Flaws in existing protection methods are leaving some laptops from companies like Dell, HP, and others open to DMA attacks, according to a report issued today by researchers from the enterprise security company Eclypsium.
Both manufacturers have addressed the specific issue on the laptop models identified by the researchers today, but the need for increased protection against these forms of attack remains.
What is DMA?
Direct Memory Access (DMA) is a feature that gives some computer components high-speed access to your RAM without having to communicate with the CPU and OS. This avoids taxing the CPU and OS with the data transfer and, as the name suggests, allows for direct communication between the component and system memory.
Many modern computers rely on this method for fast data transfer with graphics cards, network cards, multi-core processors, disk drives, sound cards, and more.
What is a DMA attack?
Given the access it offers, it is of little surprise that DMA makes for an excellent attack vector. It can allow attackers to bypass OS security measures and read and write data to memory and obtain kernel-level privileges. This allows for all manner of malicious activity, such as monitoring all activity on the computer, installing malware, or creating backdoors for later access, to name just a few options.
Typically these attacks require physical access to your laptop, either via a port (Thunderbolt most commonly) on the laptop or by actually opening up the laptop’s case.
What laptops are affected?
Two laptops were specifically tested by the researchers in this case: the Dell XPS 13 2-in-1 and the HP ProBook 640 G4. However, it is important to note that the researchers simply chose these as recent popular enterprise options, and other hardware is likely to be vulnerable.
In the case of the Dell XPS 13 7390 2-in-1, the team used a closed-chassis DMA attack (meaning they left the laptop intact) and were able to conduct a pre-boot DMA attack over the Thunderbolt port.
The HP ProBook 640 G4 was breached by removing the back of the laptop case and replacing the M.2 wireless card with a Xilinx SP605 FPGA development platform. Using this hardware allowed them to circumvent the HP Sure Start protection which would typically verify the BIOS security during the boot process.
What can you do?
For owners of the two laptops in question, there are fixes available from Dell and HP respectively in the form of BIOS updates (opens in new tab).
Looking beyond these two laptops, the best steps you can take are ensuring the physical security of your hardware and making sure your system is kept up-to-date. While both of these attacks require direct access to the laptop itself, it is possible to conduct a remote DMA attack via software or over a network.
On a larger scale, the industry is working to build greater protections against these kinds of attacks. Microsoft’s Secured-core PC initiative is one such example cited by the Eclypsium researchers. As the response to this report has shown, the existing protections like HP Sure Start, Intel Boot Guard, UEFI Secure Boot, and Microsoft’s Virtualization-Based Security must continue to evolve with the threats.