Apple has already rolled out operating system-level mitigations to protect against ‘Thunderclap’ – but Microsoft hasn’t…
Security specialists claim to have uncovered a flaw in the Thunderbolt connectivity specification that could expose PCs to attack via their USB-C and DisplayPort interfaces.
The vulnerability was uncovered by a team of researchers led by Theo Markettos, a senior research associate at the University of Cambridge Computer Laboratory.
Dubbed ‘Thunderclap‘, the vulnerability enables hackers to exploit the privileged direct-memory access (DMA) provided via the Thunderbolt connection to access the targeted device.
“We studied the defences of existing systems in the face of malicious DMA-enabled peripheral devices and found them to be very weak,” said Markettos.
“The primary defence is a component called the Input-Output Memory Management Unit (IOMMU), which, in principle, can allow devices to access only the memory needed to do their job and nothing else. However, we found existing operating systems do not use the IOMMU effectively.”
Markettos added that Windows 7, 8, and 10 Home and Pro operating systems don’t support IOMMU, and even Windows 10 Enterprise doesn’t properly support it.
This means that the operating system-level access that Thunderbolt-compatible devices are granted, such as 4K monitors and external GPU enclosures, makes a machine more vulnerable to attacks that gain privileged access to a system.
“We built a fake network card that is capable of interacting with the operating system in the same way as a real one, including announcing itself correctly, causing drivers to attach, and sending and receiving network packets,” said Markettos.
“To do this, we extracted a software model of an Intel E1000 from the QEMU full-system emulator and ran it on an FPGA. Because this is a software model, we can easily add malicious behaviour to find and exploit vulnerabilities.
“We found the attack surface available to a network card was much richer and more nuanced than was previously thought. By examining the memory it was given access to while sending and receiving packets, our device was able to read traffic from networks that it wasn’t supposed to. This included VPN plaintext and traffic from Unix domain sockets that should never leave the machine.”
On MacOS and FreeBSD, the researchers found that their dodgy network card could start arbitrary programmes as the system admin. On Linux, they were able to get access to sensitive kernel data structures and completely bypass the enabled IOMMU by setting a few option fields in the messages the malicious network card sent.
“Such attacks are very plausible in practice. The combination of power, video, and peripheral-device DMA over Thunderbolt 3 ports facilitates the creation of malicious charging stations or displays that function correctly but simultaneously take control of connected machines,” said Markettos.
To execute a Thunderclap attack, though, would mean hacking a Thunderbolt accessory or peripheral – or executing an ‘evil maid’ style of cyber attack in which a malicious third-party gains direct physical access to a targeted device.
The discovery of the security flaw isn’t new. Markettos said that the researchers had been working with vendors to persuade them to implement mitigations since 2016, and Apple has already eradicated the flaw in its MacOS-based PCs.