Slashdot Mirror


Thunderbolt Vulnerabilities Leave Computers Wide-Open, Researchers Find (itnews.com.au)

Bismillah writes: Researchers have published the results of exploring how vulnerable Thunderbolt is to DMA attacks, and the answer is "very." Be careful what you plug into that USB-C port. Yes, the set of vulnerabilities has a name: "Thunderclap." "Thunderbolt, which is available through USB-C ports on modern laptops, provides low-level direct memory access (DMA) at much higher privilege levels than regular universal serial bus peripherals," reports ITNews, citing a paper published from a team of researchers from the University of Cambridge, Rice University and SRI International. "This opens up laptops, desktops and servers with Thunderbolt input/output ports and PCI-Express connectors to attacks using malicious DMA-enabled peripherals. The main defense against the above attacks is the input-output memory management unit (IOMMU) that allows devices to access only the memory needed for the job to be done. Enabling the IOMMU to protect against DMA attacks comes at a high performance cost however. Most operating systems trade off security for performance gains, and disable the IOMMU by default."

"Apple's macOS uses the IOMMU, but even with the hardware defense enabled, the researchers were able to use a fake network card to read data traffic that is meant to be confined to the machine and never leave it," the report adds. "The network card was also able to run arbitrary programs at system administrator level on macOS and could read display contents from other Macs and keystrokes from a USB keyboard. Apple patched the vulnerability in macOS 10.12.4 that was released in 2016, but the researchers say the more general scope of such attacks remains relevant."


  1. Good replacement for Firewire then by omnichad · · Score: 4, Insightful

    Considering this is Apple's choice of replacement for Firewire, this is not any worse of a tradeoff. Firewire already had DMA. Between this and Spectre/Meltdown, Trusted Computing (as anything other than DRM) is becoming more and more impossible.

  2. I think I've got it by mattyj · · Score: 3, Funny

    So if I leave my laptop out when I go to the bathroom at Starbucks and nobody steals it, and I come back and there's some weird thing hanging off a Thunderbolt port, I guess I unplug it? Sage advice, this.

    1. Re:I think I've got it by Jeremi · · Score: 4, Funny

      So if I leave my laptop out when I go to the bathroom at Starbucks and nobody steals it, and I come back and there's some weird thing hanging off a Thunderbolt port, I guess I unplug it?

      By the time you're back from the bathroom, the weird Thunderbolt thing has already copied out your private information and been removed again. Its owner is now in line to buy a Frappuccino, to be paid for from your bank account :)

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    2. Re:I think I've got it by coofercat · · Score: 2

      I was in a coffee shop (not starbucks though, because they don't sell coffee) a couple of weeks back and a lady asked if I could watch her stuff while she went to the toilet. I suggested that she lock the screen before she went.

      Granted, I'm trustworthy, and I live in a generally low crime sort of area, so the risk is pretty low. However, if you can't even get people to lock the screen, then stuff like this is just lightyears away.

  3. A direct path in? by AHuxley · · Score: 2

    Fast path into a computer to get data in and out.
    Who would have thought?
    Would have more security slowed the data rate down?

    --
    Domestic spying is now "Benign Information Gathering"
  4. Non-Issue with latest software by nateman1352 · · Score: 4, Informative

    For this reason, Windows now has IOMMU virtualization enabled to prevent DMA attacks (starting with Windows 10 RS4/1803/April 2018 Update): https://twitter.com/AmarSaar/status/985618204184768513 In conjunction, tianocore has also had IOMMU based DMA protection for 2 years now: https://github.com/tianocore/edk2/tree/master/IntelSiliconPkg/Feature/VTd. So even if the OS isn't up yet, DMA attacks are still locked out. Assuming you are running a recent OS and firmware, this is now a non-issue.

    1. Re:Non-Issue with latest software by nateman1352 · · Score: 2

      AMT doesn't need VTd turned on to access the network, so keeping VTd off for that reason does absolutely nothing. AMT has its own dedicated side band access to the network hardware. AMT only works with Intel networking gear (NIC/Wi-Fi) so the AMT firmware has all the drivers for the NIC built in. Actually, VTd HELPS mitigate AMT concerns because with it turned on AMT is unable to execute arbitrary DMA reads/writes to system RAM, VTd limits AMT's DMA to only the ranges of RAM that the OS allows.

      By the way... there is a much better way to "stop Intel AMT"... just don't buy a system that is "VPro" branded. If the system doesn't have VPro then AMT isn't even present... it gets permanently fused off at the Intel factory. Intel has a special sticker for VPro, so labeling of systems is very clear: https://www.laptopmag.com/articles/intel-vpro-faq

  5. "Protect" you by SuperKendall · · Score: 2

    USB-C hubs don't pass Thunderbolt signalling. So a cheap USB-C hub would actually protect you from a Thunderbolt device disguised as USB-C.

    You are assuming the hub itself is not really thunderbolt in disguise meant to spy on you - obviously it's not going to pass thunderbolt stuff around, with its primary mission accomplished. That is primarily what I was warning about.

    How would anyone know? It's all the same connector (or it can be anyway), and some hubs come with bundled unpluggable cables to attach to your computer.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  6. You know what they say... by Hallux-F-Sinister · · Score: 5, Funny

    If you are close enough to hear the Thunderbolt Port, then you are close enough to get struck by a lightning cable.

    --
    Our reign has gone on long enough. Indeed. Summon the meteors.
  7. Slowed it and used a lot more CPU. *IS* the comput by raymorris · · Score: 2

    Yes, "more security" would have slowed the data rate. Probably more noticeable would have been that data transfers would use a LOT more CPU.

  8. Which replaces PCI. Network card for untrusted by raymorris · · Score: 5, Insightful

    That's true. These ports are like PCIe - you're adding new parts to your computer, plugging them into the motherboard. You probably shouldn't be trying to protect your computer from a malicious CPU, or RAM that is spying on you - these parts ARE your computer. So is your hard drive - whether you connect it via SATA, PCIe, Lightning, or mSATA. You aren't going to protect your computer against a malicious hard drive or graphics card, and the Lightning port is a port for hard drives and graphics.

    If you want to connect to something while keeping it separate, having it not be part of your system, you can use the network port for that. That's the port for connecting to other things, untrusted things.

    We COULD go back to the days of having separate, different types of ports for a keyboard, a printer, a display, etc. Then you'd know that what looks like a display can only act as a display, because it's connected to the VGA port, not the keyboard port.

    1. Re:Which replaces PCI. Network card for untrusted by Anonymous Coward · · Score: 4, Insightful

      The problem isn't when I plug something into my machine, but when some passerby or government agency plugs something into my machine. The whole issue is that this port is like a hooker on the corner on a Saturday night. Something plugged into a port on a computer should get access to exactly what I let it have access to with my root account, not automatically have access to everything stored in memory or transferred between memory, HDD or other parts of that same computer. Unless of course, the root account has allowed such access.

    2. Re:Which replaces PCI. Network card for untrusted by AmiMoJo · · Score: 2

      No, the problem is plug-and-play. If the OS didn't install a driver and immediately allow the device to operate as soon as it was plugged in, we wouldn't have this problem. Same with USB but to a less severe extent.

      You can actually do that on Windows. I don't know about MacOS.

      https://docs.microsoft.com/en-...

      Another thing that really helps is encrypted RAM. It makes DMA attacks far less effective.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Which replaces PCI. Network card for untrusted by AmiMoJo · · Score: 3, Informative

      When connected the Thunderbolt device needs to negotiate the link and request resources. By default it can't just DMA the entire memory space. The host has to read configuration parameters and configure the IOMMU to allow it.

      Part of the problem is that the OS does a lot of that automatically, even if there is no driver available. For example when you connect a USB device the OS reads descriptors (metadata) from it, which means that there is a potential attack on the parser for that data. Thunderbolt is no different.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  9. Re:"uses" the IOMMU by UnknowingFool · · Score: 2

    The last line says: "Apple patched the vulnerability in macOS 10.12.4 that was released in 2016, but the researchers say the more general scope of such attacks remains relevant." So they are complaining about a bug that was patched more than 2 years ago.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  10. Re:Right idea, wrong conclusion by Aighearach · · Score: 2

    Probably over 85% of devices are the cheapest device, but in a nicer case. If you don't know enough to choose the good parts, you're screwed; paying more doesn't help, that's just nonsense. Often the peak of quality is on a mid-range item.

  11. Use boltd by zdzichu · · Score: 4, Interesting

    On Linux we have a solution – using Thunderbolt security levels to authorize external devices:
    https://christian.kellner.me/2...

    This goes as far as blocking new devices connected while the screen is locked, so no one will connect a spy device and exfiltrate your data while you are away from your computer.

    --
    :wq
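    The Thunderbolt security levels mentioned in the comment above are exposed by the Linux thunderbolt driver through sysfs, and boltd is a policy daemon layered on top of that interface. The script below is an added example (not code from the thread, from boltd, or from the kernel project) showing what such a policy does at the lowest level: read the domain's security level, check whether the kernel reports IOMMU DMA protection for that domain, list attached routers with their authorization state, and authorize a router only when its unique_id is on an allow-list. It assumes the sysfs attribute names used by the Linux driver (domainN/security, domainN/iommu_dma_protection, <route>/authorized, <route>/unique_id, <route>/device_name); the TB_SYSFS variable, the allow-list file format (one unique_id per line) and the constructed demo tree are this example's own conventions. Writing to a real authorized attribute requires root.

```shell
#!/bin/sh
# Thunderbolt security-level check and allow-list based authorization via sysfs.
# Added example, not from the original thread or from boltd/the kernel.
# TB_SYSFS defaults to the real driver directory; point it at a constructed
# tree (see tb_demo_tree) to run this offline without Thunderbolt hardware.
TB_SYSFS="${TB_SYSFS:-/sys/bus/thunderbolt/devices}"

# Security level of a domain (e.g. domain0): none|user|secure|dponly|usbonly|nopcie.
# "none" means every device is authorized automatically, which is the setting
# the Thunderclap paper warns about.
tb_security_level() {
    cat "$TB_SYSFS/$1/security" 2>/dev/null || echo "unknown"
}

# Succeeds when the kernel reports IOMMU DMA protection active for the domain.
tb_iommu_protected() {
    [ "$(cat "$TB_SYSFS/$1/iommu_dma_protection" 2>/dev/null)" = "1" ]
}

# One line per attached router: "<route> <unique_id> <authorized> <device_name>"
# (authorized: 0 = blocked, 1 = authorized, 2 = authorized with key).
tb_list() {
    for d in "$TB_SYSFS"/*; do
        [ -f "$d/authorized" ] || continue
        printf '%s %s %s %s\n' "$(basename "$d")" "$(cat "$d/unique_id")" \
            "$(cat "$d/authorized")" "$(cat "$d/device_name")"
    done
}

# Authorize the router at $1 only if its unique_id is listed in the allow-list
# file $2 (one unique_id per line). Returns 1 and leaves the device blocked
# otherwise, so an unknown device plugged in while you are away stays inert.
tb_authorize_if_allowed() {
    route="$1"; allowlist="$2"
    uid=$(cat "$TB_SYSFS/$route/unique_id" 2>/dev/null) || return 1
    if grep -qx "$uid" "$allowlist"; then
        echo 1 > "$TB_SYSFS/$route/authorized"
        return 0
    fi
    return 1
}

# Build a constructed sysfs-like tree for demonstration and print its path:
# domain0 at "user" level without IOMMU protection, one blocked dock (0-1)
# and one blocked unknown device (0-3). Sample data, not a real capture.
tb_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/domain0" "$root/0-1" "$root/0-3"
    echo user > "$root/domain0/security"
    echo 0 > "$root/domain0/iommu_dma_protection"
    echo 0 > "$root/0-1/authorized"
    echo 00010203-0405-0607-0809-0a0b0c0d0e0f > "$root/0-1/unique_id"
    echo "Example Dock" > "$root/0-1/device_name"
    echo 0 > "$root/0-3/authorized"
    echo ffffffff-0000-0000-0000-000000000001 > "$root/0-3/unique_id"
    echo "Unknown Device" > "$root/0-3/device_name"
    echo "$root"
}

# Usage on a real system (as root):
#   tb_security_level domain0; tb_iommu_protected domain0 && echo "IOMMU on"
#   tb_list; tb_authorize_if_allowed 0-1 /etc/thunderbolt.allow
```

    If the domain reports "none", the kernel authorizes everything itself and the allow-list check never gets a chance to run; changing that level is a firmware setting, not something this script can do.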
  12. Re:Sigh by omnichad · · Score: 2

    But if any address you are to ship to matches a database Russia or China has provided you, the "special" model is shipped...

    So now Amazon is a Russian operative?

  13. Re:In other news: Water wet! by kent.dickey · · Score: 2

    But it's just a USB-C connector.

    A malicious USB-C anything could be created (keyboard, mouse, flash drive) that really was Thunderbolt, and there's really no way for the user to tell. This does mean you should never plug in an untrusted USB-C flash drive (unless it's through a hub which would not allow the Thunderbolt traffic) into a Thunderbolt connector. It could be much worse than getting an ordinary virus.

    It also means your system may be vulnerable to unwanted searches through this vulnerability. Every time you fly internationally, customs agents can copy the entire contents of your laptop.