Hardware / Chip-level Security
Windows, MacOS and Linux operating systems do not protect memory adequately, which allows a fake network card to sniff bank information, encryption keys, and private files, according to new research.
The weaknesses, collectively called Thunderclap, mark a new class of threats posed by malicious external devices. The research has been in the works since 2016, and Apple is one of several vendors that have released software updates as a result.
The work focused on the Thunderbolt 3 data transfer standard over USB Type-C connectors. While operating systems should only allow a peripheral to have direct memory access for the resources it needs, researchers found that this defense is not implemented effectively to prevent data theft. The research also covered PCI Express, or PCIe, an older set of device connections and data transfer protocols.
Stealing data in this way requires physical access to a device. "The combination of power, video and DMA devices over Thunderbolt 3 ports facilitates the creation of maliciously functioning charging stations or monitors that at the same time take control of connected machines," the researchers wrote in a blog post.
The research paper, from the University of Cambridge, Rice University and SRI International, was presented on Tuesday at the Network and Distributed Systems Security Symposium in San Diego. Its co-authors are A. Theodore Markettos, Colin Rothwell, Brett F. Gutstein, Allison Pearce, Peter G. Neumann, Simon W. Moore, and Robert N. M. Watson.
Memory Print Down
Unlike regular USB ports, USB-C ports carrying Thunderbolt have higher privileges and low-level access to a device. To protect against malicious access, the Input Output Memory Management Unit, or IOMMU, acts as a gatekeeper for access to memory.
But the researchers found that most systems do not use the IOMMU out of the box. MacOS is the exception; Linux and FreeBSD support it, but it is not enabled by default. Home and Pro versions of Windows 7, 8 and 10 do not support it. The enterprise version of Windows 10 "may use it, but in a very limited way that leaves most of the system unattended," they write.
"This situation is not good, and our investigations showed significant additional vulnerabilities, even when IOMMU is activated," the researchers said.
The testing involved creating a fake network card that interacted with the operating systems the same way as a real one. The researchers downloaded a software model of an Intel E1000 network card from the QEMU open source system emulator and ran it on a field programmable gate array.
The researchers then observed what the fake network card could see, intercepting data sent over a VPN and traffic from Unix domain sockets.
On MacOS and FreeBSD, it was possible to launch arbitrary programs as a system administrator. On MacOS, the fake card could read keystrokes coming from a USB keyboard. On Linux, it had access to sensitive kernel data structures, the researchers write. "Worst of all, on Linux, we could completely bypass the enabled IOMMU by inserting a few selection fields into the messages our malicious network card sent."
Fixes in the Pipeline
The research has been in progress since 2016, and vendors have issued mitigations. But the researchers warn that the newly discovered risk represents a new space of vulnerabilities, and that others may yet be found.
"We believe that all operating systems are vulnerable to similar attacks, and that major changes in design will be needed to address these issues," the researchers said. "We noticed similarities between the security surface available to malicious external devices over IOMMU protection and the core system call interface, long a source of operating system vulnerabilities."
In 2016, Apple fixed a vulnerability that the researchers had exploited to gain administrator access, in MacOS version 10.12.4.
Improvements for Windows have also been made. For laptops shipped with Windows 10 version 1083, the IOMMU is enabled by a feature called Kernel DMA Protection for Thunderbolt 3, the researchers note. But the protection does not extend to PCIe. Older Windows computers delivered before version 10833 remain vulnerable.
Intel has also developed Linux patches to turn on the IOMMU for Thunderbolt devices, which will be included in the upcoming 5.0 Linux kernel.
But until there is a more uniform implementation of the IOMMU across operating systems, the researchers' advice stands: "We recommend users update their systems and be careful about attaching unknown USB-C devices to their machines – especially those in public places."
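A defender-side check for a Linux host, added here as an example and not taken from the article or the researchers' code: it snapshots the kernel command line, /sys/kernel/iommu_groups (which only gets entries when an IOMMU driver is active) and each Thunderbolt domain's sysfs attributes (the security level and the iommu_dma_protection flag the 5.0 kernel's Thunderbolt patches expose), then rates the DMA exposure of each domain. The risk labels and the two sample snapshots are this example's own constructions.

```python
from pathlib import Path

CMDLINE = "/proc/cmdline"
IOMMU_GROUPS = "/sys/kernel/iommu_groups"   # gets entries only when an IOMMU driver is active
TB_ROOT = "/sys/bus/thunderbolt/devices"

def read_live():
    """Snapshot the real files into {path: text}; missing or unreadable ones are skipped."""
    paths = [Path(CMDLINE), *Path(IOMMU_GROUPS).glob("*"),
             *Path(TB_ROOT).glob("domain*/security"),
             *Path(TB_ROOT).glob("domain*/iommu_dma_protection")]
    snap = {}
    for p in paths:
        try:
            snap[str(p)] = p.read_text().strip() if p.is_file() else ""
        except OSError:
            continue
    return snap

def assess(snap):
    """Rate each Thunderbolt domain's DMA exposure from a {path: text} snapshot."""
    args = snap.get(CMDLINE, "").split()
    iommu_active = any(p.startswith(IOMMU_GROUPS + "/") for p in snap)
    iommu_requested = "intel_iommu=on" in args   # Intel's driver is off by default on older kernels
    domains = {}
    for path, text in snap.items():
        rest = path[len(TB_ROOT) + 1:]
        if path.startswith(TB_ROOT + "/domain") and "/" in rest:
            dom, attr = rest.split("/", 1)
            domains.setdefault(dom, {})[attr] = text
    tb = {}
    for dom, attrs in sorted(domains.items()):
        level = attrs.get("security", "unknown")      # none / user / secure / dponly / usbonly
        dma_prot = attrs.get("iommu_dma_protection") == "1"
        if level == "none" and not iommu_active:
            risk = "high"    # legacy mode: anything plugged in is attached with unrestricted DMA
        elif not iommu_active or not dma_prot:
            risk = "medium"  # devices the user approves still get DMA the IOMMU does not bound
        else:
            risk = "low"     # not immune: the paper found issues even with the IOMMU enabled
        tb[dom] = {"security": level, "iommu_dma_protection": dma_prot, "risk": risk}
    return {"iommu_active": iommu_active, "iommu_requested": iommu_requested, "thunderbolt": tb}

# Constructed snapshots (not captured from real hosts) so the check can be exercised offline.
SNAP_DEFAULT = {CMDLINE: "BOOT_IMAGE=/vmlinuz root=/dev/sda2 quiet",
                TB_ROOT + "/domain0/security": "none"}
SNAP_HARDENED = {CMDLINE: "BOOT_IMAGE=/vmlinuz intel_iommu=on", IOMMU_GROUPS + "/0": "",
                 TB_ROOT + "/domain0/security": "secure",
                 TB_ROOT + "/domain0/iommu_dma_protection": "1"}
```

Calling assess(read_live()) on the host itself produces the same structure from the real sysfs.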