Thunderclap: Apple Macs at risk from malicious Thunderbolt peripherals

Researchers have revealed how malicious Thunderbolt and PCI Express (PCIe) peripherals could be used to compromise computers running macOS, Windows, Linux and FreeBSD.

Nicknamed ‘Thunderclap’ in a presentation at last week’s Network and Distributed System Security Symposium (NDSS), the vulnerability has to do with Direct Memory Access (DMA), a standard technique for speeding up access to main memory from storage, USB controllers, and network and graphics cards.

More recently, the same low-level privilege has been extended to external peripherals such as Firewire, Thunderbolt 2 and 3, and USB-C, essentially expanding the risk of DMA attack from the trusted subsystems inside a computer to almost anything that might be plugged into it.

DMA attacks have been theorised for years which is why access is granted through a virtual address space managed by the operating system in conjunction with hardware Input-Output Memory Management Units (IOMMUs).

To test and model how secure DMA peripheral access is under real-world conditions, in 2015 the researchers built their own FPGA device – called Thunderclap – comprising PCIe slots and external Thunderbolt 2/3, USB-C interfaces.

Unfortunately, the researchers point out, it turns out that IOMMUs aren’t as effective as system designers have assumed for a complex web of reasons:

The software side of peripheral DMA interfaces is not implemented by carefully hardened kernel system-call code tested by decades of malicious attacks and fuzzing, but by thousands of device drivers that have been designed around historic mutual trust, hardware convenience, and performance maximization.

In short, there appeared to be numerous paths for a malicious peripheral to bypass or manipulate the IOMMU layer, not helped by OS developers and peripheral drivers implementing access in a jumble of different ways.

The Intel-Apple Thunderbolt interface was a particular focus because it’s been around for years and is in almost all Apple laptop and desktops. Notes the researchers’ blog:

These vulnerabilities allow an attacker with physical access to a Thunderbolt port to compromise a target machine in a matter of seconds, running arbitrary code at the highest privilege level and potentially gaining access to passwords, banking logins, encryption keys, private files, browsing and other data.

Which computers are affected?

For starters, any computer with a Thunderbolt port running on Windows, Linux or FreeBSD as well as macOS.

However, because Thunderbolt has been standard on Macs since 2011 and only started appearing on Windows and Linux systems more recently, this platform is most at risk. All Apple models are affected (except for the 12-inch MacBook), including post-2016 models running Thunderbolt 3 over USB-C as well as older ones using a Mini DisplayPort.

The issue isn’t just about Thunderbolt and can also affect PCIe cards found on lots of computers if these have somehow been compromised in the supply chain. That seems far less likely given that Thunderbolt and other external peripherals represent an easier line of attack.

What to do?

It depends how seriously you take the likelihood of an attack that exists as a proof-of-concept. If it bothers you, disabling Thunderbolt ports is one response although this might be either difficult or inconvenient depending on the computer.

The researchers suggest avoiding public USB-C charging stations and being wary about using unknown peripherals:

If you are prompted unexpectedly, you should not agree to any prompts, in particular with regard to installing drivers, and should unplug and not use the device.

Can this be fixed?

All OS vendors were informed of the issue in 2016 and have partially mitigated it with updates since then, specifically macOS 10.12.4 and later, Windows 10 version 1803 and later (additional hardware updates required for upgraded systems), and Intel patches for Linux kernel v5.0.

However, say the researchers, these patches don’t remove all of the risk, including against PCIe cards.

Longer term, the possibility of malicious peripherals with powerful access the OS can’t stop appears to be another complicated security problem developers will just have to get to work fixing with hard graft.