DaMAgeCard Attack

Security researchers have identified a significant vulnerability dubbed “DaMAgeCard Attack” in the new SD Express card standard that could allow attackers to directly access system memory through Direct Memory Access (DMA) attacks.

The vulnerability stems from SD Express cards’ use of PCI Express (PCIe) technology to achieve faster data transfer speeds.

While this delivers impressive performance gains of up to 1000 MB/s compared to traditional SD cards’ 600 MB/s, it also introduces serious security risks by potentially allowing malicious SD cards to directly access system memory.

“The peripheral device industry has once again sacrificed security in the name of speed,” noted the researchers.

They successfully demonstrated proof-of-concept attacks using modified SD Express adapters to gain unauthorized memory access on multiple devices, including gaming laptops and handheld consoles.

The research team tested four different host devices that support SD Express.

  • An external card reader with JMicron controller
  • A ThinkPad notebook
  • An MSI gaming laptop with RTS5261 controller
  • The AYANEO Air Plus gaming console

Most concerning was that while some devices had Input/Output Memory Management Unit (IOMMU) protections enabled, others like the AYANEO console had no such safeguards, leaving them completely vulnerable to memory access attacks.

How does DaMAgeCard Attack Work?

The researchers created custom SD Express adapters with PCILeech capabilities to execute these “DaMAgeCard” attacks, demonstrating how relatively simple it is for attackers to exploit this vulnerability.

Their research shows that while some systems have IOMMU (Input/Output Memory Management Unit) protection, many devices either lack this security feature or have it configured incorrectly. Key vulnerabilities include:

  • SD Express cards can transition between SDIO and PCIe/NVMe modes, with the PCIe mode enabling direct memory access
  • The lack of encryption or credential checking during mode switching
  • Many devices, especially gaming handhelds like the AYANEO Air Plus, operate without IOMMU protection
  • Even with IOMMU enabled, known bypass techniques exist through driver vulnerabilities and implementation flaws

The attack surface is expanding as SD Express adoption grows across various devices, from high-end gaming laptops to mid-range systems and embedded devices.

The DaMAgeCard vulnerability is particularly concerning because, unlike previous DMA attack vectors (such as FireWire or Thunderbolt), SD card slots are widely available and accessible.

Additionally, the availability of open-source tools for memory analysis and encryption attacks makes this vulnerability more exploitable than historical DMA attack vectors.

Given that SD Express is set to be widely used in smartphones, cameras, gaming consoles, and other consumer gadgets, this is especially concerning.

While IOMMU protection can help mitigate these risks when properly implemented, the researchers noted that many devices either lack this protection or have it improperly configured.
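A defender can check whether a Linux host actually confines PCIe DMA, as an added example that is not from the researchers' report. It assumes the standard Linux sysfs layout (`bus/pci/devices/*/iommu_group` and `kernel/iommu_groups/*/type`), goes slightly beyond the text by also flagging passthrough ("identity") domains, and runs against a constructed sample tree so it works offline.

```python
import os
import tempfile

def audit_iommu(sysfs="/sys"):
    """Return {pci_bdf: status} describing IOMMU coverage per PCI device.

    status is "no-iommu-group" (DMA is not translated at all), "identity"
    (passthrough domain, DMA is not restricted), "unknown" (group exists but
    the kernel exposes no type file), or the translated domain type the
    kernel reports (e.g. "DMA", "DMA-FQ").
    """
    report = {}
    pci_dir = os.path.join(sysfs, "bus", "pci", "devices")
    if not os.path.isdir(pci_dir):
        return report
    for bdf in sorted(os.listdir(pci_dir)):
        link = os.path.join(pci_dir, bdf, "iommu_group")
        if not os.path.islink(link):
            report[bdf] = "no-iommu-group"
            continue
        group = os.path.basename(os.readlink(link))
        type_file = os.path.join(sysfs, "kernel", "iommu_groups", group, "type")
        try:
            with open(type_file) as fh:
                report[bdf] = fh.read().strip()
        except OSError:
            report[bdf] = "unknown"
    return report

def unprotected(report):
    """Devices whose DMA is not confined by a translating IOMMU domain."""
    return sorted(b for b, s in report.items() if s in ("no-iommu-group", "identity"))

def build_sample_sysfs(root):
    """Constructed sample tree (not from a real machine) for offline runs."""
    layout = {"0000:00:1f.0": ("3", "DMA-FQ"),    # translated domain
              "0000:02:00.0": ("7", "identity"),  # passthrough domain
              "0000:03:00.0": None}               # no IOMMU group at all
    for bdf, grp in layout.items():
        dev = os.path.join(root, "bus", "pci", "devices", bdf)
        os.makedirs(dev)
        if grp:
            gdir = os.path.join(root, "kernel", "iommu_groups", grp[0])
            os.makedirs(gdir)
            with open(os.path.join(gdir, "type"), "w") as fh:
                fh.write(grp[1] + "\n")
            os.symlink(gdir, os.path.join(dev, "iommu_group"))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        rep = audit_iommu(build_sample_sysfs(tmp))
        print(rep, "unprotected:", unprotected(rep))
```

On a real host, call `audit_iommu()` with its default root; any SD Express reader or NVMe endpoint listed by `unprotected()` sits outside IOMMU translation.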

They warn that as SD Express adoption grows, this could become a significant attack vector unless manufacturers take steps to properly secure their implementations.

As one researcher noted, “History has taken us full circle,” referring to similar vulnerabilities found in previous technologies like FireWire and Thunderbolt.

Researchers from Positive Labs published their findings in a detailed technical report to help raise awareness of these security implications as SD Express adoption continues to grow across consumer electronics markets.

Manufacturers are advised to carefully consider implementing proper security controls before widely deploying this technology.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.