up a UEFI password to prevent changes to the firmware settings. Although there are several ways to clear a BIOS password lock, protecting it adds an extra step that threat actors would have to bypass to make their attacks successful.
  • Make sure that Microsoft Virtualization-Based Security (VBS) features are activated and enable Device Guard. Device Guard is a security feature that helps prevent the execution of malicious software on a device. It does this by only allowing trusted apps to run, based on predetermined criteria such as the app’s publisher or the location where the app was downloaded from. Also consider enabling Credential Guard to protect against other attacks attempting to steal credentials from a live system.
  • Enable Kernel DMA Protection (KDP), which provides IOMMU protection for computers. KDP works by restricting the use of DMA to authorized devices. It does this by enforcing a set of policies that determine which devices are allowed to use DMA and which are not. Devices that are not on the list of authorized devices are blocked from using DMA.
  • Consider the use of a pre-boot authentication solution using, for example, a Trusted Platform Module (TPM) combined with a second factor (biometric authentication, certificate or password). This will significantly reduce the chances of a successful DMA attack.
  • Error-correcting code (ECC) memory can help to protect a system from some types of DMA attacks by detecting and correcting errors that may be introduced into the system’s memory by a rogue DMA device, as it can potentially detect when data has been modified. If your company laptops support ECC, it can provide an extra layer of protection and complement existing safeguards.
  • Keep your operating system updated, preferably with the latest version of Windows, as many of the protections mentioned above are on by default. It is also advisable to keep your drivers updated, which ensures that the security protocols are also updated and helps prevent hardware security issues.
  • Lastly, consider using security software to detect and block suspicious DMA activity. EDR deployment can provide security teams with the visibility they need to defend their endpoints.
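Several of the mitigations above can be audited from the endpoint itself. The following PowerShell function is an added example, not part of the original article or any vendor tooling: it reads the documented Win32_DeviceGuard class for VBS, IOMMU, Credential Guard and HVCI state, checks Secure Boot, and inspects the BitLocker and Kernel DMA Protection policy registry values (the policy key paths and value meanings are assumed from the corresponding Group Policy settings). Run it from an elevated PowerShell session.

```powershell
# Added example: audit a Windows endpoint for DMA-related mitigations.
# Assumes an elevated session; registry policy paths are those written by Group Policy.
function Get-DmaMitigationPosture {
    $result = [ordered]@{}

    # Win32_DeviceGuard exposes VBS and platform security properties (documented class).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $result['VBS running'] = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # AvailableSecurityProperties: 2 = Secure Boot, 3 = DMA protection (IOMMU present and usable)
    $result['IOMMU (DMA protection) available'] = ($dg.AvailableSecurityProperties -contains 3)

    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $result['Credential Guard running'] = ($dg.SecurityServicesRunning -contains 1)
    $result['HVCI running']             = ($dg.SecurityServicesRunning -contains 2)

    # Secure Boot state as reported by the firmware; the cmdlet throws on legacy BIOS systems.
    try   { $result['Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI) }
    catch { $result['Secure Boot enabled'] = $false }

    # BitLocker policy "Disable new DMA devices when this computer is locked" (assumed path/value).
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $result['Block new DMA devices while locked'] = ($fve.DisableExternalDMAUnderLock -eq 1)

    # Kernel DMA Protection policy "Enumeration policy for external devices incompatible with
    # Kernel DMA Protection": 0 = block all, 1 = only after logon/unlock, 2 = allow all (assumed path).
    $kdp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection' `
                            -ErrorAction SilentlyContinue
    $result['Incompatible DMA devices restricted'] = ($kdp.DeviceEnumerationPolicy -in 0, 1)

    # Note: whether Kernel DMA Protection itself is active is shown by msinfo32
    # ("Kernel DMA Protection"); this function reports the prerequisites and policies around it.
    [pscustomobject]$result
}

Get-DmaMitigationPosture | Format-List
```

A false value for any row is a finding to raise with the platform or endpoint team, since most of these settings are expected to be on by default on current Windows 11 hardware.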

By taking all these precautions, you can help protect your company’s data and systems from DMA attacks and other cyber threats. It’s important to note that no single security solution can provide complete protection against DMA attacks. It’s generally recommended to use a combination of security measures to defend against these types of threats. It’s also important to keep in mind that DMA attacks are just one type of physical attack that organizations need to be aware of, and it’s important to have a comprehensive security plan in place to defend against a wide range of threats.
