Don’t insert unfamiliar memory cards into your laptop: how SD Express resurrected DMA attacks

Positive Technologies experts reported that attackers can use SD Express memory cards to directly access system memory and hack the target device if they have physical access to it. This is possible thanks to the architectural features of new user devices that connect to the computer and have direct access to its memory through the DMA (Direct Memory Access) mechanism.

Image source: pexels.com

The SD Express standard, developed by the SD Association, combines the SD format with PCIe and NVMe protocols, allowing data transfer speeds of up to 985 MB/s for an SD memory card. To improve performance, which is necessary for working with large media files, PCIe Bus Mastering has been introduced into the standard, allowing SD cards to directly access system memory (DMA). Although this feature is designed to bypass processor bottlenecks to improve speed, it does not provide adequate protection against unauthorized memory access.

It has been determined that if an attacker has physical access to the target device, an attacker can use the DMA mechanism used in SD Express to increase data transfer rates to carry out sophisticated attacks on devices that support this standard. The company’s specialists showed how modified SD Express memory cards can bypass protection mechanisms such as the system IOMMU. This poses a serious threat to laptops, game consoles and other multimedia devices that support the SD Express standard.

Currently, support for the SD Express standard is mainly implemented in high-performance laptops in the premium segment. To attack such devices, attackers can use a specially modified device that looks like a memory card and is compatible with the target hardware interface to gain access to the PCIe bus. As a result, they can read and edit data in the device’s memory, inject malicious code, extract encryption keys and passwords, bypass operating system authentication, and disable security tools.

The company called the type of attacks through the DMA mechanism in SD Express DaMAgeCard. It is noted that in the coming years the standard will strengthen in the market, and its support will be implemented not only in premium laptops, but also in other consumer devices, including computers, video cameras, etc. In this case, DaMAgeCard attacks can become a convenient entry point for attackers, allowing them to attack devices without opening them.

Note that it is possible to protect against DaMAgeCard and similar DMA-based attacks. First, you need to avoid using unfamiliar SD cards. Second, the system can be configured to allow direct memory access only to trusted devices. Experts also recommend regularly checking connected devices, regularly updating firmware, implementing verification of SD Express cards using cryptographic signatures, and activating IOMMU on all PCIe-enabled devices.