Security researchers have uncovered a critical vulnerability in the newly developed SD Express card standard, known as the “DaMAgeCard Attack,” which could potentially allow cyber attackers to gain unauthorized access to system memory through Direct Memory Access (DMA) attacks.
This vulnerability is attributed to the utilization of PCI Express (PCIe) technology in SD Express cards to achieve faster data transfer speeds, boosting performance up to 1000 MB/s compared to the 600 MB/s offered by traditional SD cards. However, this increased speed comes at the cost of heightened security risks, as it could enable malicious SD cards to directly access system memory.
According to the researchers, the trade-off between speed and security in the peripheral device industry is evident once again with this vulnerability. Demonstrating proof-of-concept attacks using modified SD Express adapters, the researchers were able to exploit this vulnerability and gain unauthorized memory access on various devices, including gaming laptops and handheld consoles.
The research team conducted tests on four different host devices that support SD Express, including an external card reader with a JMicron controller, a ThinkPad notebook, an MSI gaming laptop with an RTS5261 controller, and the AYANEO Air Plus gaming console. Of particular concern was the lack of Input/Output Memory Management Unit (IOMMU) protections on some devices, leaving them susceptible to memory access attacks.
Custom SD Express adapters with PCILeech capabilities were employed to execute the “DaMAgeCard” attacks, highlighting the simplicity with which attackers can exploit this vulnerability. Key vulnerabilities identified included the transition of SD Express cards between SDIO and PCIe/NVMe modes, the lack of encryption or credential checking during mode switching, and the absence of IOMMU protection on certain devices.
The expanding adoption of SD Express across a range of devices, from high-end gaming laptops to mid-range systems and embedded devices, increases the attack surface for potential exploitation of the DaMAgeCard vulnerability. Unlike previous DMA attack vectors, SD card slots are widely accessible, making this vulnerability more concerning.
Moreover, the availability of open-source tools for memory analysis and encryption attacks further enhances the exploitability of this vulnerability. Given the planned widespread use of SD Express in smartphones, cameras, gaming consoles, and other consumer electronics, addressing this security risk is crucial.
While IOMMU protection can help mitigate these risks, proper implementation is key. The researchers emphasize the importance for manufacturers to secure their implementations of SD Express to prevent these potential attacks. Without proper security controls in place, the DaMAgeCard vulnerability could pose a significant threat as SD Express adoption continues to grow.
The researchers from Positive Labs have published a detailed technical report on their findings, aiming to raise awareness about the security implications of this vulnerability. They urge manufacturers to implement adequate security measures before deploying SD Express technology on a large scale.
As history repeats itself with vulnerabilities reminiscent of past technologies like FireWire and Thunderbolt, it is essential for manufacturers and cybersecurity experts to address these issues to protect consumer data and safeguard against potential cyber threats.