Researchers have detailed a cyber security vulnerability via the Thunderbolt interface with USB-C Ports. Attacks by this method can give hackers access to data that researchers said “should never leave the machine.” However, Apple devices were better than others at protecting against the vulnerability.
USB-C Ports, through which the Thunderbolt interface connects with a computer, “offer very privileged, low-level, direct memory access (DMA),” the researchers explained. This means that peripherals connected by Thunderbolt have much more privilege than a standard USB device. The researchers found the operating systems, had “very weak” defences against “malicious DMA-enabled peripheral devices.” The Thunderbolt device could access all network traffic, as well on occasion being able to access keystrokes and framebuffer data.
MacOS has Input-Output Memory Management Unit Out the Box
The best defence against attacks via this method is an Input-Output Memory Management Unit (IOMMU). In theory, this component will only give devices access to the the memory they need to complete their task. The problem was the operating systems investigated did not “use the IOMMU effectively”.
MacOS is the only OS we studied that uses the IOMMU out of the box,” the researchers said. Meanwhile Windows 7, Windows 8, and Windows 10 Home and Pro had not support for the IOMMU at all.
In a further investigation using a fake network card to access an operating system, the researchers were able “to start arbitrary programs as the system administrator” on macOS. They added that while Apple had fixed the specific vulnerability that they found with macOS 10.12.4 in 2016 “the more general scope of such attacks remain relevant”. The researchers concluded that “such attacks are very plausible in practice.”
The combination of power, video, and peripheral-device DMA over Thunderbolt 3 ports facilitates the creation of malicious charging stations or displays that function correctly but simultaneously take control of connected machines.
The researchers called the vulnerability Thunderclap. They said they had been working with laptop vendors since 2016 and that they had shipped some mitigations. However, the researchers repeated their calls for the vendors to improve operating system security. They added the usual advice that people should not attach unfamiliar USB-C devices to their laptops.