DMA Attack

A DMA attack (direct memory access attack) is an attack in which an adversary connects a malicious device to a port or bus that grants it direct memory access: the feature that lets high-speed peripherals read and write system RAM without going through the CPU.

Normally, every memory access is mediated by the CPU and its memory-management unit, which enforce the operating system's page protections. Certain peripherals, such as external hard drives and camcorders, attach over buses designed for very high transfer rates; the common examples are FireWire (IEEE 1394), Thunderbolt, ExpressCard, and PCI/PCI Express. To reach those rates the device transfers data directly to and from physical memory, and unless the platform has an IOMMU (Intel VT-d, AMD-Vi) configured to restrict what each device may touch, that transfer bypasses the operating system's memory management and every access control built on it.

Simply plugging in a malicious device can therefore let an attacker read and modify the live contents of memory. From there they can recover encryption keys (a mounted full-disk-encryption volume, for instance, must keep its key in RAM), patch running code to run commands with escalated privileges, install malware, or plant a backdoor for later use.
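To make the "recover encryption keys" step concrete, here is an added example, written for this page and not code from Inception, PCILeech or any other tool, of the search an attacker runs over a memory image once a DMA tool has dumped physical RAM. Software AES keeps its expanded key schedule in memory, and every round key is a deterministic function of the one before it, so a 176-byte run that obeys the AES-128 key expansion is a reliable signature even when the key bytes themselves look like noise. The memory image is constructed inline (random filler with the public FIPS-197 test key's schedule embedded at one offset); the offsets, seed and helper names are this example's own assumptions.

```python
"""Search a raw memory image for AES-128 key schedules.

Added example for this page (not code from Inception, PCILeech or any other
tool). Assumes physical RAM has already been dumped by a DMA tool and is
available as a bytes object; the sample image below is constructed inline.
"""
import random

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _gen_sbox() -> list:
    """Compute the AES S-box: multiplicative inverse in GF(2^8), then the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3 (a generator)
        q ^= (q << 1) & 0xFF                                    # q /= 3, so q == 1/p
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)      # q ^ rotl(q,1..4)
        sbox[p] = ((x ^ (x >> 8)) & 0xFF) ^ 0x63
        if p == 1:                                              # all 255 nonzero elements visited
            break
    sbox[0] = 0x63
    return sbox


SBOX = _gen_sbox()


def next_round_key(prev: bytes, rcon: int) -> bytes:
    """FIPS-197 key expansion, Nk=4: derive round key i+1 from round key i."""
    w = [prev[j:j + 4] for j in range(0, 16, 4)]
    t = bytes(SBOX[b] for b in w[3][1:] + w[3][:1])  # RotWord then SubWord
    t = bytes([t[0] ^ rcon]) + t[1:]                  # XOR the round constant
    out = []
    for j in range(4):
        t = bytes(a ^ b for a, b in zip(w[j], t))     # w[i] = w[i-4] ^ w[i-1]
        out.append(t)
    return b"".join(out)


def expand_key_128(key: bytes) -> bytes:
    """Return the full 176-byte key schedule (11 round keys) for a 16-byte key."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    schedule = [bytes(key)]
    for r in range(10):
        schedule.append(next_round_key(schedule[-1], RCON[r]))
    return b"".join(schedule)


def find_aes128_keys(image: bytes) -> list:
    """Return every offset in `image` at which a complete AES-128 key schedule starts."""
    hits = []
    for off in range(len(image) - 176 + 1):
        cand = image[off:off + 16]
        # Cheap pre-filter: derive only round key 1 and compare it before paying
        # for the full ten-round expansion at every single byte offset.
        if image[off + 16:off + 32] != next_round_key(cand, RCON[0]):
            continue
        if image[off:off + 176] == expand_key_128(cand):
            hits.append(off)
    return hits


# Public FIPS-197 Appendix A.1 test key; stands in for a victim's key.
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def build_sample_image(seed: int = 1234) -> bytes:
    """Constructed stand-in for a DMA dump: random filler, one live schedule at
    offset 1000, and the bare key (no schedule) at offset 3000 as a decoy."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(4096))
    buf[1000:1000 + 176] = expand_key_128(FIPS_KEY)
    buf[3000:3000 + 16] = FIPS_KEY
    return bytes(buf)


if __name__ == "__main__":
    img = build_sample_image()
    for off in find_aes128_keys(img):
        print(f"AES-128 key schedule at {off:#x}: key={img[off:off + 16].hex()}")
```

The bare copy of the key planted at offset 3000 is deliberately not reported: the scan keys on the expanded schedule rather than on raw key bytes, which is also why an implementation that scrubs or never stores its schedule will not show up this way, and why AES-192/256 need their own expansion routine. Against a real dump, expect additional hits from every live AES context, not only the disk-encryption key.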


DMA Hacking Tools

Reading and writing system memory over DMA is highly technical and not a skill everyone possesses. However, there are tools that launch a DMA attack for the attacker and handle the details of memory access for them.

Inception lets anyone perform a wide range of memory attacks against live computers over FireWire, Thunderbolt, ExpressCard, PC Card and PCI/PCIe. Inception is no longer under active development; its README now directs users to PCILeech, which is the actively maintained PCIe DMA attack toolkit today.

FinFisher (whose flagship spyware product was sold as FinSpy) used DMA attacks as one form of delivery. The company that owned the software became controversial because of its work helping repressive regimes spy on their citizens. After a criminal complaint over illegal surveillance-software exports and the seizure of company accounts by Munich prosecutors, FinFisher GmbH filed for insolvency and ceased operations in 2022.


DMA Attack Prevention

All DMA attacks depend on the attacker having physical access to the machine, so tightly controlling access to hardware is the best prevention. The classic target is an unattended computer that is merely locked or asleep, because its memory still holds keys and a logged-in session. Users must also be educated about social engineering: an attacker could use "baiting" to trick a user into plugging in a malicious FireWire drive that arrived as a prize from a bogus contest.

All DMA attacks also depend on a port that exposes the DMA-capable bus. Physically removing or disabling those ports (in firmware where the option exists, or by blocking them) prevents external devices from being connected. In addition, the drivers for these device classes should be disabled or removed, for example the FireWire OHCI and SBP-2 drivers, so that a FireWire adapter inserted through another slot type (such as ExpressCard or PCMCIA) finds no driver to bind to.

Lastly, newer operating systems include DMA protections built on the IOMMU: Windows 10 version 1803 and later offer Kernel DMA Protection on supported hardware, macOS uses the IOMMU to isolate Thunderbolt devices, and Linux exposes Thunderbolt security levels and, with the IOMMU enabled, isolates hot-plugged PCIe devices. Check which of these your platform supports, enable them, and upgrade hardware or operating systems that are too old to provide them.
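As an added example that covers both the driver-disabling advice and the operating-system protections above (code written for this page, not a tool from any project), the following Python audit checks a Linux host for the controls that matter against port-based DMA: whether the IOMMU is active, whether the FireWire driver stack is loaded, and what Thunderbolt security level each domain reports. It also emits the modprobe blacklist that keeps the FireWire drivers from binding to an adapter. The /proc and /sys paths are the kernel's real ones; the file name dma-blacklist.conf, the function names and the constructed inputs used in testing are this example's own assumptions. The checks are pure functions over file contents, so they can be exercised with constructed inputs on any platform.

```python
"""Audit a Linux host for the controls that blunt port-based DMA attacks.

Added example for this page, not a tool from any project. The /proc and /sys
paths are the kernel's own; the config file name, function names and the
constructed inputs are this example's assumptions.
"""
import re
from pathlib import Path

# Kernel modules of the FireWire (IEEE 1394 / SBP-2) stack. With these
# blacklisted, a FireWire adapter pushed into an ExpressCard or PCMCIA slot
# has no driver to bind to, which is the point of the "disable the drivers" advice.
FIREWIRE_MODULES = ("firewire_ohci", "firewire_core", "firewire_sbp2", "ohci1394", "sbp2")

# Assumed file name; drop the text into /etc/modprobe.d/ and rebuild the initramfs.
BLACKLIST_PATH = "/etc/modprobe.d/dma-blacklist.conf"


def modprobe_blacklist() -> str:
    """Return modprobe.d contents that both blacklist the FireWire modules and
    make an explicit `modprobe` of them fail (the `install ... /bin/false` idiom)."""
    lines = []
    for mod in FIREWIRE_MODULES:
        lines.append(f"blacklist {mod}")
        lines.append(f"install {mod} /bin/false")
    return "\n".join(lines) + "\n"


def assess(cmdline: str, iommu_groups: int, loaded_modules, tb_security: dict) -> list:
    """Evaluate the collected facts and return a list of findings (empty = clean).

    cmdline        -- contents of /proc/cmdline
    iommu_groups   -- number of entries under /sys/kernel/iommu_groups
    loaded_modules -- module names, i.e. the first column of /proc/modules
    tb_security    -- {domain name: level} read from
                      /sys/bus/thunderbolt/devices/domainN/security
    """
    findings = []
    args = cmdline.split()
    if iommu_groups == 0:
        # No IOMMU groups means no address translation for devices: any DMA
        # master can read or write every physical page.
        msg = "IOMMU inactive: devices can reach any physical address"
        if not re.search(r"\b(intel|amd)_iommu=on\b", cmdline):
            msg += " (enable VT-d/AMD-Vi in firmware and boot with intel_iommu=on or amd_iommu=on)"
        findings.append(msg)
    if "iommu=off" in args or re.search(r"\b(intel|amd)_iommu=off\b", cmdline):
        findings.append("IOMMU explicitly disabled on the kernel command line")
    present = sorted(set(loaded_modules) & set(FIREWIRE_MODULES))
    if present:
        findings.append("FireWire driver stack loaded: " + ", ".join(present))
    for domain, level in sorted(tb_security.items()):
        # "none" auto-connects any Thunderbolt device, PCIe tunnel included;
        # "user"/"secure" require authorization first; "dponly" (and the newer
        # USB-only / no-PCIe levels) never tunnel PCIe at all.
        if level == "none":
            findings.append(f"Thunderbolt {domain}: security level 'none' auto-connects PCIe devices")
    return findings


def collect() -> dict:
    """Read the live system (Linux only); returns keyword arguments for assess()."""
    cmdline = Path("/proc/cmdline").read_text() if Path("/proc/cmdline").exists() else ""
    groups_dir = Path("/sys/kernel/iommu_groups")
    groups = len(list(groups_dir.iterdir())) if groups_dir.is_dir() else 0
    modules = []
    if Path("/proc/modules").exists():
        modules = [line.split()[0] for line in Path("/proc/modules").read_text().splitlines()
                   if line.strip()]
    tb = {}
    tb_dir = Path("/sys/bus/thunderbolt/devices")
    if tb_dir.is_dir():
        for dom in tb_dir.glob("domain*"):
            sec = dom / "security"
            if sec.is_file():
                tb[dom.name] = sec.read_text().strip()
    return {"cmdline": cmdline, "iommu_groups": groups,
            "loaded_modules": modules, "tb_security": tb}


if __name__ == "__main__":
    for finding in assess(**collect()) or ["no DMA-related findings"]:
        print(finding)
    print(f"\nSuggested {BLACKLIST_PATH}:\n{modprobe_blacklist()}")
```

A clean report is a starting point, not a proof: the IOMMU only protects pages it is enforcing at the moment a device attaches, so firmware must enable VT-d/AMD-Vi before the kernel boots, and a Thunderbolt level of "user" is only as strong as whatever policy auto-authorizes devices on that host.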