PicoDMA: DMA Attacks at Your Fingertips

Conference: Black Hat USA 2019



The presentation covers PicoDMA, a hardware implant built on the PicoEVB FPGA board that performs DMA attacks against machines with no network connection and pulls sensitive material such as credentials out of their memory.
  • The PicoEVB is a small, affordable FPGA board suited to DMA security research, and it can be repurposed as an attack implant
  • PicoDMA, together with the presenters' software, can compromise an air-gapped machine and extract sensitive credentials over DMA
  • Development of the implant ran into challenges that the presenters overcame
  • Live demos showed the implant compromising an air-gapped machine and extracting credentials from it


Direct Memory Access (DMA) attacks are typically performed in real time by an attacker who gains physical access to a high-speed expansion port on a target device. They can be used to recover full disk encryption keys and other sensitive data from memory, bypass authentication, or modify process memory to plant a backdoor. To conduct the attack, the attacker connects a hardware device to the victim's Thunderbolt or ExpressCard port and reads physical memory pages from the target. The defence is to put such ports behind an IOMMU, and part of the Thunderclap research cited below examines how incompletely operating systems do that. Recent research has demonstrated the practicality and scope of these attacks to a general audience. Notable work includes Ulf Frisk's PCILeech framework, Trammell Hudson's Apple EFI firmware research ('Thunderstrike' I/II), the SLOTSCREAMER hardware implant by Joe Fitz, and most recently the release of the 'Thunderclap' tool and related academic research.

Continuing in this vein, this talk will present PicoDMA: a stamp-sized DMA attack platform that leverages the tiny (22 x 30 x 3.8 mm), affordable (~$220 USD) PicoEVB FPGA board from RHS Research, LLC. The PicoEVB is no larger than a laptop's network card but well provisioned: this M.2 2230 form-factor board carries a Xilinx Artix-7 FPGA and supports expansion through digital and analog I/O connectors. On its own, the PicoEVB combined with our software makes DMA security research available at a lower price point. For real-world DMA attacks, its small size makes the PicoEVB easy to embed in space-constrained platforms such as laptops and routers. We support out-of-band management and payload delivery over radio modules including 802.11, cellular, and LoRa; adding wireless capabilities to the platform enables interesting variations on a number of existing attacks, which will be discussed.

Our talk will include live demos and a public software release. Attendees will gain an enriched perspective on the risks posed by hardware implants and DMA attacks.
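The abstract says a DMA device reads physical memory pages from the target and can recover full disk encryption keys from them. The following is an added example, not code from the PicoDMA talk or its software release, of the key-recovery step once pages have been read: an AES key in use is held in RAM as its expanded round-key schedule, and every word of that schedule is derived from earlier ones (FIPS-197 key expansion), so a scanner can recognise a schedule in a memory capture without knowing the key. The memory "dump", the 4 KiB page size, the planted offsets and keys, and all function names below are this example's own assumptions, constructed for the demo.

```python
"""Scan a physical-memory capture for AES round-key schedules.

Added example (not from the PicoDMA talk or its software): once a DMA device
can read pages of RAM, recovering a full-disk-encryption key is a search
problem.  A key in use is held as its expanded schedule, and every word of
the schedule is derived from earlier ones (FIPS-197 key expansion), so the
structure can be recognised without knowing the key.  The "dump" below is
constructed for the demo.
"""
import random

PAGE = 4096                                   # assumed page size for the demo
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox():
    """Generate the AES S-box: multiplicative inverse in GF(2^8), then affine map."""
    sbox = [0] * 256
    p = q = 1                                 # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= (q << 1) & 0xFF                                    # q /= 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                            # 0 has no inverse
    return sbox


SBOX = _build_sbox()


def expand_key(key):
    """FIPS-197 key expansion for a 16, 24 or 32-byte key; returns the schedule bytes."""
    nk = len(key) // 4
    words = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nk + 7)):         # Nr + 1 = Nk + 7 round keys of 4 words
        t = list(words[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= RCON[i // nk - 1]
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]               # AES-256 extra SubWord
        words.append([a ^ b for a, b in zip(words[i - nk], t)])
    return bytes(b for w in words for b in w)


def _first_derived_word(key):
    """Word Nk of the schedule: the cheapest check that a key candidate is real."""
    t = list(key[-4:])
    t = [SBOX[b] for b in t[1:] + t[:1]]
    t[0] ^= RCON[0]
    return bytes(a ^ b for a, b in zip(key[:4], t))


def scan_for_aes_keys(dump, key_sizes=(16, 24, 32)):
    """Return sorted [(offset, key)] for every AES key schedule found in `dump`.

    Per offset only the first derived word is computed; a chance match is a
    2^-32 event, after which the full schedule is expanded and compared.
    """
    found = []
    for ks in key_sizes:
        sched_len = 16 * (ks // 4 + 7)
        for off in range(len(dump) - sched_len + 1):
            key = dump[off:off + ks]
            if dump[off + ks:off + ks + 4] != _first_derived_word(key):
                continue
            if dump[off:off + sched_len] == expand_key(key):
                found.append((off, bytes(key)))
    return sorted(found)


def build_sample_dump(pages=8, seed=7):
    """Constructed stand-in for DMA-read RAM: random filler with two schedules planted.

    The AES-128 schedule deliberately straddles a page boundary.
    """
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(pages * PAGE))
    planted = [(3 * PAGE - 0x40, bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")),  # FIPS-197 key
               (5 * PAGE + 0x100, bytes(range(0x60, 0x80)))]
    for off, key in planted:
        sched = expand_key(key)
        buf[off:off + len(sched)] = sched
    return bytes(buf), planted


if __name__ == "__main__":
    dump, planted = build_sample_dump()
    for off, key in scan_for_aes_keys(dump):
        print(f"page {off // PAGE} +0x{off % PAGE:03x}: AES-{8 * len(key)} key {key.hex()}")
```

The scan works on a capture taken with any DMA tool; what makes it succeed against an unlocked machine is simply that the disk-encryption layer keeps the expanded key in RAM. Because a schedule can straddle a page boundary (the AES-128 one above is planted that way), scan a contiguous buffer of pages rather than each page on its own.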