SECURITY BOFFINS have uncovered a flaw in the Thunderbolt specification that could leave PCs and Macs open to attack through USB-C and DisplayPort peripherals.
Dubbed 'Thunderclap' by cybersecurity researcher Theo Markettos and fellow boffins, the vulnerability allows hackers to exploit the privileged direct-memory access (DMA) provided through the speedy Thunderbolt connection to get access to the workings of a targeted gadget.
That access could allow hackers to carry out the usual pilfering of passwords and encryption keys, execution of malicious code, and user tracking.
"We studied the defences of existing systems in the face of malicious DMA-enabled peripheral devices and found them to be very weak," said Markettos.
"The primary defence is a component called the Input-Output Memory Management Unit (IOMMU), which, in principle, can allow devices to access only the memory needed to do their job and nothing else. However, we found existing operating systems do not use the IOMMU effectively."
Markettos explained that Windows 7, 8, and 10 Home and Pro don't support the IOMMU at all, and even Windows 10 Enterprise doesn't really use it properly.
This effectively means that the OS-level access granted to Thunderbolt-compatible devices, such as 4K monitors and external GPU enclosures, makes a machine more vulnerable to attacks that gain privileged access to the system.
Admittedly, that would mean hacking a Thunderbolt accessory or peripheral. Given the resourceful nature of hackers, we'd be surprised if that would pose an insurmountable challenge for some of the better code wranglers.
"We built a fake network card that is capable of interacting with the operating system in the same way as a real one, including announcing itself correctly, causing drivers to attach, and sending and receiving network packets," said Markettos.
"To do this, we extracted a software model of an Intel E1000 from the QEMU full-system emulator and ran it on an FPGA. Because this is a software model, we can easily add malicious behaviour to find and exploit vulnerabilities.
"We found the attack surface available to a network card was much richer and more nuanced than was previously thought. By examining the memory it was given access to while sending and receiving packets, our device was able to read traffic from networks that it wasn't supposed to. This included VPN plaintext and traffic from Unix domain sockets that should never leave the machine."
It's serious-sounding stuff, and on macOS and FreeBSD, the researchers found that their dodgy network card could start arbitrary programmes as the system admin. On Linux, they were able to get access to sensitive kernel data structures and completely bypass the enabled IOMMU by setting a few option fields in the messages the malicious network card sent.
"Such attacks are very plausible in practice. The combination of power, video, and peripheral-device DMA over Thunderbolt 3 ports facilitates the creation of malicious charging stations or displays that function correctly but simultaneously take control of connected machines," said Markettos.
That's worrying, especially when having a Thunderbolt-enabled USB-C port is seen as a big plus on devices such as ultraportable laptops.
But Markettos said the researchers had been working with vendors to get mitigations in the works since 2016, so don't go hurling your MacBook Pro out of the window as Apple has already squashed the flaw in its Mac machines.
It's also worth noting that a hacker would need direct access to a device to carry out such an attack.
This makes exploiting Thunderclap more of a challenge in the real world, but as ever, do keep an eye out for suspicious people lurking around your computer, especially if they happen to be lugging an external GPU around.