DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory


Security researchers have identified a significant vulnerability dubbed “DaMAgeCard Attack” in the new SD Express card standard that could allow attackers to directly access system memory through Direct Memory Access (DMA) attacks.

The vulnerability stems from SD Express cards’ use of PCI Express (PCIe) technology to achieve faster data transfer speeds.

While this delivers impressive performance gains of up to 1000 MB/s compared to traditional SD cards’ 600 MB/s, it also introduces serious security risks by potentially allowing malicious SD cards to directly access system memory.

“The peripheral device industry has once again sacrificed security in the name of speed,” noted the researchers.

They successfully demonstrated proof-of-concept attacks using modified SD Express adapters to gain unauthorized memory access on multiple devices, including gaming laptops and handheld consoles.

The research team tested four different host devices that support SD Express.

  • An external card reader with JMicron controller
  • A ThinkPad notebook
  • An MSI gaming laptop with RTS5261 controller
  • The AYANEO Air Plus gaming console

Most concerning was that while some devices had Input/Output Memory Management Unit (IOMMU) protections enabled, others like the AYANEO console had no such safeguards, leaving them completely vulnerable to memory access attacks.


How Does the DaMAgeCard Attack Work?

The researchers created custom SD Express adapters with PCILeech capabilities to execute these “DaMAgeCard” attacks, demonstrating how relatively simple it is for attackers to exploit this vulnerability.

Their research shows that some systems have IOMMU (Input/Output Memory Management Unit) protection, but a number of devices either don’t have this security feature or have it set up incorrectly. Key vulnerabilities include:

  • SD Express cards can transition between SDIO and PCIe/NVMe modes, with the PCIe mode enabling direct memory access
  • The lack of encryption or credential checking during mode switching
  • Many devices, especially gaming handhelds like the AYANEO Air Plus, operate without IOMMU protection
  • Even with IOMMU enabled, known bypass methods exist through driver vulnerabilities and implementation flaws

The attack surface is expanding as SD Express adoption grows across various devices, from high-end gaming laptops to mid-range systems and embedded devices.

The DaMAgeCard vulnerability is particularly concerning because unlike previous DMA attack vectors (such as FireWire or Thunderbolt), SD card slots are widely available and accessible.

Additionally, the availability of open-source tools for memory analysis and encryption attacks makes this vulnerability more exploitable than historical DMA attack vectors.

Given that SD Express is set to be widely used in smartphones, cameras, gaming consoles, and other consumer gadgets, this is especially concerning.

While IOMMU protection can help mitigate these risks when properly implemented, the researchers noted that many devices either lack this protection or have it improperly configured.
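To check the two conditions named above on a Linux host (no IOMMU coverage, or an IOMMU left in pass-through), the following added example, which is not code from the researchers' report, walks sysfs and lists PCI functions whose DMA is not translated. The function names are hypothetical, and the script assumes the standard Linux sysfs layout (`/sys/class/iommu`, the per-device `iommu_group` link and the group's `type` file).

```python
#!/usr/bin/env python3
"""Added example: list PCI functions on a Linux host whose DMA is not IOMMU-translated."""
import os
import sys

def _read(path):
    """Return a sysfs attribute as a stripped string, or '' if it cannot be read."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return ""

def iommu_units(sysfs="/sys"):
    """IOMMU hardware units the kernel registered (empty list: none active)."""
    path = os.path.join(sysfs, "class", "iommu")
    return sorted(os.listdir(path)) if os.path.isdir(path) else []

def exposed_pci_devices(sysfs="/sys"):
    """Return [(bdf, pci_class, reason)] for functions without DMA translation."""
    base = os.path.join(sysfs, "bus", "pci", "devices")
    names = sorted(os.listdir(base)) if os.path.isdir(base) else []
    findings = []
    for bdf in names:
        dev = os.path.join(base, bdf)
        group = os.path.join(dev, "iommu_group")
        if not os.path.lexists(group):
            reason = "no-iommu-group"      # device is not behind any IOMMU
        elif _read(os.path.join(group, "type")) == "identity":
            reason = "identity-domain"     # pass-through: IOMMU present, no isolation
        else:
            continue                       # translated domain, or kernel lacks 'type'
        findings.append((bdf, _read(os.path.join(dev, "class")), reason))
    return findings

def audit(sysfs="/sys"):
    """Summarise IOMMU state; dma_isolated is True only if every function is covered."""
    units, exposed = iommu_units(sysfs), exposed_pci_devices(sysfs)
    return {"iommu_units": units, "exposed": exposed,
            "dma_isolated": bool(units) and not exposed}

if __name__ == "__main__":
    report = audit()
    print("IOMMU units:", ", ".join(report["iommu_units"]) or "none")
    for bdf, pci_class, reason in report["exposed"]:
        print(f"EXPOSED {bdf} class={pci_class} reason={reason}")
    sys.exit(0 if report["dma_isolated"] else 1)
```

A clean result only shows that translation is configured; it says nothing about the driver and implementation flaws the article lists as IOMMU bypasses.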

They warn that as SD Express adoption grows, this could become a significant attack vector unless manufacturers take steps to properly secure their implementations.

As one researcher noted, “History has taken us full circle,” referring to similar vulnerabilities found in earlier technologies like FireWire and Thunderbolt.

Researchers from Positive Labs published their findings in a detailed technical report to help raise awareness about these security implications as SD Express adoption continues to grow across consumer electronics markets.

Manufacturers are advised to carefully consider implementing proper security controls before widely deploying this technology.
