Most hardening effort goes into closing vulnerabilities that can be reached remotely. Attacks that require physical access are just as real, however, and need to be designed for as well.
One such example is a direct memory access (DMA) attack, in which an attacker plugs a malicious device into a computer and reads highly confidential information straight out of memory: passwords, banking information, browsing records and much more.
This works because DMA-capable peripherals (PCIe devices and, through it, Thunderbolt devices) are allowed to address system memory directly. Unless an IOMMU is active and configured to restrict them, such a device sees the whole of physical memory, including kernel data, and can read and write regions that no peripheral should be able to touch under normal circumstances.
The attack is also fast. DMA exists precisely so that legitimate devices can move data without involving the CPU, so neither the operating system nor the CPU is in the path when a malicious device reads or writes system memory; the attacker simply abuses a capability that was reserved for legitimate hardware.
Against this background, the security firm Eclypsium recently found that enterprise-grade laptops still remain vulnerable to such attacks, despite many past incidents. They selected HP and Dell laptops and tested whether the built-in DMA attack protections would hold. The results were not reassuring: two distinct vulnerabilities were found.
The first affected Dell's XPS 13 7390 2-in-1 convertible laptop, released in October last year, which was found vulnerable to pre-boot DMA attacks. Eclypsium explains:
“We were able to perform DMA code injection directly over Thunderbolt during the boot process.” Elaborating further: “This issue in the firmware settings of the device was due to an insecure default BIOS configuration in the XPS 13 7390, which was set to ‘Enable Thunderbolt (and PCIe behind TBT) pre-boot modules.’”
Dell has since patched this with a Dell Client BIOS release in which the “Enable Thunderbolt” pre-boot option is turned off by default. Dell has also published a security advisory telling users to update their BIOS, and states that only this one model is affected.
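The defence against the mechanism described above is an IOMMU that limits what each peripheral can address, switched on by firmware before the operating system boots (the pre-boot window the Dell finding concerns) and kept on by the OS afterwards. The script below is an added example, not code from Eclypsium, Dell or HP: it audits a Linux host by reading the kernel's documented sysfs and proc nodes (/proc/cmdline, /sys/kernel/iommu_groups, and the Thunderbolt attributes domainN/security, domainN/iommu_dma_protection and <device>/authorized) and reports what a plug-in attacker would find. The two snapshots it ships with are constructed, not captured from the laptops in the article, and the severity labels are the example's own.

```python
#!/usr/bin/env python3
"""Audit a Linux host's defences against Thunderbolt/PCIe DMA attacks.

Added example; not code from Eclypsium, Dell or HP. Everything it reads is
documented kernel state: /proc/cmdline, /sys/kernel/iommu_groups and the
Thunderbolt attributes from Documentation/admin-guide/thunderbolt.rst
(domainN/security, domainN/iommu_dma_protection, <device>/authorized).
snapshot() gathers that state and audit() judges it, so audit() can also be
fed a hand-built snapshot such as the constructed ones below.
"""
from pathlib import Path

SEVERITY = {"HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFO": 0}


def _read(path: Path, default: str) -> str:
    try:
        return path.read_text().strip()
    except OSError:
        return default


def snapshot(root: str = "/") -> dict:
    """Collect the relevant sysfs/proc state into a plain dict."""
    r = Path(root)
    groups = r / "sys/kernel/iommu_groups"
    snap = {
        "cmdline": _read(r / "proc/cmdline", ""),
        # One subdirectory per IOMMU group exists only when an IOMMU driver is active.
        "iommu_groups": sorted(p.name for p in groups.iterdir()) if groups.is_dir() else [],
        "tb_domains": {},
        "tb_devices": {},
    }
    tb = r / "sys/bus/thunderbolt/devices"
    for d in (tb.iterdir() if tb.is_dir() else []):
        if (d / "security").exists():          # a host controller (domain)
            snap["tb_domains"][d.name] = {
                "security": _read(d / "security", "unknown"),
                "iommu_dma_protection": _read(d / "iommu_dma_protection", "0"),
            }
        elif (d / "authorized").exists():      # a connected device
            snap["tb_devices"][d.name] = {
                "device_name": _read(d / "device_name", "?"),
                "authorized": _read(d / "authorized", "0"),
            }
    return snap


def audit(snap: dict) -> list:
    """Return (severity, message) findings; an empty list means no weakness found."""
    findings = []
    if not snap["iommu_groups"]:
        findings.append(("HIGH", "IOMMU inactive: any DMA-capable device can read/write all of "
                         "physical memory (enable VT-d/AMD-Vi in the BIOS and check the "
                         "intel_iommu=/amd_iommu= kernel parameters)"))
    elif "iommu=pt" in snap["cmdline"].split():
        findings.append(("LOW", "iommu=pt: internally attached devices are identity-mapped rather "
                         "than translated, so a rogue card in an internal slot still reaches all memory"))
    for name, dom in sorted(snap["tb_domains"].items()):
        if dom["security"] == "none":
            findings.append(("HIGH", f"{name}: Thunderbolt security level 'none' auto-authorises "
                             "every hot-plugged PCIe device"))
        if dom["iommu_dma_protection"] != "1":
            findings.append(("MEDIUM", f"{name}: firmware does not advertise Kernel DMA Protection, "
                             "so devices present at boot have unconstrained DMA until the OS "
                             "programs the IOMMU"))
    for name, dev in sorted(snap["tb_devices"].items()):
        if dev["authorized"] != "0":
            findings.append(("INFO", f"{name} ({dev['device_name']}) is authorised for PCIe "
                             f"tunnelling (authorized={dev['authorized']})"))
    return findings


def worst(findings: list) -> str:
    """Highest severity present, or 'OK' for a clean host."""
    return max((s for s, _ in findings), key=SEVERITY.get, default="OK")


# Constructed snapshots (not captured from real hardware) so the demo runs offline.
UNPROTECTED = {
    "cmdline": "BOOT_IMAGE=/vmlinuz root=/dev/nvme0n1p2 quiet",
    "iommu_groups": [],
    "tb_domains": {"domain0": {"security": "none", "iommu_dma_protection": "0"}},
    "tb_devices": {"0-1": {"device_name": "Thunderbolt Dock", "authorized": "1"}},
}
HARDENED = {
    "cmdline": "BOOT_IMAGE=/vmlinuz root=/dev/nvme0n1p2 intel_iommu=on quiet",
    "iommu_groups": ["0", "1", "2", "3"],
    "tb_domains": {"domain0": {"security": "user", "iommu_dma_protection": "1"}},
    "tb_devices": {},
}

if __name__ == "__main__":
    import sys
    # Pass a root such as "/" to audit the running host (root needed for some nodes).
    snap = snapshot(sys.argv[1]) if len(sys.argv) > 1 else UNPROTECTED
    for sev, msg in audit(snap):
        print(f"[{sev}] {msg}")
    print("overall:", worst(audit(snap)))
```

Run it with `/` as the argument on a real machine; without an argument it audits the constructed UNPROTECTED snapshot. Note that a BIOS option like Dell's pre-boot Thunderbolt module switch is not visible from the OS; the closest observable evidence is the iommu_dma_protection flag, which the firmware sets only when it has enabled the IOMMU before handing over to the OS.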
The second vulnerability was in HP's ProBook 640 G4, and exploiting it required physically opening the laptop's case (its chassis).
Once inside, the researchers replaced the M.2 wireless card with a “Xilinx SP605 FPGA development platform”, a DMA-capable board that let them modify the system's RAM and achieve arbitrary code execution (ACE), completing the attack.
This is also why HP Sure Start could not prevent it: Sure Start is designed “to verify the integrity of the BIOS before the CPU executes its first line of code”. The attack never modifies the BIOS image; it writes directly into RAM through a device fitted inside the machine, so a check of the BIOS image does not see it, and the protection is scoped to closed-chassis attacks. HP released an update on 20 January in response.
With these tested examples in mind, it is worth remembering that other models from HP and Dell, and from other manufacturers, may also be vulnerable, some through pre-boot weaknesses and some through other routes, such as remote DMA attacks.
Yes, DMA attacks are possible remotely too, for instance by first compromising the firmware of a DMA-capable device already installed in the machine, so it is important that vendors step up penetration testing of their existing protection mechanisms. Microsoft launched its Secured-core PC initiative in October 2019; let's hope other companies follow suit.