The legitimate uses of such devices have led to wide adoption of DMA accessories and connections, but an attacker can equally use the same facility to create an accessory that will connect using the same port, and can then potentially gain direct access to part or all of the physical memory address space of the computer, bypassing all OS security mechanisms and any lock screen, to read all that the computer is doing, steal data or cryptographic keys, install or run spyware and other exploits, or modify the system to allow backdoors or other malware.
On many computers, the connections implementing DMA can also be disabled within the BIOS or UEFI if unused, which depending on the device can nullify or reduce the potential for this type of exploit.
In addition to containing damage that may be caused by software flaws and allowing more efficient use of physical memory, this architecture forms an integral part of the security of the operating system.
However, kernel-mode drivers, many hardware devices, and user-mode vulnerabilities allow direct, unimpeded access of the physical memory address space.
The OHCI 1394 specification allows devices, for performance reasons, to bypass the operating system and access physical memory directly without any security restrictions.
Another application known to exploit this vulnerability to gain unauthorized access to running Windows, Mac OS and Linux computers is the spyware FinFireWire.
[10] But as of 2019, the major OS vendors had not taken into account the variety of ways that a malicious device could take advantage of complex interactions between multiple emulated peripherals, exposing subtle bugs and vulnerabilities.