Codepath

DMA Attack

A DMA attack, short for "direct memory access" attack, is an attack in which an adversary reaches a computer's memory through ports that grant direct memory access to high-speed data-transfer devices.

Normally, memory access is strictly managed by the operating system. Certain devices, such as external hard drives and camcorders, use technology that allows very fast data transfer. The most common examples are Firewire, Thunderbolt, ExpressCard, and PCI. To achieve these very high data rates, the device communicates directly with the computer's memory, bypassing the operating system's memory management and all of its access controls.

Simply plugging in an infected device can allow an attacker to read and manipulate the current contents of memory: steal private encryption keys, run commands with escalated privileges, install malware, or add a backdoor for later use.


DMA Hacking Tools

Reading and writing server memory directly is highly technical and not a skill everyone possesses. However, there are tools that launch a DMA attack and handle the technical details of memory access for the attacker.

Inception allows anyone to perform a wide range of memory attacks against live computers.

FinFisher is spyware that uses DMA attacks as one form of delivery. The company that owns the software has become controversial because of its work helping repressive regimes spy on their citizens.


DMA Attack Preventions

All DMA attacks depend on the attacker having physical access to the computer, so tightly regulating access to server hardware is the best prevention. Users must also be educated about social engineering techniques: an attacker could use "baiting" to trick a user into accepting an infected Firewire hard drive as a prize from a bogus contest.

All DMA attacks also depend on a port that allows high-speed direct memory access. Physically removing these ports from the computer prevents external devices from being connected. In addition, the drivers for these device types should be disabled or removed; this still provides protection should another port type (such as PCMCIA) be used as an adapter for a high-speed port.

Lastly, many newer operating systems include DMA protections. Research the protections available for your platform, configure them securely, and keep the system upgraded.
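As an added example (not part of the Codepath page), the following hypothetical audit script checks the Linux-side versions of the mitigations just listed: whether the IOMMU (the kernel's DMA remapping) is actually active, what security level the Thunderbolt controller enforces, and whether the FireWire driver has been blacklisted. It goes beyond the text by naming the specific Linux /proc and /sys files involved; each check takes its input as a string or path so it can also be run against captured values.

```shell
#!/bin/sh
# Hypothetical DMA-hardening audit for Linux (added example, not a Codepath tool).
# Paths are the standard Linux /proc and sysfs locations.

# IOMMU state from the kernel command line: "on" (DMA remapping forced on),
# "passthrough" (iommu=pt gives kernel-owned devices identity maps, weaker),
# "off", or "unset" (the default then depends on kernel build and firmware).
iommu_cmdline_status() {
    case " $1 " in
        *" iommu=off "*|*" intel_iommu=off "*|*" amd_iommu=off "*) echo off; return ;;
    esac
    case " $1 " in
        *" intel_iommu=on "*|*" amd_iommu=on "*|*" iommu=force "*|*" amd_iommu=force "*)
            case " $1 " in *" iommu=pt "*) echo passthrough ;; *) echo on ;; esac ;;
        *) echo unset ;;
    esac
}

# Number of IOMMU groups the running kernel exposes; zero means no DMA
# remapping is active, whatever the command line asked for.
iommu_group_count() {
    n=0
    for g in "$1"/*; do [ -d "$g" ] && n=$((n + 1)); done
    echo "$n"
}

# Thunderbolt security level (/sys/bus/thunderbolt/devices/domainN/security).
# "none" tunnels PCIe for any plugged-in device, so it gets DMA without approval.
tb_security_rating() {
    case "$1" in
        none)           echo weak ;;
        user|secure)    echo ok ;;      # device must be authorised first
        dponly|usbonly) echo strong ;;  # no PCIe tunnelling at all
        *)              echo unknown ;;
    esac
}

# Is the FireWire OHCI driver blacklisted in the given modprobe config text?
firewire_blacklisted() {
    case "$1" in *"blacklist firewire_ohci"*|*"install firewire_ohci /bin/false"*) echo yes ;; *) echo no ;; esac
}

audit() {
    [ -r /proc/cmdline ] && echo "iommu cmdline: $(iommu_cmdline_status "$(cat /proc/cmdline)")"
    [ -d /sys/kernel/iommu_groups ] && echo "iommu groups: $(iommu_group_count /sys/kernel/iommu_groups)"
    for d in /sys/bus/thunderbolt/devices/domain*/security; do
        [ -r "$d" ] && echo "thunderbolt $d: $(tb_security_rating "$(cat "$d")")"
    done
    [ -d /etc/modprobe.d ] && echo "firewire blacklisted: $(firewire_blacklisted "$(cat /etc/modprobe.d/*.conf 2>/dev/null)")"
}
audit
```

A host where the IOMMU is "unset" with zero groups, Thunderbolt is "weak", and FireWire is not blacklisted has none of the software-side protections the section describes in place.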
