Stop sneaky hackers from launching DMA attacks

Traveling to cyber spying hotbeds? Then beware of hackers compromising your system via DMA attacks

Direct Memory Access (DMA) is a controller feature that has been available at least since the original IBM PC. It can be used by hackers to compromise your otherwise very heavily protected computer. Fortunately, there are steps you can take to minimize DMA-based attacks.

Although DMA attacks have been possible for decades, they gained notoriety in 2009 when researchers discovered DMA could be used to compromise Microsoft's BitLocker Drive Encryption technology, according to a Princeton University paper. The white-hat researchers were able to recover the private keys in several popular encryption systems, including BitLocker, FileVault, dm-crypt, and TrueCrypt, using off-the-shelf components.

[ Also on InfoWorld: When in China, don't leave your laptop alone. | Reconsider security: Two former CIOs show you how to rethink your security strategy for today's world. Also available in PDF and e-book versions. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

While DMA attacks are relatively rare, they are easy to accomplish -- and can be prevented.

How DMA works
First, a little primer is in order. Computers with DMA controllers allow DMA-aware devices, operating systems, and programs to transfer data from the participating device directly into memory, bypassing the overworked CPU for the majority of the transfer. In a nutshell, DMA significantly increases the performance of your computer and its devices. DMA-aware devices include hard drive controller cards, video graphic cards, sound boards, network interface cards, and essentially any peripheral that has the need for speed.

In Windows, you can confirm the presence of a DMA controller by opening up Device Manager and looking for the Direct Memory Access Controller under System Devices. You may also see device drivers with names that include text along the lines of "1394 controllers (OHCI compliant)."

You can determine if DMA is turned on or off on your hard drive in Linux/Unix/BSD computers by running a command similar to hdparm -d /dev/hda, where hda is the name of your hard drive (or other device you are checking for DMA functionality). Even if you don't think you have a DMA-enabled device, if you have external DMA-enabling ports, such as FireWire, PCI, PCI Express, Thunderbolt, Expresscard, PCMCIA, or Cardbus, it's highly likely someone can connect a DMA-enabled device to your computer and read the contents of memory.

Plug and play
The problem with DMA is that it's essentially turned on on bootup, requires no authentication to read and write memory areas, and significantly impacts the performance of your computer if you disable it. But it's quite easy to abuse. Simply walk up to a computer with a DMA-enabled accessible port or device, insert your own cable (USB, FireWire, and so on) connected to another computer or laptop, and run widely available software to read and write the other computer's memory.

I was a bit dubious about the ease with which DMA attacks could be accomplished during the early days of Windows Vista and BitLocker. At the time, I even heard (now substantiated) rumors of executives who had their laptops' data stolen while they were visiting foreign countries and taking a shower in their hotel room. Then a white-hat hacker grabbed my BitLocker-protected PC and was able to read the contents of my memory in less than two minutes.

1 2 Page 1
Page 1 of 2
Subscribe today! Get the best in cybersecurity, delivered to your inbox.