For all users of Windows 10 and below: DMA attacks are on the rise.

Many people still use Windows 7, 8, and 8.1. However, with a plethora of updates from Microsoft asking users to make the switch to Windows 10, at least 50 percent of them have done so. Even so, research says users are still vulnerable to security risks. Here's why.

With the advent of Thunderbolt 3, Intel's new connectivity standard that combines Thunderbolt, USB, DisplayPort, and power, transferring information from one device to another has become easy. Unfortunately, this enhancement has also increased the attack surface of the above operating systems. Let's walk through how direct memory access (DMA) attacks have broadened that attack surface.

What are DMA attacks?

A DMA attack exploits a computer's ports to access sensitive data. When an external device plugs into a computer, it is automatically given direct memory access. All of the OS security policies are bypassed, allowing the connected device to read or write sensitive data directly, which presents an opportunity for a DMA attack.

What is Windows’ Kernel DMA Protection anyway?

Windows Defender Advanced Threat Protection offers a feature called Kernel DMA Protection that provides input-output memory management unit (IOMMU) protection for computers, allowing only legitimate devices included in a whitelist to connect to specific regions of the memory. The objective of this feature is to prevent DMA attacks via malicious devices, eliminate unauthorized file transfers, and prevent data leakage.

Drawbacks of Kernel DMA Protection

  • Kernel DMA Protection is available only on newly released hardware running Windows 10 version 1803 or later. This means that systems that run Windows 10 version 1803 but were released before Kernel DMA Protection was introduced will not support it.
  • Kernel DMA Protection requires Unified Extensible Firmware Interface (UEFI) firmware support. It also requires BIOS/platform firmware changes and cannot be backported to previously released devices, which is a challenge for existing users of Windows 10 version 1803 and below because they have to purchase new hardware.
  • The Hacker News has reported that the Thunderclap flaws have bypassed the IOMMU to re-enable DMA attacks. To top it off, Kernel DMA Protection does not protect against drive-by DMA attacks during boot, but only after the OS is loaded. Thus, if a malicious device is connected when the system is starting up, it could initiate a DMA attack.
  • You cannot switch from BIOS to UEFI in an existing system. Rather than upgrading to whole new hardware, you can simply use device control software that will provide your PCs with the complete protection required to eliminate DMA attacks.
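
To see where a given PC stands against the prerequisites in the list above, the following PowerShell audit is an added example, not part of the original article or of any vendor tooling. It assumes that version 1803 corresponds to OS build 17134 and that the msinfo32 report uses the English row label "Kernel DMA Protection"; the function name is hypothetical.

```powershell
# Added example: checks the Kernel DMA Protection prerequisites named above
# (Windows 10 version 1803 or later, UEFI firmware) and reads the current state.
function Test-KernelDmaReadiness {   # hypothetical helper name
    [CmdletBinding()]
    param()

    # Assumption: Windows 10 version 1803 corresponds to OS build 17134.
    $minBuild = 17134
    $info  = Get-ComputerInfo -Property OsName, OsBuildNumber, BiosFirmwareType
    $build = [int]$info.OsBuildNumber

    # msinfo32 lists the feature state under System Summary. Export the report
    # to a temporary text file and read that row back.
    $report = Join-Path $env:TEMP ("msinfo-{0}.txt" -f [guid]::NewGuid())
    $state  = 'Unknown'
    try {
        Start-Process -FilePath msinfo32.exe -ArgumentList '/report', "`"$report`"" -Wait
        # Assumption: English UI, where the row is labelled "Kernel DMA Protection".
        $row = Get-Content -Path $report |
            Where-Object { $_ -match '^\s*Kernel DMA Protection\s+(.+)$' } |
            Select-Object -First 1
        if ($row) { $state = ($row -replace '^\s*Kernel DMA Protection\s+', '').Trim() }
    }
    finally {
        Remove-Item -Path $report -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        OsName              = $info.OsName
        OsBuild             = $build
        BuildIs1803OrLater  = $build -ge $minBuild
        FirmwareType        = $info.BiosFirmwareType
        FirmwareIsUefi      = "$($info.BiosFirmwareType)" -eq 'Uefi'
        KernelDmaProtection = $state   # "Unknown" when the row is absent from the report
    }
}

Test-KernelDmaReadiness | Format-List
```

A machine that reports a legacy BIOS firmware type or a build below 17134 falls into the unsupported cases described in the list.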

How to prevent DMA attacks?

If your organization runs on Windows 10 version 1803 and you are concerned that your computers are on the verge of DMA exploitation, you can protect your organization’s computers by implementing data loss prevention software like Device Control Plus.

Device Control Plus offers a multitude of features that cover every aspect of data loss prevention (DLP) for physical endpoints. Device Control Plus' Zero Trust model prevents the entry of unauthorized and malicious devices into your network by utilizing trusted device lists. Unless a device is included in the list, it will not have the privilege to access your endpoints. Learn more about trusted device lists here. Download a free, 30-day trial of Device Control Plus and try out these features today!