SD Express Card Flaw Exposes Laptops and Consoles to Memory Attacks
A recent report by Positive Technologies has unveiled a significant vulnerability known as DaMAgeCard, which allows attackers to exploit SD Express memory cards for unauthorized access to system memory. This flaw takes advantage of the Direct Memory Access (DMA) feature that was introduced with SD Express to enhance data transfer speeds, but it simultaneously opens the door to sophisticated attacks targeting devices that support this standard.
Understanding DaMAgeCard
The vulnerability was discovered during routine investigations into SD Express by a team of embedded systems researchers at Positive Technologies. Since its introduction in 2018, the SD Express standard has been increasingly adopted for its PCIe-based data transfer capabilities, achieving speeds up to 985 MB/s. However, the researchers identified critical security gaps in how the industry has implemented DMA functionalities.
Through custom hardware modifications, they demonstrated successful memory access on various systems, including an MSI gaming laptop and the AYANEO Air Plus handheld console. Their findings revealed a lack of sufficient safeguards in devices transitioning between the legacy SD protocol (SDIO) and PCIe modes.
Technical Insights
SD Express combines traditional SD technology with the PCIe and NVMe protocols, enabling the faster data handling needed for large media files. PCIe Bus Mastering lets an SD card access system memory directly, which is intended to alleviate CPU bottlenecks. Unfortunately, this implementation fails to adequately restrict unauthorized memory access, particularly when using components like the Realtek RTS5261 host controller.
Impacted Systems and Risks
While the adoption of SD Express is still limited, it is growing among high-end laptops, gaming consoles, and various media devices. The following systems are potentially at risk:
- Gaming Consoles: Devices like the AYANEO Air Plus lack IOMMU protection, allowing unfiltered memory access.
- Laptops: Even high-end models with IOMMU capabilities may be manipulated to permit unauthorized DMA access through modified SD Express cards.
- PCIe-based External Readers: These devices could also be exploited.
- Photography Equipment and Video Cameras: Any embedded systems that require high-speed data handling are vulnerable.
Recommended Safeguards
To protect against DaMAgeCard and similar DMA-based attacks, Positive Technologies recommends several measures:
- Activate IOMMU on all PCIe-capable devices.
- Restrict Direct Memory Access to trusted devices only.
- Apply Firmware Updates that enforce secure transitions between SDIO and PCIe modes or verify SD Express cards through cryptographic signatures before granting DMA privileges.
- Disable Hotplugging if not necessary to prevent unauthorized device connections.
- Avoid Using Unfamiliar SD Cards or external readers with sensitive systems.
- Regularly Inspect Devices for signs of tampering, especially in shared environments.
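To check the first two safeguards on a Linux host, the following added example (not from the report or from Positive Technologies) walks sysfs and reports PCI devices that have no IOMMU group, plus kernel parameters that switch DMA isolation off or into passthrough. It assumes the standard Linux sysfs layout and `/proc/cmdline`; the function names are chosen for this illustration.

```python
#!/usr/bin/env python3
"""Audit Linux sysfs for PCI devices that can DMA without IOMMU translation."""
import os

# Kernel parameters that disable the IOMMU or put host devices in passthrough.
WEAK_PARAMS = {"iommu=off", "iommu=pt", "iommu.passthrough=1",
               "intel_iommu=off", "amd_iommu=off"}

def read(path, default=""):
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return default

def audit(sys_root="/sys", cmdline_path="/proc/cmdline"):
    groups_dir = os.path.join(sys_root, "kernel", "iommu_groups")
    groups = os.listdir(groups_dir) if os.path.isdir(groups_dir) else []
    weak = sorted(WEAK_PARAMS & set(read(cmdline_path).split()))
    dev_dir = os.path.join(sys_root, "bus", "pci", "devices")
    names = sorted(os.listdir(dev_dir)) if os.path.isdir(dev_dir) else []
    devices = []
    for bdf in names:
        base = os.path.join(dev_dir, bdf)
        pci_class = read(os.path.join(base, "class"), "0x000000")
        devices.append({
            "bdf": bdf,
            "class": pci_class,
            # 0x0108xx is the non-volatile memory controller class (NVMe is
            # 0x010802), which is how a card in PCIe/NVMe mode enumerates.
            "nvme": pci_class.lower().startswith("0x0108"),
            # The iommu_group link exists only when the kernel has placed
            # this device behind IOMMU translation.
            "isolated": os.path.lexists(os.path.join(base, "iommu_group")),
        })
    return {"iommu_active": bool(groups), "weak_params": weak, "devices": devices}

def findings(report):
    out = []
    if not report["iommu_active"]:
        out.append("no IOMMU groups: bus-mastering devices have unfiltered DMA")
    out += [f"kernel parameter weakens DMA isolation: {p}" for p in report["weak_params"]]
    out += [f"{d['bdf']} (class {d['class']}) has no IOMMU group"
            for d in report["devices"] if not d["isolated"]]
    return out

if __name__ == "__main__":
    for line in findings(audit()) or ["all PCI devices are in an IOMMU group"]:
        print(line)
```

An empty result only shows that the IOMMU is enabled and covers every enumerated device; it does not show that the mapping policy for a hot-plugged card is restrictive.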
The DaMAgeCard vulnerability highlights the ongoing challenge of balancing performance with security in modern peripheral standards like SD Express. As adoption increases, it is crucial for device manufacturers to prioritize robust protections against DMA-based threats. Until comprehensive security measures are implemented, users must remain vigilant by updating their systems and limiting exposure to unverified devices.
Citations: [1] https://cyberinsider.com/sd-express-card-flaw-exposes-laptops-and-consoles-to-memory-attacks/