'Thunderclap' security flaw in Thunderbolt spec could compromise PCs via USB-C and DisplayPort connections

clock • 3 min read

Researchers uncovered the flaw in 2016 - but Microsoft still hasn't rolled out patches to protect users of Windows 10

Security specialists claim to have uncovered a flaw in the Thunderbolt connectivity specification that could expose PCs to attack via their USB-C and DisplayPort interfaces.

The vulnerability was uncovered by a team of researchers led by Theo Markettos, a senior research associate at the University of Cambridge Computer Laboratory.

Dubbed 'Thunderclap', the vulnerability enables hackers to exploit the privileged direct-memory access (DMA) provided via the Thunderbolt connection to access the targeted device.

"We studied the defences of existing systems in the face of malicious DMA-enabled peripheral devices and found them to be very weak," said Markettos.

"The primary defence is a component called the Input-Output Memory Management Unit (IOMMU), which, in principle, can allow devices to access only the memory needed to do their job and nothing else. However, we found existing operating systems do not use the IOMMU effectively."

Markettos added that Windows 7, 8, and 10 Home and Pro operating systems don't support IOMMU, and even Windows 10 Enterprise doesn't properly support it.

This means that the operating system-level access that Thunderbolt-compatible devices are granted, such as 4K monitors and external GPU enclosures, makes a machine more vulnerable to attacks that gain privileged access to a system.

"We built a fake network card that is capable of interacting with the operating system in the same way as a real one, including announcing itself correctly, causing drivers to attach, and sending and receiving network packets," said Markettos.

"To do this, we extracted a software model of an Intel E1000 from the QEMU full-system emulator and ran it on an FPGA. Because this is a software model, we can easily add malicious behaviour to find and exploit vulnerabilities.

"We found the attack surface available to a network card was much richer and more nuanced than was previously thought. By examining the memory it was given access to while sending and receiving packets, our device was able to read traffic from networks that it wasn't supposed to. This included VPN plaintext and traffic from Unix domain sockets that should never leave the machine."

On MacOS and FreeBSD, the researchers found that their dodgy network card could start arbitrary programmes as the system admin. On Linux, they were able to get access to sensitive kernel data structures and completely bypass the enabled IOMMU by setting a few option fields in the messages the malicious network card sent.

"Such attacks are very plausible in practice. The combination of power, video, and peripheral-device DMA over Thunderbolt 3 ports facilitates the creation of malicious charging stations or displays that function correctly but simultaneously take control of connected machines," said Markettos.

To execute a Thunderclap attack, though, would mean hacking a Thunderbolt accessory or peripheral - or executing an ‘evil maid' style of cyber attack in which a malicious third-party gains direct physical access to a targeted device.

The discovery of the security flaw isn't new. Markettos said that the researchers had been working with vendors to persuade them to implement mitigations since 2016, and Apple has already eradicated the flaw in its MacOS-based PCs.

You may also like
EU investigating Meta over failure to protect children from 'addictive' algorithms

Legislation and Regulation

Suspects Facebook and Instagram leading minors down 'rabbit hole'

clock 16 May 2024 • 1 min read
EU probes Apple, Google and Meta for DMA violations

Compliance

'We can't just sit around and wait,' says EU industry chief Thierry Breton

clock 26 March 2024 • 4 min read
Big tech voices opposition to digital competition law in India

Legislation and Regulation

Tech giants fear introduction of EU DMA-style law

clock 18 March 2024 • 3 min read

Sign up to our newsletter

The best news, stories, features and photos from the day in one perfectly formed email.

More on Security

Microsoft 365 emails vulnerable to newly discovered exploits

Microsoft 365 emails vulnerable to newly discovered exploits

Security woes continue

Penny Horwood
clock 20 June 2024 • 2 min read
Cyber gang shifts focus to SaaS apps

Cyber gang shifts focus to SaaS apps

‘Scattered Spider’ is targeting vSphere, Salesforce, Crowdstrike and more

Vikki Davies
clock 18 June 2024 • 2 min read
Microsoft June Patch Tuesday has fixes for Windows, Outlook and SharePoint

Microsoft June Patch Tuesday has fixes for Windows, Outlook and SharePoint

A relatively quiet month

John Leonard
clock 12 June 2024 • 2 min read