DMA attack in progress

An upcoming Windows 10 Insiders Build version will include a patch that will improve the protection against DMA attacks that could allow attackers to extract BitLocker encryption keys and other sensitive information from Windows 10 and 8.1 PCs.

DMA (Direct Memory Access) is an acronym used to describe hardware ports that allow external components to directly connect and access a computer's memory (RAM).
DMA attacks are a combo of software and hardware hacks that allow an intruder to obtain a computer's memory content via one of the computer's DMA ports.

Depending on the timing of his attack, the stolen memory data can contain sensitive information such as the BitLocker PIN, encryption keys, passwords, and others.

Researcher demoes DMA attack against protected PC

DMA attacks aren't new, and have existed since the 90s, and Microsoft introduced protections against such attack vectors with the release of Windows 8.1 and Windows 10.

Protection measures included certain group policies that would disable all DMA ports during startup, and would later freeze all DMA ports if the user locked his PC, but keep DMA ports open to data transfers if they were connected before the PC was locked.

According to Finish security expert Sami Laiho, the protection measures Microsoft introduced were inneffective and didn't cover all types of DMA ports.

This lead to situations where an attacker could extract data from DMA ports even if the computer's owner had enabled DMA port protections.

Laiho demoed one such attack via a FireWire port at the Microsoft Ignite conference last year. The attack's description and demo start at 44:55 in the video below:

Microsoft's DMA port protections were ineffective

Via email, Laiho has detailed some of Microsoft's problems with DMA ports and their protections:

"DMA-attacks were for years blocked with instructions from Microsoft," Laiho said. "They have been and are incorrect."

"In Windows 8.1 Microsoft said they had a feature that would not allow DMA-attacks if the computer was locked. This ended up being misinformation," Laiho noted.

"In Windows 10 Microsoft said this [DMA protection] feature was now in place and ON by default. This was misinformation as well as it is there but not ON by default, and [...] it doesn’t apply to all devices, only some." Laiho also added that "this [DMA protection feature] was configurable only for people who used Microsoft InTune MDM (very few)."

For the past few years, the researcher has been pestering the Microsoft security team to expand this protection. Last week, Microsoft finally admitted he was right.

"This [current] mitigation only protects PCI-based buses, for example, ExpressCard, Thunderbolt, & some docking stations (PCIe based). Older, non-PCI buses such as 1394 and CardBus are still vulnerable," Microsoft admitted.

Updated DMA attack protection coming in a few weeks

"They will provide a Group Policy setting in a few weeks to the Windows Insiders [Build] and later publicly," Laiho told Bleeping Computer. "This will still only protect against the more modern busses, so you need to use this and my instructions to make it a safe combo."

Visit Laiho's blog for updated instructions on how to properly shut down DMA ports running on old buses.