Break things, write reports

DMA attacks with the PCIeScreamer

DMA attacks - more practical than you think, so much so that the average pentester could do it

Tags: DMA attacks, pentesting, hardware. Categories: Hardware, incident-response, backdoors.
Posted at — Aug 12, 2019

Tl;dr

Go buy a PCIeScreamer and get easy local privesc, and with the lack of LAPS/decent auth in lots of environments, you too can break the ‘Enterprise Network(TM)’.

Less tl;dr

Thanks to the hard work of guys like Joe FitzPatrick and Ulf Frisk, DMA attacks against most general-purpose computers are now a thing even pentesters can do.

I’ve been able to use the device successfully in a few engagements and it’s worked out pretty well, to the point where if you’re not considering it as part of your threat model (i.e. someone with a couple hundred bucks and physical access to a probably lost-but-not-yet-reported laptop), you’re probably doing security wrong.

At time of writing, the PCIeScreamer works out to be about $500 Australian Dollary-doos, and will probably get you easy domain admin in most places, thanks to poor admin practices.

I’m obviously not the first guy to realise this, as Synacktiv posted results on this back in 2018.