'Thunderclap' security flaw in Thunderbolt spec could compromise PCs via USB-C and DisplayPort connections

clock
Apple has already rolled out operating system-level mitigations to protect against 'Thunderclap' - but Microsoft hasn't...
Image:

Apple has already rolled out operating system-level mitigations to protect against 'Thunderclap' - but Microsoft hasn't...

Researchers uncovered the flaw in 2016 - but Microsoft still hasn't rolled out patches to protect users of Windows 10

Security specialists claim to have uncovered a flaw in the Thunderbolt connectivity specification that could expose PCs to attack via their USB-C and DisplayPort interfaces.

The vulnerability was uncovered by a team of researchers led by Theo Markettos, a senior research associate at the University of Cambridge Computer Laboratory.

Dubbed 'Thunderclap', the vulnerability enables hackers to exploit the privileged direct-memory access (DMA) provided via the Thunderbolt connection to access the targeted device.

"We studied the defences of existing systems in the face of malicious DMA-enabled peripheral devices and found them to be very weak," said Markettos.

"The primary defence is a component called the Input-Output Memory Management Unit (IOMMU), which, in principle, can allow devices to access only the memory needed to do their job and nothing else. However, we found existing operating systems do not use the IOMMU effectively."

Markettos added that Windows 7, 8, and 10 Home and Pro operating systems don't support IOMMU, and even Windows 10 Enterprise doesn't properly support it.

This means that the operating system-level access that Thunderbolt-compatible devices are granted, such as 4K monitors and external GPU enclosures, makes a machine more vulnerable to attacks that gain privileged access to a system.

"We built a fake network card that is capable of interacting with the operating system in the same way as a real one, including announcing itself correctly, causing drivers to attach, and sending and receiving network packets," said Markettos.

"To do this, we extracted a software model of an Intel E1000 from the QEMU full-system emulator and ran it on an FPGA. Because this is a software model, we can easily add malicious behaviour to find and exploit vulnerabilities.

"We found the attack surface available to a network card was much richer and more nuanced than was previously thought. By examining the memory it was given access to while sending and receiving packets, our device was able to read traffic from networks that it wasn't supposed to. This included VPN plaintext and traffic from Unix domain sockets that should never leave the machine."

On MacOS and FreeBSD, the researchers found that their dodgy network card could start arbitrary programmes as the system admin. On Linux, they were able to get access to sensitive kernel data structures and completely bypass the enabled IOMMU by setting a few option fields in the messages the malicious network card sent.

"Such attacks are very plausible in practice. The combination of power, video, and peripheral-device DMA over Thunderbolt 3 ports facilitates the creation of malicious charging stations or displays that function correctly but simultaneously take control of connected machines," said Markettos.

To execute a Thunderclap attack, though, would mean hacking a Thunderbolt accessory or peripheral - or executing an ‘evil maid' style of cyber attack in which a malicious third-party gains direct physical access to a targeted device.

The discovery of the security flaw isn't new. Markettos said that the researchers had been working with vendors to persuade them to implement mitigations since 2016, and Apple has already eradicated the flaw in its MacOS-based PCs.

More on Careers and Skills

Tech gift ideas 2021

Top 12 Christmas gift ideas for 2021

Wondering what to get for the tech enthusiast in your life? More importantly, wondering what to get for yourself? Then read on for Computing's guide to the must-have gifts for 2021...

Otto Sumner
clock 03 December 2021 • 4 min read
Seeking women in cyber security? Cast your net smaller!

Seeking women in cyber security? Cast your net smaller!

Jenny Duffy – penetration tester and head of talent at Pentest People – describes the obstacles she overcame to get into cyber security and what drives her mad about employers saying they can’t find good cyber security people.

Jenny Duffy
clock 29 November 2021 • 5 min read
Nerd Digital has found success with Evoke Classics

Nerd Digital achieves rapid results with classic car auction platform Evoke Classics

Former Computing business development director finds success with new venture

Stuart Sumner
clock 25 November 2021 • 2 min read