Windows, Mac, Linux and FreeBSD systems are all affected by a new security issue that was revealed this week at the NDSS 201
The vulnerability, named Thunderclap, affects the way Thunderbolt-based peripherals are allowed to connect to and interact with these operating systems, so a malicious device can steal data directly from the operating system's memory, including highly sensitive information.
The research team behind this vulnerability says that "all Apple notebooks and laptops since 2011 are vulnerable, except for the 12-inch MacBook."
Likewise, "many laptops and some desktops designed to run Windows or Linux produced since 2016" are also affected, as long as they support Thunderbolt interfacing.
What is Thunderbolt?
Thunderbolt is the name of a hardware interface designed by Apple and Intel to allow the connection of external peripherals (keyboards, chargers, video projectors, network adapters, etc.) to a computer.
These interfaces became very popular because they combined different technologies into a single cable, such as the ability to transmit direct current (for charging), serial data (via PCI Express), and video output (via DisplayPort).
The technology was initially available only on Apple devices, but was later opened to all hardware vendors and has become ubiquitous today, especially thanks to the latest version of the standard, Thunderbolt 3.
However, according to the research group, all Thunderbolt versions are affected by Thunderclap. This means Thunderbolt 1 and 2 (the interface versions that use a Mini DisplayPort [MDP] connector) and Thunderbolt 3 (the one that works via USB-C ports).
What is Thunderclap?
Thunderclap is a collection of flaws in the way the Thunderbolt hardware interface is implemented on operating systems.
At the heart of this vulnerability, researchers say, is an OS design problem: the operating system automatically trusts every newly connected peripheral and grants it access to all of its memory, a state called direct memory access (DMA).
The Thunderclap flaws allow attackers to create malicious but fully functional peripherals that, when connected via a Thunderbolt-compatible port, perform their normal operation but also run malicious code in the background without any restrictions from the operating system.
This makes the Thunderclap attack very dangerous, as it can easily be hidden inside any peripheral.
Thunderclap vulnerabilities can even bypass an OS security feature known as the Input-Output Memory Management Unit (IOMMU), which hardware and OS makers created in the early 2000s to counter malicious external devices that abuse access to the entire OS memory (in what is called a DMA attack).
Thunderclap works against the IOMMU for one of two reasons: either the operating system leaves the feature disabled by default or, where the user has enabled it, the operating system leaves user data in the same memory location where the malicious peripheral runs its exploit code, which makes the IOMMU useless.
What is being done about it?
Researchers from the University of Cambridge, Rice University and SRI International discovered the Thunderclap issues back in 2016, and have been working with hardware and OS vendors for three years, in complete silence, to get them fixed.
Despite nearly three years of notice, OS vendors have been slow to respond, and most Thunderclap attack variations described in a research paper published today still work. Here is the current state of patches, according to the researchers:
Windows – "Microsoft has enabled IOMMU support for Thunderbolt devices in Windows 10 version 1803, which was delivered in 2018. Earlier hardware upgraded to 1803 requires a firmware update from the vendor. This brings them in line with the baseline of our work, but the more complex security issues we describe are still relevant."
macOS – "In macOS 10.12.4 and later, Apple addressed the specific network card vulnerability we used to obtain a root shell. But the overall scope of our work still applies, especially that Thunderbolt devices have access to all network traffic and sometimes keystrokes and framebuffer data."
Linux – "Recently, Intel has contributed updates to version 5.0 of the Linux kernel (shortly to be released) that activate the IOMMU for Thunderbolt and prevent the security bypass vulnerability that uses PCI Express's ATS feature."
FreeBSD – "The FreeBSD Project indicated that malicious external devices are not within their security response model. However, FreeBSD does not currently support Thunderbolt hotplugging."
As the table below shows, most Thunderclap flaws are still unpatched.
Meanwhile, users are advised to disable Thunderbolt ports via BIOS / UEFI firmware settings and to avoid connecting external devices from unsafe sources.
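A defender-side check for the Linux status described above, as an added example that is not code from the researchers or from this article: it reads the kernel's Thunderbolt sysfs attributes (`security`, `iommu_dma_protection`) and the IOMMU group directory to report whether a plugged-in device would get unrestricted DMA. The `sysfs_root` parameter and the severity labels are assumptions of this example.

```python
from pathlib import Path

NO_PCIE_LEVELS = {"dponly", "usbonly"}  # security levels that never tunnel PCIe


def _read(path):
    """Return a sysfs attribute's stripped text, or None if it is absent."""
    try:
        return path.read_text().strip()
    except OSError:
        return None


def audit_thunderbolt_dma(sysfs_root="/sys"):
    """Return (severity, message) findings about Thunderbolt DMA exposure.

    sysfs_root is an assumption of this example: it lets the check run on a
    copied or constructed tree as well as on the live /sys.
    """
    root = Path(sysfs_root)
    findings = []
    # An active IOMMU exposes numbered groups under kernel/iommu_groups.
    groups = root / "kernel" / "iommu_groups"
    if not (groups.is_dir() and any(groups.iterdir())):
        findings.append(("high", "IOMMU inactive: peripheral DMA is unrestricted"))
    domains = sorted((root / "bus" / "thunderbolt" / "devices").glob("domain*"))
    if not domains:
        findings.append(("info", "no Thunderbolt domain (absent or disabled in firmware)"))
    for dom in domains:
        # Levels: none, user, secure, dponly, usbonly. Unreadable = worst case.
        level = _read(dom / "security") or "none"
        # "1" means the kernel confines Thunderbolt DMA with the IOMMU; the
        # attribute is missing on kernels that predate it.
        protected = _read(dom / "iommu_dma_protection") == "1"
        if level in NO_PCIE_LEVELS:
            findings.append(("ok", f"{dom.name}: PCIe tunneling off ({level})"))
        elif level == "none" and not protected:
            findings.append(("high", f"{dom.name}: any plugged device gets raw DMA"))
        elif not protected:
            findings.append(("medium", f"{dom.name}: authorised devices get raw DMA"))
        elif level == "none":
            findings.append(("medium", f"{dom.name}: auto-authorised, IOMMU is the only barrier"))
        else:
            findings.append(("ok", f"{dom.name}: {level} authorisation plus IOMMU"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_thunderbolt_dma():
        print(f"[{severity}] {message}")
```

An "ok" result only reflects these settings; per the researchers' statements above, an enabled IOMMU does not by itself close the more complex issues they describe.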
Technical details of the Thunderclap flaws are available in a research paper entitled "Thunderclap: Exploring Vulnerabilities in Operating System IOMMU Protection via DMA from Untrustworthy Peripherals," available for download in PDF format from here and here, with more details here.
The research group also published the Thunderclap platform on GitHub, a collection of ready-made proof-of-concept code for building malicious Thunderclap peripherals.
Additional details are also available on a dedicated website and in this blog post.
As a final note, Thunderclap vulnerabilities can also be exploited by compromised PCI Express (PCIe) peripherals, such as plug-in cards or chips soldered to the motherboard, but these attacks require compromising the peripheral's firmware, which makes them much more difficult to pull off than just connecting a charger or video projector via a Thunderbolt interface.