Thunderclap works mainly because Thunderbolt peripherals and accessories are treated as trusted components of a computer, complete with direct memory access (DMA), which lets them bypass the operating system's security policy, according to security researcher Theo Markettos. Thunderbolt gives devices "more privilege than regular USB devices", granting them more freedom and access to potentially sensitive information.
Effectively all hardware with a form of Thunderbolt connection is affected, including machines with USB Type-C ports and those with older Mini DisplayPort-style connectors. For Apple, a dedicated Thunderclap site "shows all 201
Existing defenses against malicious devices that exploit DMA were considered "very weak". The primary defense, the Input-Output Memory Management Unit (IOMMU), can in theory restrict a device to only the memory it needs for its task and block access to everything else, but not all operating systems use it.
The researchers found that macOS is the only operating system that uses the IOMMU out of the box. Windows 7 through Windows 10 Home and Pro do not support the IOMMU, Windows 10 Enterprise supports it but in a "very limited way" that does not provide adequate protection, and while Linux and FreeBSD support the IOMMU, it is not enabled by default in most deployments.
The team also found that several vulnerabilities remain even when the IOMMU is enabled. By building a fake network card that presents itself to the operating system exactly as a real one does, they were able to read traffic from networks the device would not normally have access to, and on macOS and FreeBSD could start arbitrary programs as the system administrator.
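The claim above that Linux supports the IOMMU but rarely enables it by default is something a practitioner can check directly. The following script is an added example, not code from the article or from the Thunderclap project: it audits whether a Linux host actually has IOMMU groups active and what Thunderbolt connection policy the kernel reports. It reads the kernel command line and sysfs through a configurable root directory so it can be exercised against a constructed tree; the sysfs attribute paths (`/sys/kernel/iommu_groups`, `/sys/bus/thunderbolt/devices/domain0/security` and `.../iommu_dma_protection`) are assumed to be those exported by current kernels and are not taken from the page. The function names and the sample "stock distro" tree are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the article or the Thunderclap project): audit
# whether a Linux host actually has IOMMU protection against DMA from
# Thunderbolt/PCIe peripherals. Paths are assumed to match current kernels.

# Advisory only: Intel platforms historically needed intel_iommu=on on the
# command line. Some kernels default it on, so absence does not prove it is off;
# the IOMMU group check below is the authoritative one.
cmdline_requests_iommu() {
    # $1: file holding the kernel command line (normally /proc/cmdline)
    grep -qE '(^|[[:space:]])(intel_iommu=on|amd_iommu=on)([[:space:]]|$)' "$1"
}

# Authoritative: IOMMU groups appear only when an IOMMU driver has bound to
# devices. An empty or missing directory means no address translation at all,
# so any PCIe/Thunderbolt device can read and write arbitrary physical memory.
iommu_groups_active() {
    # $1: directory standing in for /sys
    d="$1/kernel/iommu_groups"
    [ -d "$d" ] && [ -n "$(ls -A "$d" 2>/dev/null)" ]
}

# Thunderbolt connection policy: "none" auto-authorises every device and its
# PCIe tunnel, "user" requires explicit authorisation, "secure" adds a key
# challenge, "dponly" tunnels only DisplayPort (other values exist).
# Prints "absent" when no Thunderbolt domain is present.
thunderbolt_security_level() {
    f="$1/bus/thunderbolt/devices/domain0/security"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Whether firmware and kernel use the IOMMU for Thunderbolt DMA protection
# (1) or rely solely on the security level above (0).
thunderbolt_dma_protection() {
    f="$1/bus/thunderbolt/devices/domain0/iommu_dma_protection"
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# Verdict on stdout; exit status 0 = PROTECTED (IOMMU in the DMA path),
# 1 = UNPROTECTED (no IOMMU at all), 2 = WEAK (IOMMU present but Thunderbolt
# devices are auto-authorised without IOMMU-based DMA protection).
dma_verdict() {
    root="$1"
    if ! iommu_groups_active "$root"; then
        echo UNPROTECTED; return 1
    fi
    level=$(thunderbolt_security_level "$root")
    prot=$(thunderbolt_dma_protection "$root")
    if [ "$level" = none ] && [ "$prot" != 1 ]; then
        echo WEAK; return 2
    fi
    echo PROTECTED; return 0
}

# Build a constructed sysfs/cmdline tree for offline testing.
# $1 root, $2 cmdline text, $3 number of IOMMU groups, $4 TB security level,
# $5 TB iommu_dma_protection value
make_tree() {
    mkdir -p "$1/kernel/iommu_groups" "$1/bus/thunderbolt/devices/domain0"
    printf '%s\n' "$2" > "$1/cmdline"
    i=0
    while [ "$i" -lt "$3" ]; do
        mkdir -p "$1/kernel/iommu_groups/$i"
        i=$((i + 1))
    done
    printf '%s\n' "$4" > "$1/bus/thunderbolt/devices/domain0/security"
    printf '%s\n' "$5" > "$1/bus/thunderbolt/devices/domain0/iommu_dma_protection"
}

# Demo on a constructed "stock distro" tree: no intel_iommu=on, no groups,
# default "user" Thunderbolt policy. Expected verdict: UNPROTECTED.
demo=$(mktemp -d)
make_tree "$demo" "BOOT_IMAGE=/vmlinuz root=/dev/sda2 quiet" 0 user 0
printf 'cmdline requests IOMMU: '
cmdline_requests_iommu "$demo/cmdline" && echo yes || echo no
printf 'verdict: '
dma_verdict "$demo" || true
rm -rf "$demo"
# On a live system: dma_verdict /sys ; cmdline_requests_iommu /proc/cmdline
```

A PROTECTED verdict only means the IOMMU sits in the DMA path for Thunderbolt devices; as the paragraph above notes, the researchers still found exploitable behaviour on systems with the IOMMU enabled, so this check identifies the hosts that are wide open rather than certifying the others as safe.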
The researchers working on the Thunderclap project include Theo Markettos, Colin Rothwell, Brett Gutstein, Allison Pearce, Peter Neumann, Simon Moore, and Robert Watson. The team has worked with vendors since 2016, with many issuing updates and fixes that address many of the vulnerabilities the researchers discovered.
In Apple's case, macOS 10.12.4 in 2016 fixed a vulnerability that allowed administrator access, but the researchers believe "the more general scope of such attacks remains relevant."
Such attacks are unlikely to affect most macOS users, as they require physical access to a Thunderbolt-equipped Mac and a malicious peripheral that does not yet exist. In short, the people most likely to be targeted are those in sensitive positions in business or government, and even then only if they are careless about physical security.
AppleInsider's general advice is to avoid connecting unknown or untrusted external devices of any kind to a computer, such as "lost" USB drives of unknown origin, and to maintain both physical and software security on managed systems.