Macs 'partially affected' by unpatchable Thunderbolt security exploit

Posted in General Discussion, edited September 2020
A security researcher has discovered a Thunderbolt vulnerability that could allow attackers to bypass system defenses and access the contents of a locked computer's drive in minutes -- with Boot Camp installs of Windows and Linux susceptible to the attack.

With just a few minutes of physical access to a laptop, Thunderspy could allow an attacker to bypass all of its security and encryption mechanisms. Credit: Bjorn Ruytenberg
Developed and maintained by Intel, Thunderbolt is a common port standard found in millions of consumer PCs, including Apple Macs. Certain features of the Thunderbolt interface have raised concerns among security experts for years, however.

On Sunday, Bjorn Ruytenberg, a security researcher at Eindhoven University of Technology, published details about a new vulnerability he's dubbing "Thunderspy." With just a few minutes of physical access and a couple of hundred dollars of easily purchased equipment, the vulnerability could allow an attacker to bypass a computer's security mechanisms -- even if it's locked and its hard drive is encrypted.

Ruytenberg demonstrated a proof-of-concept of the Thunderspy flaw, which allows attackers to disable the Security Levels feature of the Thunderbolt standard, on a Lenovo ThinkPad in a YouTube video.

The process involves unscrewing the backplate of the laptop, interfacing with the Thunderbolt controller with a single-board computer, rewriting the controller firmware and disabling security features. As a result of the exploit, Ruytenberg was able to bypass the password lock screen on the device in just five minutes.

It's a good example of what security experts call an "evil maid attack," which refers to types of hacking that require physical access to a device -- such as a laptop left alone in a hotel room.

The vulnerability, which cannot be patched in software, affects all Thunderbolt-equipped PCs manufactured before 2019, though macOS devices are only "partially affected." That's because Apple's macOS uses its own security mechanisms, such as a device whitelist, IOMMU virtualization and kernel Direct Memory Access (DMA) protections.

Vulnerabilities in Intel's Thunderbolt connector standard aren't new, and researchers have long been concerned about speed-enhancing features like more direct access to a system's memory. In early 2019, researchers published a flaw dubbed "Thunderclap" that could allow USB-C or DisplayPort devices to compromise Mac and other PC systems.

In the wake of that vulnerability, researchers recommended that users take advantage of an Intel security feature called "Security Levels" -- the exact mechanism that Thunderspy allows attackers to bypass.

Intel claims that it addressed the vulnerability last year, but Wired found that its security fix hasn't yet been widely implemented in many machines.

Ruytenberg has also created a tool called Spycheck for Windows and Linux, which allows consumers to test whether their machines are vulnerable. If they are, he recommends disabling Thunderbolt ports entirely as the only real way to mitigate the flaw.
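As an added example (this is not Spycheck and not code from the article or from Ruytenberg), the script below shows the kind of read-only check a Linux administrator can run to see which of the protections discussed above a machine actually has. It reads the two attributes the Linux kernel exposes per Thunderbolt domain under `/sys/bus/thunderbolt/devices/domain*/`: `security` (the configured Security Level, e.g. `none`, `user`, `secure`, `dponly`, `usbonly`) and `iommu_dma_protection` (`1` when the kernel is enforcing IOMMU-based DMA protection for Thunderbolt devices). The assessment logic follows the article's point: Security Levels alone are exactly what Thunderspy defeats, so only active kernel DMA protection is treated as protective. The `build_sample_tree` helper writes a constructed sysfs-like tree so the example runs offline; the paths and attribute names are real Linux sysfs names, while the classification labels are this example's own.

```python
"""Report Thunderbolt Security Level and kernel DMA (IOMMU) protection per domain.

Added example, not the Spycheck tool. Reads only; changes nothing on the system.
"""
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Real sysfs location on Linux: one directory per Thunderbolt domain (host controller).
SYSFS_TB = Path("/sys/bus/thunderbolt/devices")

# Security Levels as the kernel reports them in the "security" attribute.
LEVEL_NOTES = {
    "none": "SL0: no device authorization; any plugged-in device is allowed",
    "user": "SL1: user authorization; devices must be approved once",
    "secure": "SL2: secure connect; device must present a key on reconnect",
    "dponly": "SL3: DisplayPort only; no PCIe tunneling",
    "usbonly": "USB/DisplayPort only; no PCIe tunneling",
}


@dataclass
class DomainStatus:
    domain: str
    security: str                         # contents of the "security" attribute
    iommu_dma_protection: Optional[bool]  # None if the kernel predates the attribute


def read_domain(domain_dir: Path) -> DomainStatus:
    """Parse one domainN directory. Missing iommu_dma_protection is reported as None."""
    security = (domain_dir / "security").read_text().strip()
    iommu_file = domain_dir / "iommu_dma_protection"
    iommu = iommu_file.read_text().strip() == "1" if iommu_file.is_file() else None
    return DomainStatus(domain_dir.name, security, iommu)


def scan(root: Path = SYSFS_TB) -> List[DomainStatus]:
    """Return status for every domain under root; empty list if there is no Thunderbolt."""
    if not root.is_dir():
        return []
    return [read_domain(d) for d in sorted(root.glob("domain*")) if (d / "security").is_file()]


def assess(status: DomainStatus) -> str:
    """Classify exposure (labels are this example's own, not Intel's or the kernel's).

    Thunderspy lets an attacker with physical access to the controller rewrite its
    firmware and drop the Security Level, so any setting that relies on Security
    Levels alone is treated as exposed. IOMMU-based kernel DMA protection confines
    what a malicious device can read or write regardless of the controller's level.
    """
    if status.iommu_dma_protection:
        return "protected"
    return "exposed"


def report(statuses: List[DomainStatus]) -> List[str]:
    """Human-readable lines, one per domain."""
    if not statuses:
        return ["no Thunderbolt domains found (no controller, or driver not loaded)"]
    lines = []
    for s in statuses:
        note = LEVEL_NOTES.get(s.security, "unknown level")
        iommu = {True: "on", False: "off", None: "unsupported by kernel"}[s.iommu_dma_protection]
        lines.append(f"{s.domain}: security={s.security} ({note}); "
                     f"kernel DMA protection={iommu}; verdict={assess(s)}")
    return lines


def build_sample_tree() -> Path:
    """Write a CONSTRUCTED sysfs-like tree in a temp dir: one exposed and one protected domain."""
    base = Path(tempfile.mkdtemp(prefix="tb_sample_"))
    for name, level, iommu in (("domain0", "user", "0"), ("domain1", "secure", "1")):
        d = base / name
        d.mkdir()
        (d / "security").write_text(level + "\n")
        (d / "iommu_dma_protection").write_text(iommu + "\n")
    return base


if __name__ == "__main__":
    root = SYSFS_TB if SYSFS_TB.is_dir() else build_sample_tree()
    print(f"scanning {root}")
    for line in report(scan(root)):
        print(line)
```

Run it as root or any user (the attributes are world-readable). A machine whose only safeguard is a Security Level shows `verdict=exposed`, which matches the article's advice that on such hardware the remaining option is to disable the ports in firmware.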

The Thunderbolt 3 protocol is also due to be added to USB4, which means that upcoming computers and accessories could be impacted by Thunderspy. Ruytenberg notes that more testing is required to confirm that, however.

What Thunderspy means for Mac users

In practical terms, attackers won't be able to disable the macOS lock screen or perform other attacks like they could if they had physical access to the device, as long as a user is running macOS instead of Windows or Linux via Boot Camp. Macs running Windows or Linux on Boot Camp, however, are just as vulnerable as other PCs.

The Thunderbolt flaw still leaves macOS devices vulnerable to some security workarounds, such as cloning the identity of a device on Apple's peripheral whitelist to an attacker device. That could open the door to other types of exploits similar to BadUSB, which describes a series of port-based attacks delivered by malicious USB devices.

Exploiting the vulnerability on macOS is still going to require physical access to a device, and since the scope of the attack is more limited on Apple's software due to built-in protections, the average macOS user is at a lower risk than those that run Windows or Linux. It's really only going to be a concern for already high-risk individuals.

While most macOS users are going to be largely safe from most of the repercussions of the vulnerability, it's still a good idea to avoid plugging in untrusted peripherals or storage devices, and control of physical access to devices remains paramount.

Comments

  • Reply 1 of 17
    tracer Posts: 11, member
    An Apple computer running Windows or Linux can be compromised, not a Mac. A Mac is an Apple computer running macOS.
  • Reply 2 of 17
    cpsro Posts: 2,827, member
    Anybody know why a Mac running Windows or Linux is vulnerable and why that hole couldn't be plugged with software?
    edited May 2020
  • Reply 3 of 17
    mjtomlin Posts: 2,428, member
    cpsro said:
    Anybody know why a Mac running Windows or Linux is vulnerable and why that hole couldn't be plugged with software?

    As the article mentioned, it's because Windows and Linux machines make use of the security features that are built into the Thunderbolt controller firmware. macOS does not - it uses Apple's own security system.
  • Reply 4 of 17
    sflocal Posts: 5,619, member
    I’m sure China is watching closely.
  • Reply 5 of 17
    Dan_Dilger Posts: 1,583, member
    mjtomlin said:
    cpsro said:
    Anybody know why a Mac running Windows or Linux is vulnerable and why that hole couldn't be plugged with software?

    As the article mentioned, it's because Windows and Linux machines make use of the security features that are built into the Thunderbolt controller firmware. macOS does not - it uses Apple's own security system.
    Correct. The report notes:

    MacOS: Regarding Thunderbolt security, MacOS employs (i) an Apple-curated whitelist in place of Security Levels [7], and (ii) IOMMU virtualization when hardware and driver support is available [1][3]. Vulnerabilities 2–3 enable bypassing the first protection measure, and fully compromising authenticity of Thunderbolt device metadata in MacOS “System Information”. However, the second protection measure remains functioning and hence prevents any further impact on victim system security via DMA.
  • Reply 6 of 17
    NYC362 Posts: 14, member
    It is important to note that on newer MacBooks, soon as you open up the case, the T2 security chip sees it and wipes the SSD.  
  • Reply 7 of 17
    gatorguy Posts: 22,913, member
    NYC362 said:
    It is important to note that on newer MacBooks, soon as you open up the case, the T2 security chip sees it and wipes the SSD.  
    Seriously? 
  • Reply 8 of 17
    gatorguy Posts: 22,913, member
    mjtomlin said:
    cpsro said:
    Anybody know why a Mac running Windows or Linux is vulnerable and why that hole couldn't be plugged with software?

    As the article mentioned, it's because Windows and Linux machines make use of the security features that are built into the Thunderbolt controller firmware. macOS does not - it uses Apple's own security system.
    Correct. The report notes:

    MacOS: Regarding Thunderbolt security, MacOS employs (i) an Apple-curated whitelist in place of Security Levels [7], and (ii) IOMMU virtualization when hardware and driver support is available [1][3]. Vulnerabilities 2–3 enable bypassing the first protection measure, and fully compromising authenticity of Thunderbolt device metadata in MacOS “System Information”. However, the second protection measure remains functioning and hence prevents any further impact on victim system security via DMA.
    You deleted part of the quotation, the last sentence, which has info some posters (admittedly probably a small number) in an enterprise environment might want to be aware of:
    "...The system becomes vulnerable to attacks similar to BadUSB. Therefore, MacOS is partially affected."

    EDIT: Well this is somewhat surprising, Microsoft is well aware that Thunderbolt security is lacking which is why Surface computers won't offer it. A few weeks ago they were asked "why not" and an MS engineer answered.

    "No Surface device has Thunderbolt. Why not? Because that’s a direct memory access port,” explains the Microsoft employee. “If you have a well prepared stick that you can put into the direct memory access port, then you can access the full device in memory and all data that’s stored in memory. We don’t believe, at this moment, that Thunderbolt can deliver the security that’s really needed from the devices.”

    edited May 2020
  • Reply 9 of 17
    longfang Posts: 230, member
    I’ve always gone with the mindset that it was game over if the attacker had physical access to my hardware.
  • Reply 10 of 17
    NYC362 Posts: 14, member
    gatorguy said:
    NYC362 said:
    It is important to note that on newer MacBooks, soon as you open up the case, the T2 security chip sees it and wipes the SSD.  
    Seriously? 
    That's what I've been told by several Genius Bar people.  
  • Reply 11 of 17
    Mike Wuerthele Posts: 6,164, administrator
    NYC362 said:
    gatorguy said:
    NYC362 said:
    It is important to note that on newer MacBooks, soon as you open up the case, the T2 security chip sees it and wipes the SSD.  
    Seriously? 
    That's what I've been told by several Genius Bar people.  
    This is not the case.
  • Reply 12 of 17
    neilm Posts: 885, member
    NYC362 said:
    It is important to note that on newer MacBooks, soon as you open up the case, the T2 security chip sees it and wipes the SSD.  
    So not true.

    That said, there are "no user serviceable parts within", so generally not much point in opening up a current laptop.
  • Reply 13 of 17
    mknelson Posts: 748, member
    neilm said:
    NYC362 said:
    It is important to note that on newer MacBooks, soon as you open up the case, the T2 security chip sees it and wipes the SSD.  
    So not true.

    That said, there are "no user serviceable parts within", so generally not much point in opening up a current laptop.
    And it's a pretty silly suggestion to boot - otherwise how would a service department open the laptop for other repairs such as battery replacement, speakers, etc.
  • Reply 14 of 17
    MplsP Posts: 3,052, member
    Not to worry - it requires access to the Thunderbolt controller and thanks to the $#&* pentalobe security screws, no one can get in anyway! :tongue: 
  • Reply 15 of 17
    digitol Posts: 233, member
    Evil maid haha!  I'm never concerned over these type of "exploits". Besides, any real Mac user would never be found without their Macs in their hands for more than 10 minutes anyhow!!!!!  :D
    edited May 2020
  • Reply 16 of 17
    MissNomer Posts: 22, member
    tracer said:
    An Apple computer running Windows or Linux can be compromised, not a Mac. A Mac is an Apple computer running macOS.
    Total abject rubbish.

    A Mac is an Intel-based computer capable of running OSX, Windows or Linux. What makes it a Mac is some very specific hardware that OSX is ideally suited to take advantage of.

    That said, just like computers from Dell, Lenovo etc. the Mac is capable of running other non Apple written operating systems.
  • Reply 17 of 17
    tommy65 Posts: 56, member
    This might open a door to extra security measures inside, as done with, for example, the PIN pads from Hypercom. Just add a non-removable type of glue over the internals with cooling capabilities and no one can access any internals even after opening the lid. Not that I am waiting for such a device, but hey, it happened to PIN pads I used to crack open, repair and replace internals on.