Recently disclosed “Thunderclap” vulnerabilities in Thunderbolt allow a malicious device to connect over Thunderbolt and acquire sensitive data from a Mac. The issue is said to affect nearly every Mac made since 2011.
Revealed at the Network and Distributed Systems Security Symposium on Tuesday, Thunderclap is a set of vulnerabilities that take advantage of issues with the way Thunderbolt operates. By misusing how Thunderbolt functions, a malicious device has the capability to access system memory without any oversight from operating systems.
Thunderclap takes advantage of how Thunderbolt peripherals and accessories are automatically considered to be trusted components of the Mac, even allowing direct memory access that bypasses the usual operating system policies, says security researcher Theo Markettos.
Such ports offer very privileged, low-level, direct memory access (DMA), which gives peripherals much more privilege than regular USB devices. If no defences are used on the host, an attacker has unrestricted memory access, and can completely take control of a target computer: they can steal passwords, banking logins, encryption keys, browser sessions and private files, and they can also inject malicious software that can run anywhere in the system.
Most hardware that includes a form of Thunderbolt connectivity is vulnerable, including computers with newer USB-C type ports as well as older Mini DisplayPort connections. A dedicated Thunderclap website notes “all Apple laptops and desktops produced since 2011 are vulnerable, with the exception of the 12-inch MacBook.”
Markettos says existing defenses against the attacks are “very weak.”
The primary defence is a component called the Input-Output Memory Management Unit (IOMMU), which, in principle, can allow devices to access only the memory needed to do their job and nothing else. However, we found existing operating systems do not use the IOMMU effectively.
To begin with, most systems don’t enable the IOMMU at all. Windows 7, Windows 8, and Windows 10 Home and Pro didn’t support the IOMMU. Windows 10 Enterprise can optionally use it, but in a very limited way that leaves most of the system undefended. Linux and FreeBSD do support using the IOMMU, but this support is not enabled by default in most distributions. MacOS is the only OS we studied that uses the IOMMU out of the box.
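The passage above turns on a question a defender can answer directly: is the IOMMU actually active on this host, and will a freshly plugged Thunderbolt device be granted PCIe (and therefore DMA) access before anyone approves it? The following audit script is an added example, not code from the Thunderclap project or the article. It reads the standard Linux interfaces (the kernel creates entries under /sys/kernel/iommu_groups only when an IOMMU is enabled, /proc/cmdline carries the intel_iommu/amd_iommu/iommu options, and each Thunderbolt domain exposes its security level in /sys/bus/thunderbolt/devices/domainN/security). Because those paths only exist on real hardware, the script also constructs a fake sysfs tree so it can be run offline; the sample values it writes are constructed for illustration.

```python
"""Audit a Linux host's DMA-protection posture against Thunderclap-style
attacks: is the IOMMU enabled, is it in passthrough mode, and what security
level is each Thunderbolt domain configured with?

Added example (not the Thunderclap project's code).  Paths are the standard
Linux sysfs/procfs locations; build_sample_sysroot() fabricates them so the
script runs without Thunderbolt hardware.
"""
import tempfile
from pathlib import Path

# Kernel Thunderbolt security levels that do NOT hand PCIe/DMA access to a
# newly attached device without some form of authorisation.  'none' (the
# legacy default on many firmware builds) is the setting Thunderclap relies on.
TB_LEVELS_BLOCKING_UNAUTHORISED_DMA = {"user", "secure", "dponly", "usbonly", "nopcie"}


def iommu_enabled(sysroot="/"):
    """True if the kernel has created at least one IOMMU group; it only does
    so when an IOMMU (Intel VT-d / AMD-Vi) is present and switched on."""
    groups = Path(sysroot) / "sys/kernel/iommu_groups"
    return groups.is_dir() and any(groups.iterdir())


def iommu_passthrough(sysroot="/"):
    """True if the kernel was booted with iommu=pt, which identity-maps host
    devices and so leaves their DMA unrestricted even though the IOMMU is on."""
    cmdline = Path(sysroot) / "proc/cmdline"
    if not cmdline.exists():
        return False
    return "iommu=pt" in cmdline.read_text().split()


def thunderbolt_security_levels(sysroot="/"):
    """Map each Thunderbolt domain (domain0, domain1, ...) to its security level."""
    base = Path(sysroot) / "sys/bus/thunderbolt/devices"
    levels = {}
    if base.is_dir():
        for dom in sorted(base.iterdir()):
            sec = dom / "security"
            if dom.name.startswith("domain") and sec.exists():
                levels[dom.name] = sec.read_text().strip()
    return levels


def audit(sysroot="/"):
    """Return the observed settings plus a list of human-readable findings;
    an empty findings list means nothing obviously weak was seen."""
    enabled = iommu_enabled(sysroot)
    passthrough = iommu_passthrough(sysroot)
    levels = thunderbolt_security_levels(sysroot)
    findings = []
    if not enabled:
        findings.append("IOMMU inactive: a DMA-capable peripheral can read and write all RAM")
    elif passthrough:
        findings.append("iommu=pt: IOMMU is in passthrough mode, device DMA is not restricted")
    for dom, lvl in levels.items():
        if lvl not in TB_LEVELS_BLOCKING_UNAUTHORISED_DMA:
            findings.append(f"{dom}: security level '{lvl}' grants PCIe access without authorisation")
    return {"iommu_enabled": enabled, "iommu_passthrough": passthrough,
            "thunderbolt": levels, "findings": findings}


def build_sample_sysroot(iommu=True, cmdline="BOOT_IMAGE=/vmlinuz intel_iommu=on",
                         tb_security="secure"):
    """Construct a fake root containing only the files audit() reads.
    Values are made up for the example; they are not taken from a real machine."""
    root = Path(tempfile.mkdtemp(prefix="dma-audit-"))
    (root / "proc").mkdir()
    (root / "proc/cmdline").write_text(cmdline + "\n")
    if iommu:
        # One populated group is enough for the kernel-side check to pass.
        (root / "sys/kernel/iommu_groups/0/devices").mkdir(parents=True)
    dom = root / "sys/bus/thunderbolt/devices/domain0"
    dom.mkdir(parents=True)
    (dom / "security").write_text(tb_security + "\n")
    return str(root)


if __name__ == "__main__":
    # Run against the live host (root "/") by default, or a constructed tree.
    for label, root in (("live host", "/"),
                        ("sample: weak", build_sample_sysroot(iommu=False, tb_security="none"))):
        result = audit(root)
        print(f"[{label}] iommu_enabled={result['iommu_enabled']} "
              f"passthrough={result['iommu_passthrough']} thunderbolt={result['thunderbolt']}")
        for f in result["findings"]:
            print("  -", f)
```

The checks are deliberately conservative: an empty findings list only says the kernel-visible knobs are set sensibly, not that every driver behaves well behind an IOMMU, which is exactly the gap the researchers describe next.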
Even when the IOMMU is enabled, further vulnerabilities remain.
We built a fake network card that is capable of interacting with the operating system in the same way as a real one, including announcing itself correctly, causing drivers to attach, and sending and receiving network packets. To do this, we extracted a software model of an Intel E1000 from the QEMU full-system emulator and ran it on an FPGA. Because this is a software model, we can easily add malicious behaviour to find and exploit vulnerabilities.
The team of researchers working on the Thunderclap project includes Theo Markettos, Colin Rothwell, Brett Gutstein, Allison Pearce, Peter Neumann, Simon Moore, and Robert Watson.
macOS 10.12.4 fixed a vulnerability that allowed administrator access, though it is believed “the more general scope of such attacks remains relevant.”
The attacks do require physical access to a Thunderbolt Mac, and a malicious peripheral has not yet been seen in the wild.
As is usual in cases like this, we warn users not to plug untrusted peripherals of any kind into their Mac, such as found USB drives of unknown origin.