Slashdot Mirror
Thunderbolt Vulnerabilities Leave Computers Wide-Open, Researchers Find (itnews.com.au)
Bismillah writes: Researchers have published the results of exploring how vulnerable Thunderbolt is to DMA attacks, and the answer is "very." Be careful what you plug into that USB-C port. Yes, the set of vulnerabilities has a name: "Thunderclap." "Thunderbolt, which is available through USB-C ports on modern laptops, provides low-level direct memory access (DMA) at much higher privilege levels than regular universal serial bus peripherals," reports ITNews, citing a paper published from a team of researchers from the University of Cambridge, Rice University and SRI International. "This opens up laptops, desktops and servers with Thunderbolt input/output ports and PCI-Express connectors to attacks using malicious DMA-enabled peripherals. The main defense against the above attacks is the input-output memory management unit (IOMMU) that allows devices to access only the memory needed for the job to be done. Enabling the IOMMU to protect against DMA attacks comes at a high performance cost however. Most operating systems trade off security for performance gains, and disable the IOMMU by default."
"Apple's macOS uses the IOMMU, but even with the hardware defense enabled, the researchers were able to use a fake network card to read data traffic that is meant to be confined to the machine and never leave it," the report adds. "The network card was also able to run arbitrary programs at system administrator level on macOS and could read display contents from other Macs and keystrokes from a USB keyboard. Apple patched the vulnerability in macOS 10.12.4 that was released in 2016, but the researchers say the more general scope of such attacks remains relevant."
"Apple's macOS uses the IOMMU, but even with the hardware defense enabled, the researchers were able to use a fake network card to read data traffic that is meant to be confined to the machine and never leave it," the report adds. "The network card was also able to run arbitrary programs at system administrator level on macOS and could read display contents from other Macs and keystrokes from a USB keyboard. Apple patched the vulnerability in macOS 10.12.4 that was released in 2016, but the researchers say the more general scope of such attacks remains relevant."
Considering this is Apple's choice of replacement for Firewire, this is not any worse of a tradeoff. Firewire already had DMA. Between this and Spectre/Meltdown, Trusted Computing (as anything other than DRM) is becoming more and more impossible.
The default configuration of Thinkpads running win10 requires you to give the device permission (admin rights required) before it will connect. You can do an always allow for devices, or turn security off in the bios.
So if I leave my laptop out when I go to the bathroom at Starbucks and nobody steals it, and I come back and there's some weird thing hanging off a Thunderbolt port, I guess I unplug it? Sage advice, this.
Fast path into a computer to get data in and out.
Who would have thought?
Would have more security slowed the data rate down?
Domestic spying is now "Benign Information Gathering"
It's not the devices that are the problem here, but the shitty proprietary software that runs on them.
You have that exactly backwards.
With this level of direct system access, even the most bullet proof of open source code is not going to ever fully protect you.
But you are right to say "don't buy proprietary CRAP", emphasis on crap - as in, do not buy cheap devices to plug into your expensive hardware. That is a perfect philosophy for all things electronic - don't buy the cheapest chargers, cables, USB hubs, drives, SD cards and so on, and you can avoid a lot of potential grief. Save up a little and buy something quality - or as quality as external computer devices can get anyway.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
For this reason, Windows now has IOMMU virtualization enabled to prevent DMA attacks (starting with Windows 10 RS4/1803/April 2018 Update): https://twitter.com/AmarSaar/status/985618204184768513 In conjunction, tianocore also has IOMMU based DMA protection for 2 years now: https://github.com/tianocore/edk2/tree/master/IntelSiliconPkg/Feature/VTd. So even if the OS isn't up yet DMA attacks are still locked out. Assuming you are running a recent OS and firmware, this is now a non-issue.
USB-C hubs don't pass Thunderbolt signalling. So a cheap USB-C hub would actually protect you from a Thunderbolt device disguised as USB-C.
USB-C hubs don't pass Thunderbolt signalling. So a cheap USB-C hub would actually protect you from a Thunderbolt device disguised as USB-C.
You are assuming the hub itself is not really thunderbolt in disguise meant to spy on you - obviously it's not going to pass thunderbolt stuff around, with it's primary mission accomplished. That is primarily what I was warning about.
How would anyone know? It's all the same connector (or it can be anyway), and some hubs come with bundled unpluggable cables to attach to your computer.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
If you are close enough to hear the Thunderbolt Port, then you are close enough to get struck by a lightning cable.
Our reign has gone on long enough. Indeed. Summon the meteors.
Thunderbolt and lightning,
Very, very frightening me.
"Apple's macOS uses the IOMMU, but even with the hardware defense enabled, the researchers were able to use a fake network card to read data traffic that is meant to be confined to the machine and never leave it,"
Clearly they're either not using the IOMMU very well, their network stack is garbage, or both. So uh... which is it?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
nt
They said cheap. Currently, I don't think you'd find a cheap Thunderbolt anything.
Do I seriously have to spell this out on Slashdot of all places? The whole POINT would be that people thought they were buying a non-thunderbolt device, it might actually cost $1 million to make or whatever by secretly including Thunderbolt and advanced spying hardware and cellular hardware (to transmit what it found), but you don't care because what you are seeking to obtain is more valuable.
Since I'm having to lay out every minute detail of such a potential plot, imagine an Amazon seller of USB-C hubs where most of them are indeed just cheap $10 hubs. But if any address you are to ship to matches a database Russia or China has provided you, the "special" model is shipped...
Starting to get the picture here? Don't buy cheap hardware, at least not if you care about your data security (or maybe even don't want your devices fried by bad power regulation which is less espionage than simple cheap hardware).
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Yes, "more security" would have slowed the data rate. Probably more noticeablw would have been that data transfers would use a LOT more CPU.
These ports are like PCIe - you're adding new parts to your computer, plugging them into the motherboard. You probably shouldn't be trying to protect your computer from a malicious CPU, or RAM that I spying on you - these parts ARE your computer. So is your hard drive - whether you connect it via SATA, PCIe, Lightning, or mSATA. You aren't going to protect your computer against a malicious hard drive or graphics card, and the Lightning port is a port for hard drives and graphics.
If you want to connect to something while keeping it separate, having it not be part of your system, you can use the network port for that. That's the port for connecting to other things, untrusted things.
We COULD go back to the days of having separate, different types of ports for a keyboard, a printer, a display, etc. Then you'd know that what looks like a display can only act as a display, display, because it's connected to the VGA port, not the keyboard port.
That's true. These ports are like PCIe - you're adding new parts to your computer, plugging them into the motherboard. You probably shouldn't be trying to protect your computer from a malicious CPU, or RAM that I spying on you - these parts ARE your computer. So is your hard drive - whether you connect it via SATA, PCIe, Lightning, or mSATA. You aren't going to protect your computer against a malicious hard drive or graphics card, and the Lightning port is a port for hard drives and graphics.
If you want to connect to something while keeping it separate, having it not be part of your system, you can use the network port for that. That's the port for connecting to other things, untrusted things.
We COULD go back to the days of having separate, different types of ports for a keyboard, a printer, a display, etc. Then you'd know that what looks like a display can only act as a display, display, because it's connected to the VGA port, not the keyboard port.
Not using Mac, I might be missing something, but why would someone use Thunderbolt instead of USB 3.x?
Slashdot: Playing Favorites Since 1997
Yes, "more security" would have slowed the data rate. Probably more noticeablw would have been that data transfers would use a LOT more CPU.
Actually, no. You don't strictly need to abandon DMA (for PIO) to fix this.
The thing is that these DMA transfers give full access to the computer's memory to whatever is on the other side of that cable. This is not strictly necessary. Add a (hardware) fence, so set aside a range where DMA can happen and keep everything else out of it, and you can have both "more security" and all that juicy speed.
Same with firewire. The solution then was the same, too. If the controller can't do it on its own (firewire could) you can do it with IOMMU, either way will work.
Ummm, WHAAAT?!? Deja vu? Did anyone else notice that same black cat walking past the doorway?
If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
On Linux we have a solution – using Thunderbolt security levels to authorize external devices:
https://christian.kellner.me/2...
This goes as far as blocking new devices connected while the screen is locked, so noone will connect spy device and exfiliate your data while you are away from your computer.
:wq
That isn't really the case for any modern systems which use an IOMMU. By default the new device is firewalled off completely, and normally won't be given complete access to the entirety of RAM or anything like that.
The problem is that if you connect something like a GPU the OS helpfully auto-configures it and mirrors the screen onto it, including copying all the hidden bitmaps composited behind the lock screen into its RAM. It automatically mounts the Thunderbolt hard drive and starts reading and parsing the filesystem. Perhaps the attacker knows of an exploit in the Intel NIC driver, so pretends to be an Intel NIC and the OS helpfully loads that driver up, ready for some code injection.
All it really needs for mitigation is to block the initial configuration of new devices when the computer is locked and before login.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Firewire, Express Card, Thunderbolt is just the latest iteration of high speed buses that create security problems.
Fortunately it's one I can protect myself against. A thunderbolt device won't randomly download itself into my port while I'm browsing porn.
https://www.kernel.org/doc/ols...
Looks like IOMMU is roughly a 15% cpu overhead because of memory virtualization overhead causing increased cache invalidation. But can be up to 60% overhead for events 256bytes and smaller. This might apply for keyboard key presses where the datastructure for the event is larger than the data to indicate which key was pressed or a UDP flood on a network interface, most other hardware devices are going to be dealing in 512byte+ chucks of data at a time. ~15% cpu cost should be the most common.
15% additional CPU cost on IO seems cheap to me. Most of my IO requires virtually no CPU because of offloading and DMA access. To give an example. Transferring 940Mb/s(114MiB/s) over Ethernet copying a file from one Windows machine to another over SMB results in about 0.5% cpu usage on my quad core. A 15% increase would push it to 0.575%
I mean seriously, you are running PCI-E over some external port. Of course you can easily access everything, you are on the system bus you have virtually the same rights as the CPU.
What crappy misleading presentation. they say Even the apple was vulnerable, but oh wait, that was on the unpatched apple code, so nevermind.
Some drink at the fountain of knowledge. Others just gargle.
That's certainly an option you have on desktops. You can avoid putting any high-performance ports external and install these things internally. On a laptop, not so much.
It does seem wise for an OS to not connect new peripherals while it's locked. I don't know offhand how each OS handles that.
> This doesn't work. You've created a distinction inside your head that no one else shares.
No one except people who have spent an hour or more learning about information security, any time within the last 35 years.
> Does everything have to be trusted? Is nothing trusted?
Excellent question! An important question. It's so important, it's one of the first things you learn if you study information security.
What is trusted is called the Trusted Computing Base.
It's defined quite thoroughly in the Trusted Computer System Evaluation Criteria (TCSEC), popularly known as the Orange Book. This is a DoD standard first issued in 1983.
The TCB is composed of the things that must be trusted in order to build any sort of meaningful security - your CPU, your RAM, your bootloader, etc. User applications do not have to be trusted, they can be controlled by security systems.
The Trusted Computing Base is what *enforces* security policy, everything outside the TCB is subject to security policy. You can chmod a file or set a SELinux security context on a file, then you have to trust the kernel to enforce that chmod. Make sense?
Generally, the TCB is the hardware in your system and the basic software - the microcode, bios, bootloader, and at least parts of the kernel.
Note it's the trustED computing base, not trustWORTHY. After definitely what is trusted, what must be trusted, we then set out to certify them as trustworthy.
> Also, I'd like to ask if mice are secure devices. And keyboards. And monitors and speakers and headphones and USB fans and UPSes.
Mice and keyboards provide unfiltered input to the TCB (the bios, etc) and are trusted - so you need to make sure they are trustworthy. Speakers and headphones, plugged into an audio output port, are not.
> Nor do we train people to make any distinction between "secure" and "unsecure" ports. At most, we train people not to plug in unknown USB sticks
You haven't been to the trainings I give, nor watched them on YouTube.
> Do we put labels on unsecure ports to identify them? Do we put labels on secure ports? Condoms? Banana peels Anything?
As I said before, on most modern consumer-level computers, your port for untrusted connections is the RJ-45 port. The USB and lightning ports are for adding new hardware to the system. Hardware is trusted (so make sure it's trustworthy). Anything that is not part of your system, not trusted, should use the port designated for connecting to the world outside of your system. That's the network port.