Slashdot Mirror


Thunderbolt Vulnerabilities Leave Computers Wide-Open, Researchers Find (itnews.com.au)

Bismillah writes: Researchers have published the results of exploring how vulnerable Thunderbolt is to DMA attacks, and the answer is "very." Be careful what you plug into that USB-C port. Yes, the set of vulnerabilities has a name: "Thunderclap." "Thunderbolt, which is available through USB-C ports on modern laptops, provides low-level direct memory access (DMA) at much higher privilege levels than regular universal serial bus peripherals," reports ITNews, citing a paper published by a team of researchers from the University of Cambridge, Rice University and SRI International. "This opens up laptops, desktops and servers with Thunderbolt input/output ports and PCI-Express connectors to attacks using malicious DMA-enabled peripherals. The main defense against the above attacks is the input-output memory management unit (IOMMU) that allows devices to access only the memory needed for the job to be done. Enabling the IOMMU to protect against DMA attacks comes at a high performance cost however. Most operating systems trade off security for performance gains, and disable the IOMMU by default."

"Apple's macOS uses the IOMMU, but even with the hardware defense enabled, the researchers were able to use a fake network card to read data traffic that is meant to be confined to the machine and never leave it," the report adds. "The network card was also able to run arbitrary programs at system administrator level on macOS and could read display contents from other Macs and keystrokes from a USB keyboard. Apple patched the vulnerability in macOS 10.12.4 that was released in 2016, but the researchers say the more general scope of such attacks remains relevant."

90 comments

  1. Good replacement for Firewire then by omnichad · · Score: 4, Insightful

    Considering this is Apple's choice of replacement for Firewire, this is not any worse of a tradeoff. Firewire already had DMA. Between this and Spectre/Meltdown, Trusted Computing (as anything other than DRM) is becoming more and more impossible.

    1. Re:Good replacement for Firewire then by Anonymous Coward · · Score: 0

      Note also from TFA:

      Apple's macOS uses the IOMMU, but even with the hardware defence enabled, the researchers were able to use a fake network card to read data traffic that is meant to be confined to the machine and never leave it.

      The network card was also able to run arbitrary programs at system administrator level on macOS and could read display contents from other Macs and keystrokes from a USB keyboard.

      Apple patched the vulnerability in macOS 10.12.4 that was released in 2016, but the researchers say the more general scope of such attacks remains relevant.

      Reading that literally, Apple patched a vulnerability discovered in 2018/9 in 2016?! What are they trying to say here?

    2. Re: Good replacement for Firewire then by Anonymous Coward · · Score: 0

      They needed to publish something, is what

    3. Re:Good replacement for Firewire then by Dog-Cow · · Score: 1

      I think it's macOS 10.12.4 that was released in 2016.

    4. Re:Good replacement for Firewire then by Anonymous Coward · · Score: 0

      You did know that...
      - The US and Israel (Intel.com) Govts insisted and obtained TOP SECRET IMPLANTS into the respective chips and designs, PRECISELY so agents could simply PLUG IN a stick and root the box regardless of IOMMU or not.
- That the US NSA and CIA yet AGAIN won access by their PKI Certs secretly embedded and hidden in the BIOS Firmware Microcode PKI Certificate package that controls what devices are authorized to plug in and connect to the USB-C chip for data transfer at all. This is done under the LIARS guise of "licensing", "quality assurance and compatibility safety certification program" and "security", but all it really is is a giant fucking backdoor, even if you "delete" all the certs or try to install your own, theirs are STILL FUCKING THERE and in full effect.

      The ONLY way you will EVER solve these embedded special access programs and have true verifiable open security is to fund and startup your own private yet fully opensource open chip fabrication facilities, that build fully opensource chips, that run fully opensource software.

    5. Re: Good replacement for Firewire then by Anonymous Coward · · Score: 0

      Take your medicine BEFORE reading stuff and posting a response on anything on the internet. We've been over this before Tom.

      Any CPU can be deconstructed and analyzed for "implanted"/embedded devices. All it would take is one device people suspected of being "backdoored" and for people to analyze it to create proof. The agencies are spying on everyone, so there should be at least a couple hundred thousand devices in use in the wild for people to be able to find.

      So far, nobody has found anything. And there's a reason for it, they aren't there. They don't need to be there. It is easier, safer, and far more secure to do that data collection via other, non invasive means.

    6. Re:Good replacement for Firewire then by tsqr · · Score: 1

      Apple patched the vulnerability in macOS 10.12.4 that was released in 2016, but the researchers say the more general scope of such attacks remains relevant.

      Reading that literally, Apple patched a vulnerability discovered in 2018/9 in 2016?! What are they trying to say here?

      I believe they're trying to say something along the lines of, "macOS 10.12.4, that was released in 2016, has been patched by Apple." Unfortunately, they're not very good at constructing sentences.

  2. Just watch out for thunderchris! by Anonymous Coward · · Score: 0

    Just watch out for thunderchris! He is currently breaking any attention scores related to posting on Slashdot lately!

    -whipslash

  3. off by default by redback · · Score: 1

    The default configuration of Thinkpads running win10 requires you to give the device permission (admin rights required) before it will connect. You can do an always allow for devices, or turn security off in the bios.
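    The "must be approved before it connects" behaviour redback describes, and the IOMMU discussion in the summary above, correspond to the Thunderbolt security level the firmware hands to the OS (none, user, secure, dponly, usbonly or nopcie) plus a separate kernel DMA protection flag. On Linux both are visible under /sys/bus/thunderbolt/devices, as documented in the kernel's admin-guide/thunderbolt.rst. The script below is an added example, not code from the article, the Thunderclap paper, or any commenter: it audits that state, lists connected devices with their authorization status, and authorizes a pending device only when its unique_id is on an allowlist. The sysfs root is passed as an argument so the functions can be exercised against a constructed directory; the function names, the allowlist file format (one UUID per line) and the sample device names are my own assumptions, and writing to "authorized" on a real host needs root.

```shell
#!/bin/sh
# Added example (not from the article or the thread). Audits Linux
# Thunderbolt security state via sysfs (Documentation/admin-guide/thunderbolt.rst)
# and authorizes a device only if its unique_id is allowlisted.
# ROOT is normally /sys/bus/thunderbolt/devices; it is a parameter so the
# functions can be run against a constructed tree. Function names and the
# allowlist format (one UUID per line) are assumptions of this example.

# Print one sysfs attribute without its trailing newline, or "-" if absent.
tb_attr() {
    if [ -r "$1" ]; then tr -d '\n' < "$1"; else printf -- '-'; fi
}

# Domain security level: none, user, secure, dponly, usbonly or nopcie.
# "none" means every device is authorized (PCIe tunnel created) on plug-in.
tb_security_level() {
    tb_attr "$1/domain0/security"
}

# "1" when the kernel reports DMA protection (IOMMU on and the firmware
# DMAR/IVRS opt-in set), so the IOMMU window applies to hot-plugged PCIe.
tb_dma_protection() {
    tb_attr "$1/domain0/iommu_dma_protection"
}

# Devices are switch directories named <domain>-<route>; <domain>-0 is the
# host router, "x-y:a.b" are retimers and "x-y.n" are XDomain services.
# Output, tab separated: name authorized unique_id vendor device
tb_list_devices() {
    root="$1"
    for d in "$root"/*-*; do
        [ -d "$d" ] || continue
        case "${d##*/}" in *-0|*:*|*.*) continue ;; esac
        [ -r "$d/authorized" ] && [ -r "$d/unique_id" ] || continue
        printf '%s\t%s\t%s\t%s\t%s\n' "${d##*/}" "$(tb_attr "$d/authorized")" \
            "$(tb_attr "$d/unique_id")" "$(tb_attr "$d/vendor_name")" \
            "$(tb_attr "$d/device_name")"
    done
}

# Names of connected devices that have not been authorized (authorized == 0).
tb_pending() {
    tb_list_devices "$1" | awk -F'\t' '$2 == "0" { print $1 }'
}

# Authorize DEV (e.g. 0-1) only if its unique_id is listed in ALLOWLIST.
# Exit status: 0 authorized now, 1 not allowlisted, 2 already authorized,
# 3 no such device. Writing 1 creates the PCIe tunnel; the "secure" level
# additionally uses the key attribute and value 2, which is not shown here.
tb_authorize_if_allowed() {
    root="$1"; dev="$2"; allow="$3"
    [ -r "$root/$dev/authorized" ] || return 3
    [ "$(tb_attr "$root/$dev/authorized")" = "0" ] || return 2
    grep -qxF "$(tb_attr "$root/$dev/unique_id")" "$allow" || return 1
    printf '1' > "$root/$dev/authorized"
}

# One-line verdict: does an unknown device get a PCIe/DMA path on plug-in
# without anyone being asked?
tb_verdict() {
    root="$1"
    lvl=$(tb_security_level "$root"); dma=$(tb_dma_protection "$root")
    case "$lvl" in
        user|secure)           v="approval-required" ;;
        nopcie|usbonly|dponly) v="no-pcie-tunnels" ;;
        none)                  v="OPEN: any device gets a PCIe tunnel on plug-in" ;;
        *)                     v="unknown (no Thunderbolt domain?)" ;;
    esac
    [ "$dma" = "1" ] || v="$v; kernel DMA protection not reported"
    printf '%s\n' "$v"
}

# Stand-alone use against the live sysfs (read-only): ./tb_audit.sh --live
if [ "${1:-}" = "--live" ]; then
    tb_verdict /sys/bus/thunderbolt/devices
    tb_list_devices /sys/bus/thunderbolt/devices
fi
```

    Run it with --live to see whether your own machine reports "user"/"secure" (a prompt or allowlist decision is required, which is what bolt/boltctl and the GNOME panel automate) or "none" (the state the summary warns about). A "user" level without kernel DMA protection means an approved device still gets unrestricted DMA until the OS driver programs the IOMMU, so the allowlist decision is the only gate.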

  4. Great example on why not to buy proprietary crap by Anonymous Coward · · Score: 0

    It's not the devices that are the problem here, but the shitty proprietary software that runs on them. I avoid hardware where the source code's not available. It's not exactly possible 100% of the time, but there are clearly devices that are better than others. Some printers don't depend on proprietary firmware to be loaded for instance and the sources for the drivers (at least on GNU/Linux systems) are released. There are wifi adapters with a complete set of source code both running on them and to connect (ie the driver, again, at least on GNU/Linux). A lot of this is true for a great deal of devices. While I'm hardly saying this is a perfect solution, it's far more of a concern if the software you otherwise run on the system is also mostly free software. And it's not even really that hard to find. Just about everything you can imagine is reasonably readily available from companies like ThinkPenguin. Something like 70% of the catalog is even up for RYF certification and everything else is probably as close to free as is possible within a given context (ie printers not being dependent on OS-loaded blobs or proprietary drivers for instance, even if there is still proprietary firmware on the printers themselves).

  5. Re:Comfortable with that tradeoff by Anonymous Coward · · Score: 0

    You should be cautious what you place in your anus port. You could be pooped.

  6. I think I've got it by mattyj · · Score: 3, Funny

    So if I leave my laptop out when I go to the bathroom at Starbucks and nobody steals it, and I come back and there's some weird thing hanging off a Thunderbolt port, I guess I unplug it? Sage advice, this.

    1. Re:I think I've got it by Jeremi · · Score: 4, Funny

      So if I leave my laptop out when I go to the bathroom at Starbucks and nobody steals it, and I come back and there's some weird thing hanging off a Thunderbolt port, I guess I unplug it?

      By the time you're back from the bathroom, the weird Thunderbolt thing has already copied out your private information and been removed again. Its owner is now in line to buy a Frappuccino, to be paid for from your bank account :)

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    2. Re:I think I've got it by Anonymous Coward · · Score: 0

      Exactly this.

    3. Re:I think I've got it by coofercat · · Score: 2

      I was in a coffee shop (not starbucks though, because they don't sell coffee) a couple of weeks back and a lady asked if I could watch her stuff while she went to the toilet. I suggested that she lock the screen before she went.

      Granted, I'm trustworthy, and I live in a generally low crime sort of area, so the risk is pretty low. However, if you can't even get people to lock the screen, then stuff like this is just lightyears away.

    4. Re: I think I've got it by Anonymous Coward · · Score: 0

      This is a pet peeve of mine. Not only does this put a big responsibility on my shoulders, but what makes a stranger think I am any more trustworthy than say the gangster hanging out on the corner?

      That's why I tell them "Take that with you, I can't be responsible for your stuff."

      Some people are so brain dead , ot's not funny.

    5. Re: I think I've got it by Anonymous Coward · · Score: 0

      Some people are so brain dead , ot's (sic) not funny.

      And others are selfish assholes, like you...

  7. What happens on your mac by Anonymous Coward · · Score: 0

    doesn't necessarily stay on your mac.

    Good one apple.

  8. Re:Comfortable with that tradeoff by Anonymous Coward · · Score: 0

    I've said it before in the story on potential USB attack vectors, but I am OK with a very highly performing bus being more susceptible to attacks like these so long as it was Apple pioneering it.

    FTFY

  9. A direct path in? by AHuxley · · Score: 2

    Fast path into a computer to get data in and out.
    Who would have thought?
    Would more security have slowed the data rate down?

    --
    Domestic spying is now "Benign Information Gathering"
  10. Right idea, wrong conclusion by SuperKendall · · Score: 1

    It's not the devices that are the problem here, but the shitty proprietary software that runs on them.

    You have that exactly backwards.

    With this level of direct system access, even the most bullet proof of open source code is not going to ever fully protect you.

    But you are right to say "don't buy proprietary CRAP", emphasis on crap - as in, do not buy cheap devices to plug into your expensive hardware. That is a perfect philosophy for all things electronic - don't buy the cheapest chargers, cables, USB hubs, drives, SD cards and so on, and you can avoid a lot of potential grief. Save up a little and buy something quality - or as quality as external computer devices can get anyway.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Right idea, wrong conclusion by Aighearach · · Score: 2

      Probably over 85% of devices are the cheapest device, but in a nicer case. If you don't know enough to choose the good parts, you're screwed; paying more doesn't help, that's just nonsense. Often the peak of quality is on a mid-range item.

    2. Re:Right idea, wrong conclusion by bill_mcgonigle · · Score: 1

      buy something quality

      It was people who bought Cisco routers who got NSA implants, not people buying Netgear.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  11. Non-Issue with latest software by nateman1352 · · Score: 4, Informative

    For this reason, Windows now has IOMMU virtualization enabled to prevent DMA attacks (starting with Windows 10 RS4/1803/April 2018 Update): https://twitter.com/AmarSaar/status/985618204184768513 In conjunction, tianocore also has IOMMU based DMA protection for 2 years now: https://github.com/tianocore/edk2/tree/master/IntelSiliconPkg/Feature/VTd. So even if the OS isn't up yet DMA attacks are still locked out. Assuming you are running a recent OS and firmware, this is now a non-issue.

    1. Re:Non-Issue with latest software by WaffleMonster · · Score: 1

      For this reason, Windows now has IOMMU virtualization enabled to prevent DMA attacks (starting with Windows 10 RS4/1803/April 2018 Update): https://twitter.com/AmarSaar/s... In conjunction, tianocore also has IOMMU based DMA protection for 2 years now: https://github.com/tianocore/e.... So even if the OS isn't up yet DMA attacks are still locked out. Assuming you are running a recent OS and firmware, this is now a non-issue.

      The problem myself and others face with allowing VTd virtualization is that for some this will be the only lever available for stopping Intel AMT from being accessed externally.

      When enabled and your computer is off it's still listening on TCP ports. When stealth mode firewall is on with all incoming ports blocked the port is still open. Virtualization is the only thing that physically allows the network hardware (wired and wireless) to be shared concurrently with both the host and management engine.

    2. Re:Non-Issue with latest software by nateman1352 · · Score: 2

      AMT doesn't need VTd turned on to access the network, so keeping VTd off for that reason does absolutely nothing. AMT has its own dedicated side band access to the network hardware. AMT only works with Intel networking gear (NIC/Wi-Fi) so the AMT firmware has all the drivers for the NIC built in. Actually, VTd HELPS mitigate AMT concerns because with it turned on AMT is unable to execute arbitrary DMA reads/writes to system RAM, VTd limits AMT's DMA to only the ranges of RAM that the OS allows.

      By the way... there is a much better way to "stop Intel AMT"... just don't buy a system that is "VPro" branded. If the system doesn't have VPro then AMT isn't even present... it gets permanently fused off at the Intel factory. Intel has a special sticker for VPro, so labeling of systems is very clear: https://www.laptopmag.com/articles/intel-vpro-faq

    3. Re:Non-Issue with latest software by mathew7 · · Score: 1

      Actually, VTd HELPS mitigate AMT concerns because with it turned on AMT is unable to execute arbitrary DMA reads/writes to system RAM, VTd limits AMT's DMA to only the ranges of RAM that the OS allows.

      I doubt IOMMU can stop AMT. I'm pretty sure they tap directly to the memory controller, bypassing IOMMU. After all, isn't the ME (backend for AMT) scandal related to inability to block it with the OS?

    4. Re:Non-Issue with latest software by Anonymous Coward · · Score: 0

      The linked article doesn't touch on it at all, since it's mostly crap and written by someone trying to get clicks rather than get information out.... but... this attack bypasses IOMMU. Although, bypasses is a strong word. In the cases where IOMMU is enabled, researchers found that the OSes allowed the peripheral code to run right next to user data, and the malicious device could easily steal the data without having to bother to bypass IOMMU.

    5. Re:Non-Issue with latest software by WaffleMonster · · Score: 1

      AMT doesn't need VTd turned on to access the network, so keeping VTd off for that reason does absolutely nothing. AMT has its own dedicated side band access to the network hardware.

      This simply isn't true. Without VTd the NICs can't be used by both AMT and the host system concurrently. My commentary was based on first hand real world observation of what actually occurs:

      When VTd is enabled there is an active IP stack responding to pings and incoming TCP requests when the computer is turned completely off.

      When VTd is enabled and all ports are firewalled in the operating system you can still establish incoming TCP connections to ports that not only bypass the firewall but are completely unknown to the host operating system.

      When VTd is disabled both of these things cease.

      Actually, VTd HELPS mitigate AMT concerns because with it turned on AMT is unable to execute arbitrary DMA reads/writes to system RAM, VTd limits AMT's DMA to only the ranges of RAM that the OS allows.

      The opposite is true.

      I don't care about conspiracy theories involving AMT doing shady shit all by itself. I care about AMT being remotely commanded by someone exploiting a vuln or who is able to obtain a properly signed cert and has the ability to broadcast DHCP. You can't send commands to things that are unable to receive them.

      By the way... there is a much better way to "stop Intel AMT"... just don't buy a system that is "VPro" branded. If the system doesn't have VPro then AMT isn't even present... it gets permanently fused off at the Intel factory. Intel has a special sticker for VPro, so labeling of systems is very clear:

      Certainly good advice yet generally useless as it applies only when buying new systems. Keeping VTd disabled where AMT is unable to be "disabled" is applicable to a much wider audience.

  12. Re:Comfortable with that tradeoff by omnichad · · Score: 1

    USB-C hubs don't pass Thunderbolt signalling. So a cheap USB-C hub would actually protect you from a Thunderbolt device disguised as USB-C.

  13. "Protect" you by SuperKendall · · Score: 2

    USB-C hubs don't pass Thunderbolt signalling. So a cheap USB-C hub would actually protect you from a Thunderbolt device disguised as USB-C.

    You are assuming the hub itself is not really thunderbolt in disguise meant to spy on you - obviously it's not going to pass thunderbolt stuff around, with its primary mission accomplished. That is primarily what I was warning about.

    How would anyone know? It's all the same connector (or it can be anyway), and some hubs come with bundled unpluggable cables to attach to your computer.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:"Protect" you by omnichad · · Score: 1

      They said cheap. Currently, I don't think you'd find a cheap Thunderbolt anything.

    2. Re:"Protect" you by Anonymous Coward · · Score: 0

      So ANOTHER reason not to buy a computer with a USB-C/Thunderbolt port then!

    3. Re:"Protect" you by Anonymous Coward · · Score: 0

      Cheap USB-C hubs aren't even using USB 3.0.

      It's probably fine even, just use USB-A for your USB 3.0 needs and USB-C for USB 2.0 (which is what most smartphones are doing) that way you won't be burned out by "wrong" USB-C cables!

  14. You know what they say... by Hallux-F-Sinister · · Score: 5, Funny

    If you are close enough to hear the Thunderbolt Port, then you are close enough to get struck by a lightning cable.

    --
    Our reign has gone on long enough. Indeed. Summon the meteors.
  15. does this also happen with lightning cables. by Anonymous Coward · · Score: 1

    Thunderbolt and lightning,
    Very, very frightening me.

    1. Re:does this also happen with lightning cables. by Anonymous Coward · · Score: 0

      Thunderbolt and lightning,
      Very, very frightening me.

      Galileo!

  16. "uses" the IOMMU by drinkypoo · · Score: 1

    "Apple's macOS uses the IOMMU, but even with the hardware defense enabled, the researchers were able to use a fake network card to read data traffic that is meant to be confined to the machine and never leave it,"

    Clearly they're either not using the IOMMU very well, their network stack is garbage, or both. So uh... which is it?

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:"uses" the IOMMU by UnknowingFool · · Score: 2

      The last line says: "Apple patched the vulnerability in macOS 10.12.4 that was released in 2016, but the researchers say the more general scope of such attacks remains relevant." So they are complaining about a bug that was patched more than 2 years ago

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
  17. Vulnerability doesn't exist on Macs since 2016 by Anonymous Coward · · Score: 1

    nt

  18. Sigh by SuperKendall · · Score: 1

    They said cheap. Currently, I don't think you'd find a cheap Thunderbolt anything.

    Do I seriously have to spell this out on Slashdot of all places? The whole POINT would be that people thought they were buying a non-thunderbolt device, it might actually cost $1 million to make or whatever by secretly including Thunderbolt and advanced spying hardware and cellular hardware (to transmit what it found), but you don't care because what you are seeking to obtain is more valuable.

    Since I'm having to lay out every minute detail of such a potential plot, imagine an Amazon seller of USB-C hubs where most of them are indeed just cheap $10 hubs. But if any address you are to ship to matches a database Russia or China has provided you, the "special" model is shipped...

    Starting to get the picture here? Don't buy cheap hardware, at least not if you care about your data security (or maybe even don't want your devices fried by bad power regulation which is less espionage than simple cheap hardware).

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Sigh by omnichad · · Score: 2

      But if any address you are to ship to matches a database Russia or China has provided you, the "special" model is shipped...

      So now Amazon is a Russian operative?

  19. Slowed it and used a lot more CPU. *IS* the comput by raymorris · · Score: 2

    Yes, "more security" would have slowed the data rate. Probably more noticeable would have been that data transfers would use a LOT more CPU.

    These ports are like PCIe - you're adding new parts to your computer, plugging them into the motherboard. You probably shouldn't be trying to protect your computer from a malicious CPU, or RAM that is spying on you - these parts ARE your computer. So is your hard drive - whether you connect it via SATA, PCIe, Lightning, or mSATA. You aren't going to protect your computer against a malicious hard drive or graphics card, and the Lightning port is a port for hard drives and graphics.

    If you want to connect to something while keeping it separate, having it not be part of your system, you can use the network port for that. That's the port for connecting to other things, untrusted things.

    We COULD go back to the days of having separate, different types of ports for a keyboard, a printer, a display, etc. Then you'd know that what looks like a display can only act as a display, because it's connected to the VGA port, not the keyboard port.

  20. Which replaces PCI. Network card for untrusted by raymorris · · Score: 5, Insightful

    That's true. These ports are like PCIe - you're adding new parts to your computer, plugging them into the motherboard. You probably shouldn't be trying to protect your computer from a malicious CPU, or RAM that is spying on you - these parts ARE your computer. So is your hard drive - whether you connect it via SATA, PCIe, Lightning, or mSATA. You aren't going to protect your computer against a malicious hard drive or graphics card, and the Lightning port is a port for hard drives and graphics.

    If you want to connect to something while keeping it separate, having it not be part of your system, you can use the network port for that. That's the port for connecting to other things, untrusted things.

    We COULD go back to the days of having separate, different types of ports for a keyboard, a printer, a display, etc. Then you'd know that what looks like a display can only act as a display, because it's connected to the VGA port, not the keyboard port.

    1. Re:Which replaces PCI. Network card for untrusted by Anonymous Coward · · Score: 4, Insightful

      The problem isn't when I plug something into my machine, but when some passerby or government agency plugs something into my machine. The whole issue is that this port is like a hooker on the corner on a Saturday night. Something plugged into a port on a computer should get access to exactly what I let it have access to with my root account, not automatically have access to everything stored in memory or transferred between memory, HDD or other parts of that same computer. Unless of course, the root account has allowed such access.

    2. Re:Which replaces PCI. Network card for untrusted by AmiMoJo · · Score: 2

      No, the problem is plug-and-play. If the OS didn't install a driver and immediately allow the device to operate as soon as it was plugged in, we wouldn't have this problem. Same with USB but to a less severe extent.

      You can actually do that on Windows. I don't know about MacOS.

      https://docs.microsoft.com/en-...

      Another thing that really helps is encrypted RAM. It makes DMA attacks far less effective.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Which replaces PCI. Network card for untrusted by Anonymous Coward · · Score: 0

      With both FireWire and Thunderbolt there is no driver needed for the attacks.

      These ports both are an extension of PCI/PCIe and as such allow direct memory access (DMA) by the device; it can simply say "read a block of data from physical memory address ...", or write, or even lock the memory bus temporarily for use with synchronization primitives.

      You actually need a device driver for the higher quality Firewire/Thunderbolt devices, which have an IOMMU. These IOMMUs, like the MMU in the CPU, map physical to virtual addresses, which means devices on the Firewire/Thunderbolt bus see virtual memory that they can't escape.

    4. Re:Which replaces PCI. Network card for untrusted by AmiMoJo · · Score: 3, Informative

      When connected the Thunderbolt device needs to negotiate the link and request resources. By default it can't just DMA the entire memory space. The host has to read configuration parameters and configure the IOMMU to allow it.

      Part of the problem is that the OS does a lot of that automatically, even if there is no driver available. For example when you connect a USB device the OS reads descriptors (metadata) from it, which means that there is a potential attack on the parser for that data. Thunderbolt is no different.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:Which replaces PCI. Network card for untrusted by thegarbz · · Score: 1

      No, the problem is plug-and-play. If the OS didn't install a driver and immediately allow the device to operate as soon as it was plugged in, we wouldn't have this problem.

      Not true. There's a myriad of devices in your computer attached to various devices that are completely OS independent and create a security risk. Do you have a driver for your RAM stick?

    6. Re:Which replaces PCI. Network card for untrusted by epine · · Score: 1

      You aren't going to protect your computer against a malicious hard drive or graphics card, and the Lightning port is a port for hard drives and graphics.

      Jane Random servicewoman who comes into your house would have trouble opening your case, installing a device, and rebooting your computer all in the time it takes you to hit the head to squeeze a drop.

      An actual case might even be locked and alarmed, too.

      Personally, if I was wearing a protective cup, I'd hang my balls on the inside. But perhaps that's just me.

    7. Re:Which replaces PCI. Network card for untrusted by AC-x · · Score: 1

      We COULD go back to the days of having separate, different types of ports for a keyboard, a printer, a display, etc. Then you'd know that what looks like a display can only act as a display, display, because it's connected to the VGA port, not the keyboard port.

      Or we could just have our OS tell us what the device is presenting as and prompt to enable DMA, obviously actual malicious peripherals would still be a vector but it somewhat blocks evil maid attacks (if you locked your computer) and hacked USB thumb drives.

    8. Re:Which replaces PCI. Network card for untrusted by Anonymous Coward · · Score: 0

      This doesn't work. You've created a distinction inside your head that no one else shares.

      What have we done, meaning the world of IT collectively, to make this distinction? Do we put labels on unsecure ports to identify them? Do we put labels on secure ports? Condoms? Banana peels? Anything??

      No. Nor do we train people to make any distinction between "secure" and "unsecure" ports. At most, we train people not to plug in unknown USB sticks, and we already know that something like 50% of people do that anyway.

      Also, I'd like to ask if mice are secure devices. And keyboards. And monitors and speakers and headphones and USB fans and UPSes. And everything else we plug into our computers. And for a little retro nostalgia, DVDs, not a "plug-in" device properly speaking, but still something from outside introduced into our allegedly secure computers.

      Does everything have to be trusted? Is nothing trusted?

    9. Re:Which replaces PCI. Network card for untrusted by thegarbz · · Score: 1

      The problem isn't when I plug something into my machine, but when some passerby or government agency plugs something into my machine.

      If this is a concern for you then install system services that disable port access. There are plenty out there, even my motherboard came with one.

      The whole issue is that this port is like a hooker on the corner on a Saturday night.

      Yes but the risk of a hooker doesn't mean we should give up on awesome sex. If you want physical security, use physical security.

    10. Re:Which replaces PCI. Network card for untrusted by Anonymous Coward · · Score: 0

      The problem isn't Plug and Play, you need to alter your thinking.

      How do I know this? Imagine an OS without Plug and Play. Does this correct the security exposure? Nope!

      The user needs an absolute No/No Go indicator, and simply telling them never to plug anything in to their computer doesn't cut it. That just drives users into one of two bad outcomes:

      1). The user thinks of themselves as helpless idiots with no agency. Now they take no responsibility for anything and productivity goes in the tank, or;

      2). The user begins circumventing the rules and subverting security instructions.

      No, what users need is a clear indication that this specific device is unsafe, or alternately that it is safe. That gives them a concrete basis to either:

      1). Stop what they are doing, discard the device/media and maybe call IT security, or;

      2). Continue installing the device/media, regardless of any existing Plug and Play support.

  21. don't stick your penis in the USB port by Anonymous Coward · · Score: 0

    or you will get thunderclap.

  22. whoa guys by Anonymous Coward · · Score: 0

    Omg guyyys I invented this super clever new connector and wrote my own drivers from scratch, everyone should use it exclusively and get rid of USB which is BOORINNNG and OOOLD. No, don't worry, nobody writes viruses for it, it's too exclusive. Also, the cable is just copper wire but costs $50 for some reason.

  23. Why does Thunderbolt exist? by MSTCrow5429 · · Score: 1

    Not using Mac, I might be missing something, but why would someone use Thunderbolt instead of USB 3.x?

    --
    Slashdot: Playing Favorites Since 1997
    1. Re:Why does Thunderbolt exist? by Anonymous Coward · · Score: 0

      Bandwidth. The new mac mini claims to have 40 Gbps on thunderbolt and only 10 Gbps when using USB 3.1. This will make a difference if you use something like an external GPU or high end SSD.

    2. Re:Why does Thunderbolt exist? by Anonymous Coward · · Score: 0

      If you are a video guy, Thunderbolt gets you very high bandwidth. If you are an audio guy, Thunderbolt gets you very low latency and/or many audio channels. Any high end audio or video applications that traditionally required a PCIe card can now be done over a Thunderbolt cable.

    3. Re:Why does Thunderbolt exist? by Anonymous Coward · · Score: 0

      You don't. You use it instead of Firewire.

      And for the same reasons you'd have used Firewire instead of USB 2 even though USB 2 "supported" 480mbps vs Firewire's 400mbps.

    4. Re:Why does Thunderbolt exist? by Megol · · Score: 1

      It's PCIe plus USB plus video via one cable. Plug in a Thunderbolt to PCIe adapter into your laptop and insert whatever card you want into that adapter.
      Plus it's much faster and lower latency than USB.

    5. Re:Why does Thunderbolt exist? by Anonymous Coward · · Score: 0

      The single biggest use for it is the Apple Gb NIC for Mac Book Pro. Especially the ones just before USB-C Mac Book Pro, as it's a Thunderbolt 2 device and you need a Thunderbolt 3 to Thunderbolt 2 adapter to use it afterwards. It's only $29.99 so it shows a Thunderbolt peripheral can be theoretically affordable, but it must have been produced in huge numbers and Apple sets the price it wants to set.
      I think they may have priced it at $89 if they wanted, but people would have bought no-brand USB 2.0 10/100 adapters instead and there would have been some minor bad press for Apple.

    6. Re:Why does Thunderbolt exist? by Junta · · Score: 1

      Note that thunderbolt is a common feature of non-Apple PCs as well.

      One facet is that it supports 4x PCIe, so it can provide a much better performing connection than usb-c by itself.

      --
      XML is like violence. If it doesn't solve the problem, use more.
  24. An *unchecked* direct path in by Anonymous Coward · · Score: 1

    Yes, "more security" would have slowed the data rate. Probably more noticeable would have been that data transfers would use a LOT more CPU.

    Actually, no. You don't strictly need to abandon DMA (for PIO) to fix this.

    The thing is that these DMA transfers give full access to the computer's memory to whatever is on the other side of that cable. This is not strictly necessary. Add a (hardware) fence, so set aside a range where DMA can happen and keep everything else out of it, and you can have both "more security" and all that juicy speed.

    Same with firewire. The solution then was the same, too. If the controller can't do it on its own (firewire could) you can do it with IOMMU, either way will work.

  25. You forgot dopant-level hardware trojans by Anonymous Coward · · Score: 0

    Yep, that's a thing now too.

    But I guess in practice, much simpler solutions than all of this will suffice.
    I mean a bit of social engineering and a usb stick with an executable on it while the owner was made to leave the room usually cover it.

  26. Re:Slowed it and used a lot more CPU. *IS* the com by grep+-v+'.*'+* · · Score: 1

    Ummm, WHAAAT?!? Deja vu? Did anyone else notice that same black cat walking past the doorway?

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  27. I agree, but ... OpenSSL ... underhanded C by Anonymous Coward · · Score: 0

    I agree that ONLY open source can ever even attempt to qualify for trustworthiness

    But it is not a silver bullet.
    Open does not mean read.
    Read does not mean understood.
    Understood does not mean not misunderstood.

    If OpenSSL having been undermined for years previously, and the existence of such a thing as the underhanded C contest has taught us anything, then that.

  28. Re:YOU'RE A FUCKING MORON KENDALL by Anonymous Coward · · Score: 0

    YOU KNOW JACK ABOUT SECURITY.

    WOW... He knows "Jack About Security"? Niiiice.. that's like... one of the best security firms ever...

    what if a USB hub was used alongside USB to USB-C adapters? A regular ol' USB hub should not be able to pass Thunderbolt signalling right?

  29. Re:Slowed it and used a lot more CPU. *IS* the com by Anonymous Coward · · Score: 0

    We COULD go back to the days of having separate, different types of ports for a keyboard, a printer, a display, etc. Then you'd know that what looks like a display can only act as a display, because it's connected to the VGA port, not the keyboard port.

    Sigh. The VGA has two-way communication, so the screen can inform that it is "1920x1080 120dpi 60Hz." From this, an evil screen can launch a buffer overflow against the graphics card - and the graphics card is well enough connected to take over the machine. The card sits on the pcie bus and can load "textures", which may include the memory containing your credentials.

    Printers are also two-way devices, with all sorts of hacking options.

    And if you leave a machine with an exposed keyboard port: My "attack keyboard" can brute-force passwords, or type in the URL to an exploit site, or type in the exploit software itself, or type any reset code and then flash a very alternative bios. So it doesn't matter that older USB cannot address the memory buses directly. Anything doable by controlling the keyboard is doable through USB. Passwords? A smart attack keyboard waits till the password is entered, and attacks after the machine is unlocked.

    Also, an exploit-device may use several plugs. I.e. the keyboard initiates a reboot, and selects boot from external disk. And of course the device is also an external disk. USB makes it easier, as a single device can be both keyboard, mouse, bootable disk and network adapter. But if we didn't have this level of flexibility, the exploit device would simply come with several plugs. Put them all in, and press the takeover button . . .

  30. Use boltd by zdzichu · · Score: 4, Interesting

    On Linux we have a solution – using Thunderbolt security levels to authorize external devices:
    https://christian.kellner.me/2...

    This goes as far as blocking new devices connected while the screen is locked, so no one will connect a spy device and exfiltrate your data while you are away from your computer.

    --
    :wq
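The authorization mechanism the comment above refers to is visible from the shell without boltd: the kernel exposes each Thunderbolt host controller's security level and each attached device's authorization state under sysfs. The script below is an added example, not code from this thread, from boltd or from the Thunderclap paper; it audits that tree and reports whether anything plugged in is still being withheld PCIe (and therefore DMA). `SYSFS_ROOT`, the function names and the `make_fixture` helper are this example's own; the fixture is a constructed stand-in for a machine with no Thunderbolt hardware.

```shell
#!/bin/sh
# Added example (not from the thread, boltd or the paper). It reads the Linux
# Thunderbolt sysfs interface that the kernel exposes and boltd manages:
#   /sys/bus/thunderbolt/devices/domainN/security   -> none|user|secure|dponly|usbonly|nopcie
#   /sys/bus/thunderbolt/devices/<route>/authorized -> 0 blocked, 1 authorized, 2 authorized with key
# With 'none' every device gets PCIe (and so DMA) the moment it is plugged in;
# with 'user'/'secure' a device stays at authorized=0 until something approves it.
# SYSFS_ROOT is an assumed variable so the functions can be pointed at a
# constructed fixture on a machine without Thunderbolt hardware.

SYSFS_ROOT="${SYSFS_ROOT:-/sys/bus/thunderbolt/devices}"

# One "domainN <level>" line per host controller.
tb_security_levels() {
    for dom in "$SYSFS_ROOT"/domain*; do
        [ -r "$dom/security" ] || continue
        printf '%s %s\n' "$(basename "$dom")" "$(cat "$dom/security")"
    done
}

# Devices that are connected but not allowed to talk PCIe (authorized=0),
# printed as "<route> <vendor> <device>" so an operator can decide about them.
tb_unauthorized_devices() {
    for dev in "$SYSFS_ROOT"/*-*; do
        [ -r "$dev/authorized" ] || continue
        if [ "$(cat "$dev/authorized")" = "0" ]; then
            printf '%s %s %s\n' "$(basename "$dev")" \
                "$(cat "$dev/vendor_name" 2>/dev/null || echo '?')" \
                "$(cat "$dev/device_name" 2>/dev/null || echo '?')"
        fi
    done
}

# Succeeds only if at least one domain was found and none of them is 'none',
# i.e. unauthorized devices cannot DMA.
tb_policy_is_safe() {
    levels=$(tb_security_levels)
    [ -n "$levels" ] || return 1          # no controller seen: cannot claim safety
    printf '%s\n' "$levels" | while read -r _dom level; do
        case "$level" in
            user|secure|dponly|usbonly|nopcie) ;;
            *) exit 1 ;;                  # 'none' or unexpected: unsafe
        esac
    done
}

# Constructed fixture mimicking the sysfs layout: one host in 'user' mode,
# one blocked dock and one already-authorized SSD. Prints the fixture path.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/domain0" "$root/0-1" "$root/0-3"
    echo user > "$root/domain0/security"
    echo 0 > "$root/0-1/authorized"
    echo ExampleCorp > "$root/0-1/vendor_name"
    echo "Constructed Dock" > "$root/0-1/device_name"
    echo 1 > "$root/0-3/authorized"
    echo ExampleCorp > "$root/0-3/vendor_name"
    echo "Constructed SSD" > "$root/0-3/device_name"
    printf '%s\n' "$root"
}

# Stand-alone run: use the real sysfs tree if present, otherwise the fixture.
fixture=""
if [ -z "$(ls "$SYSFS_ROOT" 2>/dev/null)" ]; then
    echo "no Thunderbolt sysfs entries found; auditing a constructed fixture"
    fixture=$(make_fixture)
    SYSFS_ROOT=$fixture
fi
echo "security levels:"; tb_security_levels
echo "unauthorized devices:"; tb_unauthorized_devices
if tb_policy_is_safe; then
    echo "policy: PCIe/DMA withheld from unauthorized devices"
else
    echo "policy: none, anything plugged in gets DMA immediately"
fi
if [ -n "$fixture" ]; then rm -rf "$fixture"; fi
```

On a real host, run it as root or with read access to sysfs; a non-empty "unauthorized devices" list with a `user` or `secure` policy is the expected, healthy state for a device you have not yet approved, and a `none` level is the setting to change.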
    1. Re:Use boltd by Anonymous Coward · · Score: 0

      On windows it is the same thing. I use intel software with my TB dock and it is set up not to authorize any devices that are plugged into the TB by default. So nothing you plug in would work unless explicitly authorized. I think this whole article is just clickbait.

  31. Re:Slowed it and used a lot more CPU. *IS* the com by AmiMoJo · · Score: 1

    That isn't really the case for any modern systems which use an IOMMU. By default the new device is firewalled off completely, and normally won't be given complete access to the entirety of RAM or anything like that.

    The problem is that if you connect something like a GPU the OS helpfully auto-configures it and mirrors the screen onto it, including copying all the hidden bitmaps composited behind the lock screen into its RAM. It automatically mounts the Thunderbolt hard drive and starts reading and parsing the filesystem. Perhaps the attacker knows of an exploit in the Intel NIC driver, so pretends to be an Intel NIC and the OS helpfully loads that driver up, ready for some code injection.

    All it really needs for mitigation is to block the initial configuration of new devices when the computer is locked and before login.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  32. Nothing new by thegarbz · · Score: 1

    Firewire, Express Card, Thunderbolt is just the latest iteration of high speed buses that create security problems.

    Fortunately it's one I can protect myself against. A thunderbolt device won't randomly download itself into my port while I'm browsing porn.

    1. Re:Nothing new by Anonymous Coward · · Score: 0

      Firewire, Express Card, Thunderbolt is just the latest iteration of high speed buses that create security problems.

      They don't create any security problems that aren't present in your system anyway.

      These ports are like PCIe - you're adding new parts to your computer, plugging them into the motherboard. You probably shouldn't be trying to protect your computer from a malicious CPU, or RAM that is spying on you - these parts ARE your computer. So is your hard drive - whether you connect it via SATA, PCIe, Lightning, or mSATA. You aren't going to protect your computer against a malicious hard drive or graphics card, and the Lightning port is a port for hard drives and graphics.

      If you want to connect to something while keeping it separate, having it not be part of your system, you can use the network port for that. That's the port for connecting to other things, untrusted things.

  33. Performance by Bengie · · Score: 1

    https://www.kernel.org/doc/ols...

    Looks like IOMMU is roughly a 15% cpu overhead because of memory virtualization overhead causing increased cache invalidation. But can be up to 60% overhead for events 256 bytes and smaller. This might apply for keyboard key presses where the data structure for the event is larger than the data to indicate which key was pressed, or a UDP flood on a network interface. Most other hardware devices are going to be dealing in 512-byte+ chunks of data at a time. ~15% cpu cost should be the most common.

    15% additional CPU cost on IO seems cheap to me. Most of my IO requires virtually no CPU because of offloading and DMA access. To give an example: transferring 940 Mb/s (114 MiB/s) over Ethernet copying a file from one Windows machine to another over SMB results in about 0.5% cpu usage on my quad core. A 15% increase would push it to 0.575%.
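
Whether that 15% is being paid at all is something to verify rather than assume, since the summary notes most operating systems ship with the IOMMU off. The script below is an added example, not code from this thread or from the linked OLS paper: on Linux it reads the kernel command line and counts `/sys/kernel/iommu_groups` entries to tell an inactive IOMMU from an active one, and flags `iommu=pt`, which keeps the IOMMU up but identity-maps host-owned devices, so it recovers most of the speed while giving up the DMA fence. The option names are upstream kernel parameters; treating passthrough as unprotected is this script's own policy, and the function names are its own.

```shell
#!/bin/sh
# Added example (not from the thread or the linked paper). It checks whether a
# Linux host actually has IOMMU translation active, using two signals:
#   /proc/cmdline            explicit intel_iommu=/amd_iommu=/iommu= options
#   /sys/kernel/iommu_groups one subdirectory per group when the IOMMU is up
# The option names are upstream kernel parameters; the rule that iommu=pt
# (identity-map host devices, keeping speed but dropping the DMA fence) counts
# as unprotected is this script's own policy choice.

# Classify a kernel command line string: off | passthrough | on | unknown.
# 'unknown' means nothing explicit was given and the build/distro default rules.
iommu_mode_from_cmdline() {
    on=0; off=0; pt=0
    for tok in $1; do
        case "$tok" in
            intel_iommu=on) on=1 ;;
            intel_iommu=off|amd_iommu=off|iommu=off) off=1 ;;
            iommu=pt) pt=1 ;;
        esac
    done
    if [ "$off" = 1 ]; then echo off
    elif [ "$pt" = 1 ]; then echo passthrough
    elif [ "$on" = 1 ]; then echo on
    else echo unknown
    fi
}

# Number of IOMMU groups under the given directory (0 when absent or empty).
iommu_group_count() {
    n=0
    for grp in "$1"/*; do
        if [ -d "$grp" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Single-word verdict from both signals.
#   inactive    no groups at all (or explicitly off): device DMA is unchecked
#   passthrough groups exist but iommu=pt identity-maps host-owned devices
#   active      translation enforced (explicitly on, or on by default)
iommu_verdict() {
    mode=$(iommu_mode_from_cmdline "$1")
    groups=$2
    if [ "$groups" -eq 0 ] || [ "$mode" = off ]; then echo inactive
    elif [ "$mode" = passthrough ]; then echo passthrough
    else echo active
    fi
}

# Stand-alone run against the live system when the files exist.
if [ -r /proc/cmdline ]; then
    cmd=$(cat /proc/cmdline)
    groups=$(iommu_group_count /sys/kernel/iommu_groups)
    echo "cmdline mode : $(iommu_mode_from_cmdline "$cmd")"
    echo "iommu groups : $groups"
    echo "verdict      : $(iommu_verdict "$cmd" "$groups")"
fi
```

A verdict of `active` with a non-zero group count is the state in which the overhead discussed above is actually buying the protection; `passthrough` is the common compromise on virtualization hosts and is worth knowing about before trusting a Thunderbolt port on such a machine.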

    1. Re:Performance by Junta · · Score: 1

      This might apply for keyboard key presses

      Well, I doubt you'll find a keyboard that is DMAing, so it wouldn't apply there. Even if it did, no one types fast enough for this to even be a blip.

      15% cost will matter a great deal to some, not at all to others.

      --
      XML is like violence. If it doesn't solve the problem, use more.
  34. just note by Anonymous Coward · · Score: 0

    Note how the summary takes pains to talk about Apple but ignores the fact that Linux and Windows have done even less to address the issue.

  35. In other news: Water wet! by Casandro · · Score: 1

    I mean seriously, you are running PCI-E over some external port. Of course you can easily access everything; you are on the system bus, so you have virtually the same rights as the CPU.

    1. Re:In other news: Water wet! by kent.dickey · · Score: 2

      But it's just a USB-C connector.

      A malicious USB-C anything could be created (keyboard, mouse, flash drive) that really was Thunderbolt, and there's really no way for the user to tell. This does mean you should never plug in an untrusted USB-C flash drive (unless it's through a hub which would not allow the Thunderbolt traffic) into a Thunderbolt connector. It could be much worse than getting an ordinary virus.

      It also means your system may be vulnerable to unwanted searches through this vulnerability. Every time you fly internationally, customs agents can copy the entire contents of your laptop.

  36. Article says apple isn't vulnerable by goombah99 · · Score: 1

    What crappy misleading presentation. They say even the Apple was vulnerable, but oh wait, that was on the unpatched Apple code, so never mind.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  37. That's an option on desktop, not laptop by raymorris · · Score: 1

    That's certainly an option you have on desktops. You can avoid putting any high-performance ports external and install these things internally. On a laptop, not so much.

    It does seem wise for an OS to not connect new peripherals while it's locked. I don't know offhand how each OS handles that.

  38. Great question. US gvt standard since 1983 by raymorris · · Score: 1

    > This doesn't work. You've created a distinction inside your head that no one else shares.

    No one except people who have spent an hour or more learning about information security, any time within the last 35 years.

    > Does everything have to be trusted? Is nothing trusted?

    Excellent question! An important question. It's so important, it's one of the first things you learn if you study information security.
    What is trusted is called the Trusted Computing Base.
    It's defined quite thoroughly in the Trusted Computer System Evaluation Criteria (TCSEC), popularly known as the Orange Book. This is a DoD standard first issued in 1983.

    The TCB is composed of the things that must be trusted in order to build any sort of meaningful security - your CPU, your RAM, your bootloader, etc. User applications do not have to be trusted, they can be controlled by security systems.

    The Trusted Computing Base is what *enforces* security policy, everything outside the TCB is subject to security policy. You can chmod a file or set a SELinux security context on a file, then you have to trust the kernel to enforce that chmod. Make sense?

    Generally, the TCB is the hardware in your system and the basic software - the microcode, bios, bootloader, and at least parts of the kernel.

    Note it's the trustED computing base, not trustWORTHY. After defining what is trusted, what must be trusted, we then set out to certify them as trustworthy.

    > Also, I'd like to ask if mice are secure devices. And keyboards. And monitors and speakers and headphones and USB fans and UPSes.

    Mice and keyboards provide unfiltered input to the TCB (the bios, etc) and are trusted - so you need to make sure they are trustworthy. Speakers and headphones, plugged into an audio output port, are not.

    > Nor do we train people to make any distinction between "secure" and "unsecure" ports. At most, we train people not to plug in unknown USB sticks

    You haven't been to the trainings I give, nor watched them on YouTube.

    > Do we put labels on unsecure ports to identify them? Do we put labels on secure ports? Condoms? Banana peels Anything?

    As I said before, on most modern consumer-level computers, your port for untrusted connections is the RJ-45 port. The USB and lightning ports are for adding new hardware to the system. Hardware is trusted (so make sure it's trustworthy). Anything that is not part of your system, not trusted, should use the port designated for connecting to the world outside of your system. That's the network port.

    1. Re:Great question. US gvt standard since 1983 by Anonymous Coward · · Score: 0

      You aren't getting it. What you do, even in your professional life, isn't terribly relevant to the point I'm making.

      You said, "your port for untrusted connections is the RJ-45 port." OK, so how exactly do I plug a USB mass storage device into that port and get it working? Oh that's right, I can't.

      I know the chapter and verse about the TCB, and the TCP, and the TPM. You know what happened when Microsoft tried to hook Windows to the TPM? The FOSS world lost their minds! They claimed that Linux would be frozen out of reinstalls. Also, how many PCs even have the TPM now, as I haven't seen one in quite a while.

      In the end none of this matters unless we can change user behavior, and so far we haven't done that. Even 'properly' trained users do the wrong thing, from a security standpoint, about half of the time. Why? I know the answers, to a first approximation. And your notion that the RJ-45 port is the only untrusted port is so wrong, it is Not Even Wrong.

    2. Re:Great question. US gvt standard since 1983 by raymorris · · Score: 1

      > OK, so how exactly do I plug a USB mass storage device into that port and get it working? Oh that's right, I can't.

      https://www.wd.com/products/ne...

      If your budget is under $50

      https://www.amazon.com/gp/aw/d...

      > isn't terribly relevant to the point I'm making.

      Your point seems to be that users do stuff things?
      That's true. And therefore we shouldn't tell them what's smart to do instead?

      The fact is, if you install new hardware into your PCIe bus, you are implicitly trusting that hardware. Do you disagree? Or is your point that users attach crap to their bus? And therefore ... what? Stop telling them that's risky?