Researchers have disclosed the details of an attack method that can allow a malicious actor to take control of a computer and gain access to sensitive data by connecting a specially crafted device to its Thunderbolt port.
The attack, dubbed Thunderclap, involves a series of vulnerabilities that can be exploited via Thunderbolt, a hardware interface created by Apple and Intel for connecting peripheral devices to a computer. The security holes were discovered by a team of researchers from Rice University in the United States, University of Cambridge in the United Kingdom, and SRI International.
The flaws affect the vast majority of laptops and desktop computers Apple has made since 2011, but they are not limited to Apple hardware: Thunderbolt 3 is commonly delivered over USB Type-C ports, so computers designed to run Windows and Linux can be vulnerable as well. The researchers also noted that exploitation is possible through devices attached via PCI Express, including chips soldered directly onto the targeted computer’s motherboard.
While launching an attack requires physical access to the targeted system, the experts noted that an attacker can use apparently harmless devices such as chargers or video projectors, which, in addition to launching an attack, can also perform their intended task to avoid raising suspicion.
The researchers reported their findings to affected vendors back in 2016 and have been working with them ever since to develop patches. Both Apple and Microsoft have rolled out some fixes for macOS (starting with version 10.12.4) and Windows (in Windows 10), but they only address the most dangerous problems discovered by the experts.
Intel has created patches for the Linux kernel (expected to be released soon) and one unnamed notebook vendor said it would try to address the issues before adding Thunderbolt to its new product lines.
Thunderclap attacks are mitigated on Windows and some Linux systems by a Thunderbolt access control mechanism (Thunderbolt security levels) that prompts the user to authorize a newly connected device before it is allowed to operate, but many people would likely click through these prompts. Furthermore, the researchers pointed out that the access control prompt is specific to Thunderbolt and is not displayed if the attack is carried out via a PCI Express peripheral.
“In general terms, platforms remain insufficiently defended from peripheral devices over Thunderbolt such that users should not connect devices they do not know the provenance of or do not trust,” the researchers noted.
The Thunderclap attack leverages the fact that peripheral devices are given direct memory access (DMA): a device can read from and write to system memory on its own, without the CPU or operating system mediating each access. Absent an IOMMU, that access extends to all of physical memory.
The targeted memory can store valuable information, such as passwords, financial information, and browsing data. Attackers could also inject code that would be executed with the highest privileges, giving them complete control over the machine.
The input-output memory management unit (IOMMU) was designed to protect against such attacks by restricting which regions of memory each peripheral can reach. However, the IOMMU introduces some performance penalty and has often been left disabled by default. Moreover, the researchers demonstrated that even with the IOMMU enabled and configured properly, attacks remain possible through the Thunderclap vulnerabilities, which stem from how operating systems use it: for example, device buffers are mapped at page granularity, so a device granted access to a buffer can also read whatever other data happens to share those pages.
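The two mitigations discussed above, the Thunderbolt authorization prompt and the IOMMU, are both visible from Linux sysfs, so a practitioner can audit a machine's posture before plugging in an unfamiliar dock. The following script is an added example written for this page, not code from the Thunderclap researchers or from any vendor. It reads the Thunderbolt security level (`/sys/bus/thunderbolt/devices/domainN/security`), each device's `authorized` attribute and the IOMMU group directories the kernel creates under `/sys/kernel/iommu_groups`; the `SYSFS_ROOT` override is a hypothetical parameter added so the functions can be run against a constructed directory tree.

```shell
#!/bin/sh
# DMA-protection posture check for Linux hosts with Thunderbolt.
# Added example, not from the Thunderclap paper or any vendor tool.
# SYSFS_ROOT is a hypothetical override (defaults to the real /sys) so
# the functions can be exercised against a constructed directory tree.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Print "domainN=<level>" for each Thunderbolt domain. The kernel exposes
# the security level as none, user, secure or dponly (among others);
# "none" means every attached device is authorized automatically, i.e.
# the user prompt described above is never shown.
tb_security_levels() {
    for d in "$SYSFS_ROOT"/bus/thunderbolt/devices/domain*; do
        [ -r "$d/security" ] || continue
        printf '%s=%s\n' "$(basename "$d")" "$(cat "$d/security")"
    done
}

# List devices that are connected but currently held back by the
# authorization mechanism. Each device directory (e.g. 0-1) carries an
# 'authorized' attribute: 0 = not authorized, 1 = authorized,
# 2 = authorized after a key challenge.
tb_unauthorized_devices() {
    for d in "$SYSFS_ROOT"/bus/thunderbolt/devices/[0-9]*-[0-9]*; do
        [ -r "$d/authorized" ] || continue
        if [ "$(cat "$d/authorized")" = "0" ]; then
            name="$(cat "$d/device_name" 2>/dev/null || echo unknown)"
            printf '%s (%s)\n' "$(basename "$d")" "$name"
        fi
    done
}

# Count IOMMU groups. With an IOMMU active the kernel creates one numbered
# directory per group; zero groups means peripherals get unrestricted DMA
# to all of physical memory, prompt or no prompt.
iommu_group_count() {
    n=0
    for g in "$SYSFS_ROOT"/kernel/iommu_groups/[0-9]*; do
        [ -d "$g" ] && n=$((n + 1))
    done
    echo "$n"
}

# Overall verdict: "ok" only when an IOMMU is active AND no Thunderbolt
# domain runs at security level "none". The IOMMU is required because
# PCI Express devices never see the authorization prompt at all.
dma_posture() {
    if [ "$(iommu_group_count)" -eq 0 ]; then
        echo weak
        return
    fi
    if tb_security_levels | grep -q '=none$'; then
        echo weak
        return
    fi
    echo ok
}

# Usage: run as root (or any user, sysfs is world-readable) on the host.
echo "Thunderbolt security levels:"; tb_security_levels
echo "Unauthorized Thunderbolt devices:"; tb_unauthorized_devices
echo "IOMMU groups: $(iommu_group_count)"
echo "DMA posture: $(dma_posture)"
```

Note that "ok" here only means the two mechanisms are switched on; as the researchers showed, an enabled IOMMU still leaves the page-granularity and mapping-lifetime openings that the Thunderclap vulnerabilities exploit, so the check is a necessary baseline rather than proof of safety.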
The researchers have made available technical details for Thunderclap and released an open source platform that can be used by other researchers and vendors interested in testing their products against these types of DMA attacks.
Back in 2015, a researcher showed how the Thunderbolt port on MacBooks could be abused to install an OS X firmware bootkit.