Direct memory access (DMA) attack

A DMA (Direct Memory Access) attack is an attack in which cybercriminals read data from, and write data into, a device's memory directly through high-speed ports, without going through the operating system.

Typically, access to device memory is controlled by the operating system. For security reasons, the operating system prevents non-system applications from accessing certain memory locations. However, some components (such as sound and network cards) and devices (such as external hard drives) are able to access memory directly to speed up data transfer. This involves the use of a special interface such as FireWire, Thunderbolt, ExpressCard, PCI, or PCI Express. The main purpose of such an interface is to enable rapid transfers of large amounts of data without burdening the CPU. In doing so, these interfaces bypass the operating system's security restrictions, and that bypass is what DMA attacks exploit.

DMA attack types

Most DMA attack methods require physical access to the target device. They are divided into two subgroups:

  • Closed-chassis attacks are carried out by connecting to the target device through an available port.
  • Open-chassis attacks are carried out by opening the external case of the target device to gain access to the internal hardware.

To overcome the obstacles associated with physical access, cybercriminals can use social engineering to persuade someone with access to the target system to connect a malicious device to it.

DMA attack tools

To manipulate the memory of the target device, attackers can use off-the-shelf tools such as:

  • Inception – a tool for gaining direct memory access through the PCI bus and high-speed interfaces built upon it.
  • FinFisher – commercial spyware that includes a tool for gaining direct memory access through the FireWire port.

Countering DMA attacks

While the potential danger of DMA attacks is high, there are ways to minimize their chances of succeeding:

  • Restrict physical access to devices. Keeping unattended devices out of public areas, and critically important ones in locked premises with strictly regulated access, minimizes the risk of someone gaining unauthorized access to them.
  • Physically remove high-speed ports, or disable their drivers. These measures prevent a malicious device from being connected through the target port.
  • Deploy technologies that protect against DMA attacks. Leading hardware manufacturers are taking steps to provide protection against intrusions – including DMA attacks. In particular, many AMD and Intel chipsets now feature an input/output memory management unit (IOMMU), which restricts the regions of physical memory that a peripheral is allowed to access.
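The last two countermeasures can be verified on a running Linux system. The script below is an added example, not part of the original page or of any vendor tool: it reports whether the kernel has an IOMMU active (the presence of entries under /sys/kernel/iommu_groups) and which security level each Thunderbolt domain is set to (/sys/bus/thunderbolt/devices/domain*/security, where "none" means devices are granted PCIe access without authorization). Both sysfs locations are the standard kernel interfaces; the optional root-directory argument is an assumption added so the checks can be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example: audit the two hardware-level DMA-attack mitigations named
# above on a Linux host. All paths are the kernel's standard sysfs locations.
# The first argument to each function is an optional root prefix (assumed
# convention for this example) so the checks can be run against a test tree.

# iommu_active ROOT -> prints "yes" if the kernel exposes at least one IOMMU
# group (i.e. an IOMMU is enabled and translating device DMA), else "no".
iommu_active() {
  root="${1:-}"
  dir="$root/sys/kernel/iommu_groups"
  if [ -d "$dir" ] && [ -n "$(ls -A "$dir" 2>/dev/null)" ]; then
    echo yes
  else
    echo no
  fi
}

# thunderbolt_security ROOT -> prints the security level of every Thunderbolt
# domain, one per line (none, user, secure, dponly, usbonly), or "absent"
# when the host has no Thunderbolt domain at all.
thunderbolt_security() {
  root="${1:-}"
  found=0
  for f in "$root"/sys/bus/thunderbolt/devices/domain*/security; do
    [ -r "$f" ] || continue   # unmatched glob leaves the literal pattern
    found=1
    cat "$f"
  done
  [ "$found" -eq 1 ] || echo absent
}

# dma_report ROOT -> prints a one-line summary; returns 0 only when an IOMMU
# is active and no Thunderbolt domain is in "none" (unauthenticated) mode.
dma_report() {
  root="${1:-}"
  iommu=$(iommu_active "$root")
  tb=$(thunderbolt_security "$root")
  echo "iommu=$iommu thunderbolt=$(echo "$tb" | tr '\n' ',')"
  [ "$iommu" = yes ] || return 1
  for level in $tb; do
    [ "$level" = none ] && return 1
  done
  return 0
}

# Run against the live system only when invoked as: sh dma_check.sh --live
if [ "${1:-}" = "--live" ]; then
  dma_report ""
fi
```

A non-zero exit from dma_report is the signal a fleet-management job would act on: either the IOMMU is off (check that the firmware has VT-d/AMD-Vi enabled and that the kernel is booted with it on), or a Thunderbolt controller is handing out PCIe access to any device that is plugged in.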
