Thu, Apr 6, 2023
You have probably wondered what would happen if your company laptop got lost or stolen. Would someone be able to extract sensitive data from your laptop even if the device is encrypted or locked?
There are several ways to compromise a laptop with physical access, and one of them is through a direct memory access (DMA) attack.
A DMA attack is a type of cyberattack that gives an attacker direct access to a computer’s memory. DMA attacks take advantage of a feature of modern computers that allows certain devices, such as external hard drives, graphics cards or network cards, to read and write the computer’s memory directly, without the participation of the processor. This is useful for improving performance, but it also creates a potential security vulnerability: a device trusted with bus mastering can read memory it was never meant to see.
One of the main ways that DMA attacks are carried out is through the use of hardware devices, such as Field Programmable Gate Arrays (FPGAs). These devices can be programmed to act as a “man-in-the-middle,” allowing the attacker to intercept and alter data as it is transferred between the device and the computer. These attacks are particularly dangerous because they bypass the usual security measures that are in place to protect a system’s data, such as password protection or encryption.
A successful DMA attack can allow criminals to conduct a wide range of malicious activities, including removing password requirements, extracting encryption keys, escalating privileges, installing backdoors into the system and stealing data.
DMA attacks can be performed through a variety of different types of connections such as Thunderbolt, USB 4.0, ExpressCard, PC Card or any other PCI/PCIe hardware interfaces. PCILeech is one example of a tool that can be used to carry out these attacks via an available PCIe slot.
During our engagements, we have seen that some of the DMA attack vectors are still valid, in particular when the threat actor has the possibility to open the case of the computer. Despite the fact that device manufacturers and operating system vendors are shipping laptops with enhanced security and hardening, many organizations still do not have adequate security measures in place to protect their company laptops from physical attacks, or rely on hardware that does not support all the security features of recent versions of operating systems like Windows 11.
While these attacks are relatively rare in real-world scenarios, they remain practicable.
By the end of 2021, Microsoft Mechanics shared a video where they showed how a locked computer with biometric authentication can be unlocked in a few minutes by performing a DMA attack over Thunderbolt.
During last year’s Black Hat USA, security researchers from Ledger discovered and presented various vulnerabilities in some Intel Wi-Fi chips, one of which allowed them to achieve code execution on a system by leveraging the DMA capability of wireless cards. Once reported, these types of vulnerabilities are usually quickly addressed by hardware vendors, and patches are released before details are made public. However, end users commonly do not update hardware components and drivers on a regular basis; thus, they remain vulnerable for long periods.
To defend against DMA attacks, there are several measures and security features at the hardware, firmware and system level that organizations should configure and use.
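Two of the system-level controls that limit what a DMA-capable peripheral can reach are an active IOMMU (which confines each device to its own address space) and Thunderbolt device authorization (which refuses to create a PCIe tunnel for an unapproved device). The script below is an added example, not part of the original post, that reads the Linux sysfs entries for both and reports their state. It assumes a Linux host; the optional root-prefix argument is an assumption added so the checks can also be run against a constructed test tree.

```shell
#!/bin/sh
# Added example (not from the original post): report the state of two
# DMA-related controls on a Linux host by reading sysfs.
# Every function takes an optional root prefix (default: "") so the same
# checks can be run against a fake sysfs tree; this prefix is an assumption
# of the example, not a kernel interface.

# Returns 0 when an IOMMU is active. The kernel only creates numbered group
# directories under /sys/kernel/iommu_groups when an IOMMU is in use.
iommu_active() {
    root="${1:-}"
    dir="$root/sys/kernel/iommu_groups"
    [ -d "$dir" ] && [ -n "$(ls -A "$dir" 2>/dev/null)" ]
}

# Prints the Thunderbolt security level of the first domain
# (none, user, secure, dponly, usbonly or nopcie), or "unknown" if the
# host exposes no Thunderbolt domain at all.
thunderbolt_security() {
    root="${1:-}"
    f="$root/sys/bus/thunderbolt/devices/domain0/security"
    if [ -f "$f" ]; then
        cat "$f"
    else
        echo "unknown"
    fi
}

# Prints one line per Thunderbolt device: "<device> authorized=<n>"
# where 0 = not authorized (no PCIe tunnel), 1 = authorized,
# 2 = authorized with a key challenge.
thunderbolt_devices() {
    root="${1:-}"
    for f in "$root"/sys/bus/thunderbolt/devices/*/authorized; do
        [ -f "$f" ] || continue          # glob did not match anything
        dev=$(basename "$(dirname "$f")")
        printf '%s authorized=%s\n' "$dev" "$(cat "$f")"
    done
}

# Human-readable summary; always returns 0 so it is safe under set -e.
dma_report() {
    root="${1:-}"
    if iommu_active "$root"; then
        echo "IOMMU: active (devices are confined to their IOMMU groups)"
    else
        echo "IOMMU: not active (a bus-mastering device can address all physical memory)"
    fi
    echo "Thunderbolt security level: $(thunderbolt_security "$root")"
    thunderbolt_devices "$root"
    return 0
}

# Run against the live system when executed directly; SYSFS_ROOT is an
# assumed environment variable used only by this example.
dma_report "${SYSFS_ROOT:-}"
```

An "IOMMU: not active" line combined with a Thunderbolt security level of "none" is the configuration this post warns about: any hot-plugged or internally connected PCIe device is given unrestricted access to memory. Only the first Thunderbolt domain is inspected; hosts with several controllers expose additional domainN directories.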
By taking all these precautions, you can help protect your company’s data and systems from DMA attacks and other cyber threats. No single security solution provides complete protection against DMA attacks, so a combination of measures is recommended. Keep in mind as well that DMA attacks are just one type of physical attack that organizations need to be aware of, and a comprehensive security plan is needed to defend against a wide range of threats.