Thunderbolt 3 'Thunderclap' vulnerabilities let malicious peripherals attack a Mac's memor...

Posted:
in macOS
Vulnerabilities in Thunderbolt has been disclosed by security researchers, with "Thunderclap" allowing a device connecting over Thunderbolt to acquire sensitive data from the host Mac, an issue that affects almost all Macs released since 2011.




Revealed at the Network and Distributed Systems Security Symposium on Tuesday, Thunderclap is a set of vulnerabilities that take advantage of issues with the way Thunderbolt operates. By misusing how Thunderbolt functions, a malicious device has the capability to access system memory without any oversight from operating systems.

The main way Thunderclap works is due to how Thunderbolt peripherals and accessories are effectively considered to be trusted components of a computer, complete with direct memory access that can bypass operating system security policies, according to security researcher Theo Markettos. Thunderbolt offers devices "more privilege than regular USB devices," giving them more freedom and access to potentially sensitive information.

Practically all hardware with some form of Thunderbolt connection is affected, including those with USB Type-C ports and those with older Mini DisplayPort connections. In the case of Apple, a dedicated Thunderclap website notes "all Apple laptops and desktops produced since 2011 are vulnerable, with the exception of the 12-inch Macbook."

Existing defenses of malicious devices exploiting DMA were deemed "very weak." One primary defense, the Input-Output Memory Management Unit (IOMMU,) in theory can force devices to only access memory required for a task and block off everything else, but not every operating system uses it.

It was found macOS is the only operating system to use IOMMU out of the box. Windows 7 to 10 Home and Pro don't support IOMMU, Windows 10 Enterprise has support but in a "very limited way" that doesn't offer adequate protection, and while Linux and FreeBSD do support IOMMU, it isn't enabled by default in most distributions.

It was also discovered that there are still more vulnerabilities available, even if IOMMU is enabled. By constructing a fake network card that functions to the operating system in a similar way to a real version, the team found it was capable of reading traffic from networks it wouldn't normally have access to, and on MacOS and FreeBSD, had the ability to start arbitrary programs as a system administrator.

The team of researchers working on the Thunderclap project include Theo Markettos, Colin Rothwell, Brett Gutstein, Allison Pearce, Peter Neumann, Simon Moore, and Robert Watson. The team has already been working with vendors since 2016, with many issuing patches and fixes to work around many of the vulnerabilities brought up by the researchers.

In the case of Apple, macOS fixed a vulnerability that allowed administrator access in an update to version 10.12.4 in 2016, though it is believed "the more general scope of such attacks remain relevant."

Such attacks would be unlikely to affect the vast majority of macOS users, as they would require physical access to a Thunderbolt Mac, and a malicious peripheral that does not appear to exist yet. Short of being exceptionally careless with security, the only time anyone is probably going to be affected by this sort of attack is if they are in an important position within an enterprise or of some importance to a government.

AppleInsider's general advice is to avoid plugging in random and untrusted peripherals of any sort into to a computer, such as "lost" USB drives of unknown origins, and to maintain the physical and software security of managed systems.

Comments

  • Reply 1 of 12
    MacProMacPro Posts: 18,352member
    So spy movies can now show secret agents plugging TB3 dongles into corporate Macs to download secrets instead of USB dongles into PCs.
    cgWerks
  • Reply 2 of 12
    ciacia Posts: 81member
    While any vulnerability is a bad thing, the type of attack outlined here in this article should generally be of no concern to average users.
    williamlondon
  • Reply 3 of 12
    cia said:
    While any vulnerability is a bad thing, the type of attack outlined here in this article should generally be of no concern to average users.
    "AppleInsider's general advice is to avoid plugging in random and untrusted peripherals of any sort into to a computer"

    Many average users commonly share data via flash drives.  And with USB-C used as power the risk increases.

    williamlondon
  • Reply 4 of 12
    MplsPMplsP Posts: 1,547member
    cia said:
    While any vulnerability is a bad thing, the type of attack outlined here in this article should generally be of no concern to average users.
    "AppleInsider's general advice is to avoid plugging in random and untrusted peripherals of any sort into to a computer"

    Many average users commonly share data via flash drives.  And with USB-C used as power the risk increases.

    Not to mention the fact that with USB being combined with Thunderbolt using the USB C connector you can't tell the difference between an USB device and a thunderbolt device based on the plug like you used to be able to.

    That said, I agree with Cia that this is a low risk for your average user. It's also not clear from the article whether your computer has to be running and/or unlocked for the hack to be executed. If your computer is turned off or even in sleep mode and password protected, can someone still use this to access the memory? I suspect the answer is 'yes' to the latter, but probably not the former.
  • Reply 5 of 12
    How come the 12" MacBook is not affected?
  • Reply 6 of 12
    zimmiezimmie Posts: 272member
    How come the 12" MacBook is not affected?
    12" MacBook doesn't have Thunderbolt. USB 3 still allows DMA, so it might be affected, but differently.
  • Reply 7 of 12
    zimmiezimmie Posts: 272member
    MplsP said:
    cia said:
    While any vulnerability is a bad thing, the type of attack outlined here in this article should generally be of no concern to average users.
    "AppleInsider's general advice is to avoid plugging in random and untrusted peripherals of any sort into to a computer"

    Many average users commonly share data via flash drives.  And with USB-C used as power the risk increases.

    Not to mention the fact that with USB being combined with Thunderbolt using the USB C connector you can't tell the difference between an USB device and a thunderbolt device based on the plug like you used to be able to.

    That said, I agree with Cia that this is a low risk for your average user. It's also not clear from the article whether your computer has to be running and/or unlocked for the hack to be executed. If your computer is turned off or even in sleep mode and password protected, can someone still use this to access the memory? I suspect the answer is 'yes' to the latter, but probably not the former.
    This attack is not effective against a target which is entirely powered off. It also shouldn't work against targets which are sleeping. Where this gets complicated is Power Nap. Most current Macs wake themselves up periodically and wake up their network cards to check for new messages and so on. I would expect this to work against a machine when it wakes up for Power Nap updates as well as it would work against the machine when awake but locked.

    As for whether the machine needs to be unlocked for the attack to work, no idea. That's a great question which I would expect to be answered in the original paper, which I have not yet read.
    GeorgeBMac
  • Reply 8 of 12
    It sounds like the researchers in this case are performing a valuable service to the community and working responsibly with companies like Apple, so that this can addressed.

    It is a bit alarming that--in theory--someone could construct a device that would allow them to plug into an (unlocked?) Mac and (with no human interaction) execute commands that should require admin access.  Sure it requires physical access, but most of us trust that on-disk encryption and OS level controls give us pretty strong protection against even this type of hijack.  Hopefully Apple will be able to address this before the headlines of "All the data on every Mac is vulnerable" hits the evening news.
    GeorgeBMac
  • Reply 9 of 12
    I just bought a couple of USB A to USB C dongles that I am using with the Thunderbolt 3/USB C ports on my new Mac mini. Can such a dongle be turned into a malicious device? If so, is there a way to determine if the hardware you are using is "clean"? My guess is that the dongles are harmless, but it would be nice to know for sure.
    cornchip
  • Reply 10 of 12
    cpsrocpsro Posts: 2,475member
    Glad to know about this. Another reason to be wary of hardware made in China.
    cornchipjony0
  • Reply 11 of 12
    cgWerkscgWerks Posts: 2,273member
    larz2112 said:
    I just bought a couple of USB A to USB C dongles that I am using with the Thunderbolt 3/USB C ports on my new Mac mini. Can such a dongle be turned into a malicious device? If so, is there a way to determine if the hardware you are using is "clean"? My guess is that the dongles are harmless, but it would be nice to know for sure.
    Wait until they have built-in 5G and just transmit any data they can, 'home'. :)
  • Reply 12 of 12
    So, does this support of IOMMU mean that a Mac with ONLY Mac OS and no virtual machine is still probably safe?
Sign In or Register to comment.