Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Desktops (Apple) Intel Privacy Security Apple Hardware Technology

Thunderbolt Vulnerabilities Leave Computers Wide-Open, Researchers Find (itnews.com.au) 90

Bismillah writes: Researchers have published the results of exploring how vulnerable Thunderbolt is to DMA attacks, and the answer is "very." Be careful what you plug into that USB-C port. Yes, the set of vulnerabilities has a name: "Thunderclap." "Thunderbolt, which is available through USB-C ports on modern laptops, provides low-level direct memory access (DMA) at much higher privilege levels than regular universal serial bus peripherals," reports ITNews, citing a paper published from a team of researchers from the University of Cambridge, Rice University and SRI International. "This opens up laptops, desktops and servers with Thunderbolt input/output ports and PCI-Express connectors to attacks using malicious DMA-enabled peripherals. The main defense against the above attacks is the input-output memory management unit (IOMMU) that allows devices to access only the memory needed for the job to be done. Enabling the IOMMU to protect against DMA attacks comes at a high performance cost however. Most operating systems trade off security for performance gains, and disable the IOMMU by default."

"Apple's macOS uses the IOMMU, but even with the hardware defense enabled, the researchers were able to use a fake network card to read data traffic that is meant to be confined to the machine and never leave it," the report adds. "The network card was also able to run arbitrary programs at system administrator level on macOS and could read display contents from other Macs and keystrokes from a USB keyboard. Apple patched the vulnerability in macOS 10.12.4 that was released in 2016, but the researchers say the more general scope of such attacks remains relevant."
This discussion has been archived. No new comments can be posted.

Thunderbolt Vulnerabilities Leave Computers Wide-Open, Researchers Find

Comments Filter:
  • by omnichad ( 1198475 ) on Tuesday February 26, 2019 @09:20PM (#58186668) Homepage

    Considering this is Apple's choice of replacement for Firewire, this is not any worse of a tradeoff. Firewire already had DMA. Between this and Spectre/Meltdown, Trusted Computing (as anything other than DRM) is becoming more and more impossible.

    • by raymorris ( 2726007 ) on Tuesday February 26, 2019 @10:56PM (#58186934) Journal

      That's true. These ports are like PCIe - you're adding new parts to your computer, plugging them into the motherboard. You probably shouldn't be trying to protect your computer from a malicious CPU, or RAM that I spying on you - these parts ARE your computer. So is your hard drive - whether you connect it via SATA, PCIe, Lightning, or mSATA. You aren't going to protect your computer against a malicious hard drive or graphics card, and the Lightning port is a port for hard drives and graphics.

      If you want to connect to something while keeping it separate, having it not be part of your system, you can use the network port for that. That's the port for connecting to other things, untrusted things.

      We COULD go back to the days of having separate, different types of ports for a keyboard, a printer, a display, etc. Then you'd know that what looks like a display can only act as a display, display, because it's connected to the VGA port, not the keyboard port.

      • by Anonymous Coward on Wednesday February 27, 2019 @02:46AM (#58187328)

        The problem isn't when I plug something into my machine, but when some passerby or government agency plugs something into my machine. The whole issue is that this port is like a hooker on the corner on a Saturday night. Something plugged into a port on a computer should get access to exactly what I let it have access to with my root account, not automatically have access to everything stored in memory or transferred between memory, HDD or other parts of that same computer. Unless of course, the root account has allowed such access.

        • The problem isn't when I plug something into my machine, but when some passerby or government agency plugs something into my machine.

          If this is a concern for you then install system services that disable port access. There are plenty out there, even my motherboard came with one.

          The whole issue is that this port is like a hooker on the corner on a Saturday night.

          Yes but the risk of a hooker doesn't mean we should give up on awesome sex. If you want physical security, use physical security.

      • by AmiMoJo ( 196126 )

        No, the problem is plug-and-play. If the OS didn't install a driver and immediately allow the device to operate as soon as it was plugged in, we wouldn't have this problem. Same with USB but to a less severe extent.

        You can actually do that on Windows. I don't know about MacOS.

        https://docs.microsoft.com/en-... [microsoft.com]

        Another thing that really helps is encrypted RAM. It makes DMA attacks far less effective.

        • No, the problem is plug-and-play. If the OS didn't install a driver and immediately allow the device to operate as soon as it was plugged in, we wouldn't have this problem.

          Not true. There's a myriad of devices in your computer attached to various devices that are completely OS independent and create a security risk. Do you have a driver for your RAM stick?

      • by epine ( 68316 )

        You aren't going to protect your computer against a malicious hard drive or graphics card, and the Lightning port is a port for hard drives and graphics.

        Jane Random servicewoman who comes into your house would have trouble opening your case, installing a device, and rebooting your computer all in the time it takes you to hit the head to squeeze a drop.

        An actual case might even be locked and alarmed, too.

        Personally, if I was wearing a protective cup, I'd hang my balls on the inside. But perhaps that's just m

        • That's certainly an option you have on desktops. You can avoid putting any high-performance ports external and install these things internally. On a laptop, not so much.

          It does seem wise for an OS to not connect new peripherals while it's locked. I don't know offhand how each OS handles that.

      • by AC-x ( 735297 )

        We COULD go back to the days of having separate, different types of ports for a keyboard, a printer, a display, etc. Then you'd know that what looks like a display can only act as a display, display, because it's connected to the VGA port, not the keyboard port.

        Or we could just have our OS tell us what the device is presenting as and prompt to enable DMA, obviously actual malicious peripherals would still be a vector but it somewhat blocks evil maid attacks (if you locked your computer) and hacked USB thumb drives.

    • What crappy misleading presentation. they say Even the apple was vulnerable, but oh wait, that was on the unpatched apple code, so nevermind.

  • The default configuration of Thinkpads running win10 requires you to give the device permission (admin rights required) before it will connect. You can do an always allow for devices, or turn security off in the bios.

  • by mattyj ( 18900 ) on Tuesday February 26, 2019 @09:36PM (#58186708)

    So if I leave my laptop out when I go to the bathroom at Starbucks and nobody steals it, and I come back and there's some weird thing hanging off a Thunderbolt port, I guess I unplug it? Sage advice, this.

    • by Jeremi ( 14640 ) on Tuesday February 26, 2019 @10:11PM (#58186816) Homepage

      So if I leave my laptop out when I go to the bathroom at Starbucks and nobody steals it, and I come back and there's some weird thing hanging off a Thunderbolt port, I guess I unplug it?

      By the time you're back from the bathroom, the weird Thunderbolt thing has already copied out your private information and been removed again. Its owner is now in line to buy a Frappucino, to be paid for from your bank account :)

    • I was in a coffee shop (not starbucks though, because they don't sell coffee) a couple of weeks back and a lady asked if I could watch her stuff while she went to the toilet. I suggested that she lock the screen before she went.

      Granted, I'm trustworthy, and I live in a generally low crime sort of area, so the risk is pretty low. However, if you can't even get people to lock the screen, then stuff like this is just lightyears away.

  • by AHuxley ( 892839 ) on Tuesday February 26, 2019 @09:43PM (#58186732) Journal
    Fast path into a computer to get data in and out.
    Who would have thought?
    Would have more security slowed the data rate down?
    • Yes, "more security" would have slowed the data rate. Probably more noticeablw would have been that data transfers would use a LOT more CPU.

      These ports are like PCIe - you're adding new parts to your computer, plugging them into the motherboard. You probably shouldn't be trying to protect your computer from a malicious CPU, or RAM that I spying on you - these parts ARE your computer. So is your hard drive - whether you connect it via SATA, PCIe, Lightning, or mSATA. You aren't going to protect your compute

      • by Anonymous Coward

        Yes, "more security" would have slowed the data rate. Probably more noticeablw would have been that data transfers would use a LOT more CPU.

        Actually, no. You don't strictly need to abandon DMA (for PIO) to fix this.

        The thing is that these DMA transfers give full access to the computer's memory to whatever is on the other side of that cable. This is not strictly necessary. Add a (hardware) fence, so set aside a range where DMA can happen and keep everything else out of it, and you can have both "more security" and all that juicy speed.

        Same with firewire. The solution then was the same, too. If the controller can't do it on its own (firewire coul

      • Ummm, WHAAAT?!? Deja vu? Did anyone else notice that same black cat walking past the doorway?
      • by AmiMoJo ( 196126 )

        That isn't really the case for any modern systems which use an IOMMU. By default the new device is firewalled off completely, and normally won't be given complete access to the entirety of RAM or anything like that.

        The problem is that if you connect something like a GPU the OS helpfully auto-configures it and mirrors the screen onto it, including copying all the hidden bitmaps composited behind the lock screen into its RAM. It automatically mounts the Thunderbolt hard drive and starts reading and parsing th

  • by nateman1352 ( 971364 ) on Tuesday February 26, 2019 @09:46PM (#58186738)
    For this reason, Windows now has IOMMU virtualization enabled to prevent DMA attacks (starting with Windows 10 RS4/1803/April 2018 Update): https://twitter.com/AmarSaar/status/985618204184768513 [twitter.com] In conjunction, tianocore also has IOMMU based DMA protection for 2 years now: https://github.com/tianocore/edk2/tree/master/IntelSiliconPkg/Feature/VTd [github.com]. So even if the OS isn't up yet DMA attacks are still locked out. Assuming you are running a recent OS and firmware, this is now a non-issue.
    • For this reason, Windows now has IOMMU virtualization enabled to prevent DMA attacks (starting with Windows 10 RS4/1803/April 2018 Update): https://twitter.com/AmarSaar/s... [twitter.com] In conjunction, tianocore also has IOMMU based DMA protection for 2 years now: https://github.com/tianocore/e... [github.com]. So even if the OS isn't up yet DMA attacks are still locked out. Assuming you are running a recent OS and firmware, this is now a non-issue.

      The problem myself and others face with allowing VTd virtualization is that for some this will be the only lever available for stopping Intel AMT from being accessed externally.

      When enabled and your computer is off it's still listening on TCP ports. When stealth mode firewall is on with all incoming ports blocked the port is still open. Virtualization is the only thing that physically allows the network hardware (wired and wireless) to be shared concurrently with both the host and management engine.

      • AMT doesn't need VTd turned on to access the network, so keeping VTd off for that reason does absolutely nothing. AMT has its own dedicated side band access to the network hardware. AMT only works with Intel networking gear (NIC/Wi-Fi) so the AMT firmware has all the drivers for the NIC built in. Actually, VTd HELPS mitigate AMT concerns because with it turned on AMT is unable to execute arbitrary DMA reads/writes to system RAM, VTd limits AMT's DMA to only the ranges of RAM that the OS allows.

        By the way..

        • by mathew7 ( 863867 )

          Actually, VTd HELPS mitigate AMT concerns because with it turned on AMT is unable to execute arbitrary DMA reads/writes to system RAM, VTd limits AMT's DMA to only the ranges of RAM that the OS allows.

          I doubt IOMMU can stop AMT. I'm pretty sure they tap directly to the memory controller, bypassing IOMMU. After all, isn't the ME (backend for AMT) scandal related to inabillity to block it with the OS?

        • AMT doesn't need VTd turned on to access the network, so keeping VTd off for that reason does absolutely nothing. AMT has its own dedicated side band access to the network hardware.

          This simply isn't true. Without VTd the NICs can't be used by both AMT and the host system concurrently. My commentary was based on first hand real world observation of what actually occurs:

          When VTd is enabled there is a an active IP stack responding to pings and incoming TCP requests when the computer is turned completely off.

          When VTd is enabled and all ports are firewalled in the operating system you can still establish incoming TCP connections to ports that not only bypass the firewall but are complete

  • by account_deleted ( 4530225 ) on Tuesday February 26, 2019 @10:05PM (#58186786)
    Comment removed based on user account deletion
  • Thunderbolt and lightning,
    Very, very frightening me.

  • "Apple's macOS uses the IOMMU, but even with the hardware defense enabled, the researchers were able to use a fake network card to read data traffic that is meant to be confined to the machine and never leave it,"

    Clearly they're either not using the IOMMU very well, their network stack is garbage, or both. So uh... which is it?

    • The last line says: "Apple patched the vulnerability in macOS 10.12.4 that was released in 2016, but the researchers say the more general scope of such attacks remains relevant." So they are complaining about a bug that was patched more than 2 years ago
  • nt

  • Not using Mac, I might be missing something, but why would someone use Thunderbolt instead of USB 3.x?

    • by Megol ( 3135005 )

      It's PCIe plus USB plus video via one cable. Plug in a Thunderbolt to PCIe adapter into your laptop and insert whatever card you want into that adapter.
      Plus it's much faster and lower latency than USB.

    • by Junta ( 36770 )

      Note that thunderbolt is a common feature of non-Apple PCs as well.

      One facet is that it supports 4x PCIe, so it can provide a much better performing connection than usb-c by itself.

  • Use boltd (Score:5, Interesting)

    by zdzichu ( 100333 ) on Wednesday February 27, 2019 @06:48AM (#58187688) Homepage Journal

    On Linux we have a solution – using Thunderbolt security levels to authorize external devices:
    https://christian.kellner.me/2... [kellner.me]

    This goes as far as blocking new devices connected while the screen is locked, so noone will connect spy device and exfiliate your data while you are away from your computer.

  • Firewire, Express Card, Thunderbolt is just the latest iteration of high speed buses that create security problems.

    Fortunately it's one I can protect myself against. A thunderbolt device won't randomly download itself into my port while I'm browsing porn.

  • https://www.kernel.org/doc/ols... [kernel.org]

    Looks like IOMMU is roughly a 15% cpu overhead because of memory virtualization overhead causing increased cache invalidation. But can be up to 60% overhead for events 256bytes and smaller. This might apply for keyboard key presses where the datastructure for the event is larger than the data to indicate which key was pressed or a UDP flood on a network interface, most other hardware devices are going to be dealing in 512byte+ chucks of data at a time. ~15% cpu cost shoul
    • by Junta ( 36770 )

      This might apply for keyboard key presses

      Well, I doubt you'll find a keyboard that is DMAing, so it wouldn't apply there. Even if it did, no one types fast enough for this to even be a blip.

      15% cost will matter a great deal to some, not at all to others.

  • I mean seriously, you are running PCI-E over some external port. Of course you can easily access everything, you are on the system bus you have virtually the same rights as the CPU.

    • But it's just a USB-C connector.

      A malicious USB-C anything could be created (keyboard, mouse, flash drive) that really was Thunderbolt, and there's really no way for the user to tell. This does mean you should never plug in an untrusted USB-C flash drive (unless it's through a hub which would not allow the Thunderbolt traffic) into a Thunderbolt connector. It could be much worse than getting an ordinary virus.

      It also means your system may be vulnerable to unwanted searches through this vulnerability. Eve

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...