Thunderbolt Vulnerabilities Leave Computers Wide-Open, Researchers Find (itnews.com.au)
Bismillah writes: Researchers have published the results of exploring how vulnerable Thunderbolt is to DMA attacks, and the answer is "very." Be careful what you plug into that USB-C port. Yes, the set of vulnerabilities has a name: "Thunderclap." "Thunderbolt, which is available through USB-C ports on modern laptops, provides low-level direct memory access (DMA) at much higher privilege levels than regular universal serial bus peripherals," reports ITNews, citing a paper published from a team of researchers from the University of Cambridge, Rice University and SRI International. "This opens up laptops, desktops and servers with Thunderbolt input/output ports and PCI-Express connectors to attacks using malicious DMA-enabled peripherals. The main defense against the above attacks is the input-output memory management unit (IOMMU) that allows devices to access only the memory needed for the job to be done. Enabling the IOMMU to protect against DMA attacks comes at a high performance cost however. Most operating systems trade off security for performance gains, and disable the IOMMU by default."
"Apple's macOS uses the IOMMU, but even with the hardware defense enabled, the researchers were able to use a fake network card to read data traffic that is meant to be confined to the machine and never leave it," the report adds. "The network card was also able to run arbitrary programs at system administrator level on macOS and could read display contents from other Macs and keystrokes from a USB keyboard. Apple patched the vulnerability in macOS 10.12.4 that was released in 2016, but the researchers say the more general scope of such attacks remains relevant."
Good replacement for Firewire then (Score:5, Insightful)
Considering this is Apple's choice of replacement for Firewire, this is not any worse of a tradeoff. Firewire already had DMA. Between this and Spectre/Meltdown, Trusted Computing (as anything other than DRM) is becoming more and more impossible.
Re: (Score:2)
I think it's macOS 10.12.4 that was released in 2016.
Re: (Score:2)
Apple patched the vulnerability in macOS 10.12.4 that was released in 2016, but the researchers say the more general scope of such attacks remains relevant.
Reading that literally, Apple patched a vulnerability discovered in 2018/9 in 2016?! What are they trying to say here?
I believe they're trying to say something along the lines of, "macOS 10.12.4, that was released in 2016, has been patched by Apple." Unfortunately, they're not very good at constructing sentences.
Which replaces PCI. Network card for untrusted (Score:5, Insightful)
That's true. These ports are like PCIe - you're adding new parts to your computer, plugging them into the motherboard. You probably shouldn't be trying to protect your computer from a malicious CPU, or RAM that is spying on you - these parts ARE your computer. So is your hard drive - whether you connect it via SATA, PCIe, Lightning, or mSATA. You aren't going to protect your computer against a malicious hard drive or graphics card, and the Lightning port is a port for hard drives and graphics.
If you want to connect to something while keeping it separate, having it not be part of your system, you can use the network port for that. That's the port for connecting to other things, untrusted things.
We COULD go back to the days of having separate, different types of ports for a keyboard, a printer, a display, etc. Then you'd know that what looks like a display can only act as a display, because it's connected to the VGA port, not the keyboard port.
Re:Which replaces PCI. Network card for untrusted (Score:4, Insightful)
The problem isn't when I plug something into my machine, but when some passerby or government agency plugs something into my machine. The whole issue is that this port is like a hooker on the corner on a Saturday night. Something plugged into a port on a computer should get access to exactly what I let it have access to with my root account, not automatically have access to everything stored in memory or transferred between memory, HDD or other parts of that same computer. Unless of course, the root account has allowed such access.
Re: (Score:2)
The problem isn't when I plug something into my machine, but when some passerby or government agency plugs something into my machine.
If this is a concern for you then install system services that disable port access. There are plenty out there, even my motherboard came with one.
The whole issue is that this port is like a hooker on the corner on a Saturday night.
Yes but the risk of a hooker doesn't mean we should give up on awesome sex. If you want physical security, use physical security.
Re: (Score:3)
No, the problem is plug-and-play. If the OS didn't install a driver and immediately allow the device to operate as soon as it was plugged in, we wouldn't have this problem. Same with USB but to a less severe extent.
You can actually do that on Windows. I don't know about MacOS.
https://docs.microsoft.com/en-... [microsoft.com]
Another thing that really helps is encrypted RAM. It makes DMA attacks far less effective.
Re:Which replaces PCI. Network card for untrusted (Score:4, Informative)
When connected, the Thunderbolt device needs to negotiate the link and request resources. By default it can't just DMA the entire memory space. The host has to read configuration parameters and configure the IOMMU to allow it.
Part of the problem is that the OS does a lot of that automatically, even if there is no driver available. For example when you connect a USB device the OS reads descriptors (metadata) from it, which means that there is a potential attack on the parser for that data. Thunderbolt is no different.
Re: (Score:2)
No, the problem is plug-and-play. If the OS didn't install a driver and immediately allow the device to operate as soon as it was plugged in, we wouldn't have this problem.
Not true. There's a myriad of devices in your computer attached to various devices that are completely OS independent and create a security risk. Do you have a driver for your RAM stick?
Re: (Score:2)
Jane Random servicewoman who comes into your house would have trouble opening your case, installing a device, and rebooting your computer all in the time it takes you to hit the head to squeeze a drop.
An actual case might even be locked and alarmed, too.
Personally, if I was wearing a protective cup, I'd hang my balls on the inside. But perhaps that's just m
That's an option on desktop, not laptop (Score:2)
That's certainly an option you have on desktops. You can avoid putting any high-performance ports external and install these things internally. On a laptop, not so much.
It does seem wise for an OS to not connect new peripherals while it's locked. I don't know offhand how each OS handles that.
Re: (Score:2)
We COULD go back to the days of having separate, different types of ports for a keyboard, a printer, a display, etc. Then you'd know that what looks like a display can only act as a display, because it's connected to the VGA port, not the keyboard port.
Or we could just have our OS tell us what the device is presenting as and prompt to enable DMA, obviously actual malicious peripherals would still be a vector but it somewhat blocks evil maid attacks (if you locked your computer) and hacked USB thumb drives.
Great question. US gvt standard since 1983 (Score:2)
> This doesn't work. You've created a distinction inside your head that no one else shares.
No one except people who have spent an hour or more learning about information security, any time within the last 35 years.
> Does everything have to be trusted? Is nothing trusted?
Excellent question! An important question. It's so important, it's one of the first things you learn if you study information security.
What is trusted is called the Trusted Computing Base.
It's defined quite thoroughly in the Trusted Co
Re: (Score:2)
> OK, so how exactly do I plug a USB mass storage device into that port and get it working? Oh that's right, I can't.
https://www.wd.com/products/ne... [wd.com]
If your budget is under $50
https://www.amazon.com/gp/aw/d... [amazon.com]
> isn't terribly relevant to the point I'm making.
Your point seems to be that users do stuff things?
That's true. And therefore we shouldn't tell them what's smart to do instead?
The fact is, if you install new hardware into your PCIe bus, you are implicitly trusting that hardware. Do you disagre
Article says apple isn't vulnerable (Score:2)
What a crappy, misleading presentation. They say even the Apple was vulnerable, but oh wait, that was on the unpatched Apple code, so never mind.
Re: (Score:2)
USB-C hubs don't pass Thunderbolt signalling. So a cheap USB-C hub would actually protect you from a Thunderbolt device disguised as USB-C.
"Protect" you (Score:3)
USB-C hubs don't pass Thunderbolt signalling. So a cheap USB-C hub would actually protect you from a Thunderbolt device disguised as USB-C.
You are assuming the hub itself is not really Thunderbolt in disguise, meant to spy on you - obviously it's not going to pass Thunderbolt stuff around, with its primary mission accomplished. That is primarily what I was warning about.
How would anyone know? It's all the same connector (or it can be anyway), and some hubs come with bundled unpluggable cables to attach to
Re: (Score:2)
They said cheap. Currently, I don't think you'd find a cheap Thunderbolt anything.
Sigh (Score:2)
They said cheap. Currently, I don't think you'd find a cheap Thunderbolt anything.
Do I seriously have to spell this out on Slashdot of all places? The whole POINT would be that people thought they were buying a non-thunderbolt device, it might actually cost $1 million to make or whatever by secretly including Thunderbolt and advanced spying hardware and cellular hardware (to transmit what it found), but you don't care because what you are seeking to obtain is more valuable.
Since I'm having to lay out every
Re: (Score:3)
But if any address you are to ship to matches a database Russia or China has provided you, the "special" model is shipped...
So now Amazon is a Russian operative?
off by default (Score:2)
The default configuration of Thinkpads running win10 requires you to give the device permission (admin rights required) before it will connect. You can do an always allow for devices, or turn security off in the bios.
Right idea, wrong conclusion (Score:2)
It's not the devices that are the problem here, but the shitty proprietary software that runs on them.
You have that exactly backwards.
With this level of direct system access, even the most bullet proof of open source code is not going to ever fully protect you.
But you are right to say "don't buy proprietary CRAP", emphasis on crap - as in, do not buy cheap devices to plug into your expensive hardware. That is a perfect philosophy for all things electronic - don't buy the cheapest chargers, cables, USB hubs
Re: (Score:3)
Probably over 85% of devices are the cheapest device, but in a nicer case. If you don't know enough to choose the good parts, you're screwed; paying more doesn't help, that's just nonsense. Often the peak of quality is on a mid-range item.
Re: (Score:2)
buy something quality
It was people who bought Cisco routers who got NSA implants, not people buying Netgear.
I think I've got it (Score:4, Funny)
So if I leave my laptop out when I go to the bathroom at Starbucks and nobody steals it, and I come back and there's some weird thing hanging off a Thunderbolt port, I guess I unplug it? Sage advice, this.
Re:I think I've got it (Score:5, Funny)
So if I leave my laptop out when I go to the bathroom at Starbucks and nobody steals it, and I come back and there's some weird thing hanging off a Thunderbolt port, I guess I unplug it?
By the time you're back from the bathroom, the weird Thunderbolt thing has already copied out your private information and been removed again. Its owner is now in line to buy a Frappucino, to be paid for from your bank account :)
Re: (Score:3)
I was in a coffee shop (not starbucks though, because they don't sell coffee) a couple of weeks back and a lady asked if I could watch her stuff while she went to the toilet. I suggested that she lock the screen before she went.
Granted, I'm trustworthy, and I live in a generally low crime sort of area, so the risk is pretty low. However, if you can't even get people to lock the screen, then stuff like this is just lightyears away.
A direct path in? (Score:3)
Who would have thought?
Would more security have slowed the data rate down?
Slowed it and used a lot more CPU. *IS* the comput (Score:3)
Yes, "more security" would have slowed the data rate. Probably more noticeable would have been that data transfers would use a LOT more CPU.
These ports are like PCIe - you're adding new parts to your computer, plugging them into the motherboard. You probably shouldn't be trying to protect your computer from a malicious CPU, or RAM that is spying on you - these parts ARE your computer. So is your hard drive - whether you connect it via SATA, PCIe, Lightning, or mSATA. You aren't going to protect your compute
An *unchecked* direct path in (Score:1)
Yes, "more security" would have slowed the data rate. Probably more noticeable would have been that data transfers would use a LOT more CPU.
Actually, no. You don't strictly need to abandon DMA (for PIO) to fix this.
The thing is that these DMA transfers give full access to the computer's memory to whatever is on the other side of that cable. This is not strictly necessary. Add a (hardware) fence, so set aside a range where DMA can happen and keep everything else out of it, and you can have both "more security" and all that juicy speed.
Same with firewire. The solution then was the same, too. If the controller can't do it on its own (firewire coul
Re: (Score:2)
Re: (Score:2)
That isn't really the case for any modern systems which use an IOMMU. By default the new device is firewalled off completely, and normally won't be given complete access to the entirety of RAM or anything like that.
The problem is that if you connect something like a GPU the OS helpfully auto-configures it and mirrors the screen onto it, including copying all the hidden bitmaps composited behind the lock screen into its RAM. It automatically mounts the Thunderbolt hard drive and starts reading and parsing th
Non-Issue with latest software (Score:5, Informative)
Re: (Score:2)
For this reason, Windows now has IOMMU virtualization enabled to prevent DMA attacks (starting with Windows 10 RS4/1803/April 2018 Update): https://twitter.com/AmarSaar/s... [twitter.com] In conjunction, tianocore also has IOMMU based DMA protection for 2 years now: https://github.com/tianocore/e... [github.com]. So even if the OS isn't up yet DMA attacks are still locked out. Assuming you are running a recent OS and firmware, this is now a non-issue.
The problem myself and others face with allowing VTd virtualization is that for some this will be the only lever available for stopping Intel AMT from being accessed externally.
When enabled and your computer is off it's still listening on TCP ports. When stealth mode firewall is on with all incoming ports blocked the port is still open. Virtualization is the only thing that physically allows the network hardware (wired and wireless) to be shared concurrently with both the host and management engine.
Re: (Score:3)
AMT doesn't need VTd turned on to access the network, so keeping VTd off for that reason does absolutely nothing. AMT has its own dedicated side band access to the network hardware. AMT only works with Intel networking gear (NIC/Wi-Fi) so the AMT firmware has all the drivers for the NIC built in. Actually, VTd HELPS mitigate AMT concerns because with it turned on AMT is unable to execute arbitrary DMA reads/writes to system RAM, VTd limits AMT's DMA to only the ranges of RAM that the OS allows.
By the way..
Re: (Score:2)
Actually, VTd HELPS mitigate AMT concerns because with it turned on AMT is unable to execute arbitrary DMA reads/writes to system RAM, VTd limits AMT's DMA to only the ranges of RAM that the OS allows.
I doubt IOMMU can stop AMT. I'm pretty sure they tap directly into the memory controller, bypassing IOMMU. After all, isn't the ME (backend for AMT) scandal related to the inability to block it with the OS?
Re: (Score:2)
AMT doesn't need VTd turned on to access the network, so keeping VTd off for that reason does absolutely nothing. AMT has its own dedicated side band access to the network hardware.
This simply isn't true. Without VTd the NICs can't be used by both AMT and the host system concurrently. My commentary was based on first hand real world observation of what actually occurs:
When VTd is enabled there is an active IP stack responding to pings and incoming TCP requests when the computer is turned completely off.
When VTd is enabled and all ports are firewalled in the operating system you can still establish incoming TCP connections to ports that not only bypass the firewall but are complete
Comment removed (Score:5, Funny)
does this also happen with lightning cables. (Score:1)
Thunderbolt and lightning,
Very, very frightening me.
"uses" the IOMMU (Score:2)
"Apple's macOS uses the IOMMU, but even with the hardware defense enabled, the researchers were able to use a fake network card to read data traffic that is meant to be confined to the machine and never leave it,"
Clearly they're either not using the IOMMU very well, their network stack is garbage, or both. So uh... which is it?
Re: (Score:3)
Vulnerability doesn't exist on Macs since 2016 (Score:1)
nt
Why does Thunderbolt exist? (Score:2)
Not using Mac, I might be missing something, but why would someone use Thunderbolt instead of USB 3.x?
Re: (Score:2)
It's PCIe plus USB plus video via one cable. Plug in a Thunderbolt to PCIe adapter into your laptop and insert whatever card you want into that adapter.
Plus it's much faster and lower latency than USB.
Re: (Score:2)
Note that thunderbolt is a common feature of non-Apple PCs as well.
One facet is that it supports 4x PCIe, so it can provide a much better performing connection than usb-c by itself.
Use boltd (Score:5, Interesting)
On Linux we have a solution – using Thunderbolt security levels to authorize external devices:
https://christian.kellner.me/2... [kellner.me]
This goes as far as blocking new devices connected while the screen is locked, so no one will connect a spy device and exfiltrate your data while you are away from your computer.
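The security levels and device authorization that boltd manages are exposed by the Linux thunderbolt driver through sysfs, and that interface is enough to audit a box without boltd installed. The script below is an added example (not code from the boltd project or from the comment above): it reads the domain security level, checks whether the kernel found an IOMMU (it only creates /sys/kernel/iommu_groups entries when DMA remapping is on), and lists every Thunderbolt device with its `authorized` state (0 = no PCIe tunnel yet, 1 = authorized, 2 = authorized with a key). The functions take a root directory so they can be run against the constructed sample tree at the bottom; on a live system call them with no argument and they read /sys. Vendor and device names in the sample are made up.

```shell
#!/bin/sh
# Added example: audit Thunderbolt security level and device authorization
# through the Linux kernel's sysfs interface (the same files boltd manages).
# Every function takes an optional root so it can run against a fake tree;
# with no argument it reads the real /sys.

# Print the domain security level: none, user, secure, dponly, usbonly or nopcie.
tb_security_level() {
  root="${1:-/sys}"
  f="$root/bus/thunderbolt/devices/domain0/security"
  [ -r "$f" ] && cat "$f" || echo "unknown"
}

# Succeed when the kernel has an active IOMMU: iommu_groups is populated
# only if a DMA-remapping unit was found and enabled at boot.
iommu_active() {
  root="${1:-/sys}"
  for g in "$root"/kernel/iommu_groups/*/; do
    [ -d "$g" ] && return 0
  done
  return 1
}

# One line per Thunderbolt device: <id> <authorized> <vendor> <name>.
# authorized: 0 = blocked (no PCIe tunnel), 1 = authorized, 2 = authorized with key.
tb_list_devices() {
  root="${1:-/sys}"
  for d in "$root"/bus/thunderbolt/devices/*/; do
    [ -r "$d/authorized" ] || continue   # the domain entry has no 'authorized'
    id=$(basename "$d")
    auth=$(cat "$d/authorized")
    vendor=$(cat "$d/vendor_name" 2>/dev/null || echo '?')
    name=$(cat "$d/device_name" 2>/dev/null || echo '?')
    printf '%s %s %s %s\n' "$id" "$auth" "$vendor" "$name"
  done
}

# Number of connected devices that are still fenced off (authorized = 0).
tb_unauthorized_count() {
  tb_list_devices "${1:-/sys}" | awk '$2 == 0 { n++ } END { print n + 0 }'
}

# Return 0 when the host is in a defensible state: IOMMU on, and a security
# level that refuses a PCIe tunnel until the device is explicitly authorized.
tb_audit() {
  root="${1:-/sys}"
  level=$(tb_security_level "$root")
  ok=0
  case "$level" in
    user|secure|nopcie|usbonly|dponly) ;;
    *) echo "WARN: security level '$level' tunnels PCIe without authorization"; ok=1 ;;
  esac
  if iommu_active "$root"; then
    echo "IOMMU: active"
  else
    echo "WARN: no IOMMU groups; DMA from authorized devices is unrestricted"; ok=1
  fi
  echo "Security level: $level"
  tb_list_devices "$root"
  return $ok
}

# Constructed sysfs tree for offline use (assumption: security level 'user',
# one dock already authorized, one unknown device still blocked).
make_sample_sysfs() {
  root="$1"
  mkdir -p "$root/bus/thunderbolt/devices/domain0" \
           "$root/bus/thunderbolt/devices/0-1" \
           "$root/bus/thunderbolt/devices/0-3" \
           "$root/kernel/iommu_groups/0"
  echo user > "$root/bus/thunderbolt/devices/domain0/security"
  echo 1 > "$root/bus/thunderbolt/devices/0-1/authorized"
  echo "Example Corp" > "$root/bus/thunderbolt/devices/0-1/vendor_name"
  echo "Dock" > "$root/bus/thunderbolt/devices/0-1/device_name"
  echo 0 > "$root/bus/thunderbolt/devices/0-3/authorized"
  echo "Unknown" > "$root/bus/thunderbolt/devices/0-3/vendor_name"
  echo "NIC" > "$root/bus/thunderbolt/devices/0-3/device_name"
}
```

Run `tb_audit` on a laptop with the level set to `none` in firmware and it warns, because at that level the driver authorizes everything on plug-in; at `user` or `secure` a new device stays at `authorized = 0` (no PCIe tunnel, so no DMA) until root writes 1 to that file or boltd enrolls it. The IOMMU check matters independently: authorization decides whether the device gets a tunnel at all, the IOMMU decides how much memory it can reach once it has one.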
Nothing new (Score:2)
Firewire, Express Card, Thunderbolt is just the latest iteration of high speed buses that create security problems.
Fortunately it's one I can protect myself against. A thunderbolt device won't randomly download itself into my port while I'm browsing porn.
Performance (Score:2)
Looks like IOMMU is roughly a 15% cpu overhead because of memory virtualization overhead causing increased cache invalidation. But it can be up to 60% overhead for events 256 bytes and smaller. This might apply for keyboard key presses, where the data structure for the event is larger than the data to indicate which key was pressed, or a UDP flood on a network interface; most other hardware devices are going to be dealing in 512 byte+ chunks of data at a time. ~15% cpu cost shoul
Re: (Score:2)
This might apply for keyboard key presses
Well, I doubt you'll find a keyboard that is DMAing, so it wouldn't apply there. Even if it did, no one types fast enough for this to even be a blip.
15% cost will matter a great deal to some, not at all to others.
In other news: Water wet! (Score:2)
I mean seriously, you are running PCI-E over some external port. Of course you can easily access everything, you are on the system bus you have virtually the same rights as the CPU.
Re: (Score:3)
But it's just a USB-C connector.
A malicious USB-C anything could be created (keyboard, mouse, flash drive) that really was Thunderbolt, and there's really no way for the user to tell. This does mean you should never plug in an untrusted USB-C flash drive (unless it's through a hub which would not allow the Thunderbolt traffic) into a Thunderbolt connector. It could be much worse than getting an ordinary virus.
It also means your system may be vulnerable to unwanted searches through this vulnerability. Eve