Thunderbolt 3 'Thunderclap' vulnerabilities let malicious peripherals attack a Mac's memor...
Vulnerabilities in Thunderbolt has been disclosed by security researchers, with "Thunderclap" allowing a device connecting over Thunderbolt to acquire sensitive data from the host Mac, an issue that affects almost all Macs released since 2011.
Revealed at the Network and Distributed Systems Security Symposium on Tuesday, Thunderclap is a set of vulnerabilities that take advantage of issues with the way Thunderbolt operates. By misusing how Thunderbolt functions, a malicious device has the capability to access system memory without any oversight from operating systems.
The main way Thunderclap works is due to how Thunderbolt peripherals and accessories are effectively considered to be trusted components of a computer, complete with direct memory access that can bypass operating system security policies, according to security researcher Theo Markettos. Thunderbolt offers devices "more privilege than regular USB devices," giving them more freedom and access to potentially sensitive information.
Practically all hardware with some form of Thunderbolt connection is affected, including those with USB Type-C ports and those with older Mini DisplayPort connections. In the case of Apple, a dedicated Thunderclap website notes "all Apple laptops and desktops produced since 2011 are vulnerable, with the exception of the 12-inch Macbook."
Existing defenses of malicious devices exploiting DMA were deemed "very weak." One primary defense, the Input-Output Memory Management Unit (IOMMU,) in theory can force devices to only access memory required for a task and block off everything else, but not every operating system uses it.
It was found macOS is the only operating system to use IOMMU out of the box. Windows 7 to 10 Home and Pro don't support IOMMU, Windows 10 Enterprise has support but in a "very limited way" that doesn't offer adequate protection, and while Linux and FreeBSD do support IOMMU, it isn't enabled by default in most distributions.
It was also discovered that there are still more vulnerabilities available, even if IOMMU is enabled. By constructing a fake network card that functions to the operating system in a similar way to a real version, the team found it was capable of reading traffic from networks it wouldn't normally have access to, and on MacOS and FreeBSD, had the ability to start arbitrary programs as a system administrator.
The team of researchers working on the Thunderclap project include Theo Markettos, Colin Rothwell, Brett Gutstein, Allison Pearce, Peter Neumann, Simon Moore, and Robert Watson. The team has already been working with vendors since 2016, with many issuing patches and fixes to work around many of the vulnerabilities brought up by the researchers.
In the case of Apple, macOS fixed a vulnerability that allowed administrator access in an update to version 10.12.4 in 2016, though it is believed "the more general scope of such attacks remain relevant."
Such attacks would be unlikely to affect the vast majority of macOS users, as they would require physical access to a Thunderbolt Mac, and a malicious peripheral that does not appear to exist yet. Short of being exceptionally careless with security, the only time anyone is probably going to be affected by this sort of attack is if they are in an important position within an enterprise or of some importance to a government.
AppleInsider's general advice is to avoid plugging in random and untrusted peripherals of any sort into to a computer, such as "lost" USB drives of unknown origins, and to maintain the physical and software security of managed systems.
Revealed at the Network and Distributed Systems Security Symposium on Tuesday, Thunderclap is a set of vulnerabilities that take advantage of issues with the way Thunderbolt operates. By misusing how Thunderbolt functions, a malicious device has the capability to access system memory without any oversight from operating systems.
The main way Thunderclap works is due to how Thunderbolt peripherals and accessories are effectively considered to be trusted components of a computer, complete with direct memory access that can bypass operating system security policies, according to security researcher Theo Markettos. Thunderbolt offers devices "more privilege than regular USB devices," giving them more freedom and access to potentially sensitive information.
Practically all hardware with some form of Thunderbolt connection is affected, including those with USB Type-C ports and those with older Mini DisplayPort connections. In the case of Apple, a dedicated Thunderclap website notes "all Apple laptops and desktops produced since 2011 are vulnerable, with the exception of the 12-inch Macbook."
Existing defenses of malicious devices exploiting DMA were deemed "very weak." One primary defense, the Input-Output Memory Management Unit (IOMMU,) in theory can force devices to only access memory required for a task and block off everything else, but not every operating system uses it.
It was found macOS is the only operating system to use IOMMU out of the box. Windows 7 to 10 Home and Pro don't support IOMMU, Windows 10 Enterprise has support but in a "very limited way" that doesn't offer adequate protection, and while Linux and FreeBSD do support IOMMU, it isn't enabled by default in most distributions.
It was also discovered that there are still more vulnerabilities available, even if IOMMU is enabled. By constructing a fake network card that functions to the operating system in a similar way to a real version, the team found it was capable of reading traffic from networks it wouldn't normally have access to, and on MacOS and FreeBSD, had the ability to start arbitrary programs as a system administrator.
The team of researchers working on the Thunderclap project include Theo Markettos, Colin Rothwell, Brett Gutstein, Allison Pearce, Peter Neumann, Simon Moore, and Robert Watson. The team has already been working with vendors since 2016, with many issuing patches and fixes to work around many of the vulnerabilities brought up by the researchers.
In the case of Apple, macOS fixed a vulnerability that allowed administrator access in an update to version 10.12.4 in 2016, though it is believed "the more general scope of such attacks remain relevant."
Such attacks would be unlikely to affect the vast majority of macOS users, as they would require physical access to a Thunderbolt Mac, and a malicious peripheral that does not appear to exist yet. Short of being exceptionally careless with security, the only time anyone is probably going to be affected by this sort of attack is if they are in an important position within an enterprise or of some importance to a government.
AppleInsider's general advice is to avoid plugging in random and untrusted peripherals of any sort into to a computer, such as "lost" USB drives of unknown origins, and to maintain the physical and software security of managed systems.
Comments
That said, I agree with Cia that this is a low risk for your average user. It's also not clear from the article whether your computer has to be running and/or unlocked for the hack to be executed. If your computer is turned off or even in sleep mode and password protected, can someone still use this to access the memory? I suspect the answer is 'yes' to the latter, but probably not the former.
As for whether the machine needs to be unlocked for the attack to work, no idea. That's a great question which I would expect to be answered in the original paper, which I have not yet read.
It is a bit alarming that--in theory--someone could construct a device that would allow them to plug into an (unlocked?) Mac and (with no human interaction) execute commands that should require admin access. Sure it requires physical access, but most of us trust that on-disk encryption and OS level controls give us pretty strong protection against even this type of hijack. Hopefully Apple will be able to address this before the headlines of "All the data on every Mac is vulnerable" hits the evening news.
T2 issues in newer Macs with USB and audio in particular are also disturbing. It's supposed to get better, not worse!