Security specialists claim to have uncovered a flaw in the Thunderbolt connectivity specification that could expose PCs to attack via their USB-C and DisplayPort interfaces.
The vulnerability was uncovered by a team of researchers led by Theo Markettos, a senior research associate at the University of Cambridge Computer Laboratory.
Dubbed 'Thunderclap', the vulnerability enables hackers to exploit the privileged direct-memory access (DMA) provided via the Thunderbolt connection to access the targeted device.
"We studied the defences of existing systems in the face of malicious DMA-enabled peripheral devices and found them to be very weak," said Markettos.
"The primary defence is a component called the Input-Output Memory Management Unit (IOMMU), which, in principle, can allow devices to access only the memory needed to do their job and nothing else. However, we found existing operating systems do not use the IOMMU effectively."
Markettos added that Windows 7, 8, and 10 Home and Pro operating systems don't support IOMMU, and even Windows 10 Enterprise doesn't properly support it.
This means that the operating system-level access that Thunderbolt-compatible devices are granted, such as 4K monitors and external GPU enclosures, makes a machine more vulnerable to attacks that gain privileged access to a system.
"We built a fake network card that is capable of interacting with the operating system in the same way as a real one, including announcing itself correctly, causing drivers to attach, and sending and receiving network packets," said Markettos.
"To do this, we extracted a software model of an Intel E1000 from the QEMU full-system emulator and ran it on an FPGA. Because this is a software model, we can easily add malicious behaviour to find and exploit vulnerabilities.
"We found the attack surface available to a network card was much richer and more nuanced than was previously thought. By examining the memory it was given access to while sending and receiving packets, our device was able to read traffic from networks that it wasn't supposed to. This included VPN plaintext and traffic from Unix domain sockets that should never leave the machine."
On MacOS and FreeBSD, the researchers found that their dodgy network card could start arbitrary programmes as the system admin. On Linux, they were able to get access to sensitive kernel data structures and completely bypass the enabled IOMMU by setting a few option fields in the messages the malicious network card sent.
"Such attacks are very plausible in practice. The combination of power, video, and peripheral-device DMA over Thunderbolt 3 ports facilitates the creation of malicious charging stations or displays that function correctly but simultaneously take control of connected machines," said Markettos.
To execute a Thunderclap attack, though, would mean hacking a Thunderbolt accessory or peripheral - or executing an ‘evil maid' style of cyber attack in which a malicious third-party gains direct physical access to a targeted device.
The discovery of the security flaw isn't new. Markettos said that the researchers had been working with vendors to persuade them to implement mitigations since 2016, and Apple has already eradicated the flaw in its MacOS-based PCs.
Working from home, staying secure: 14 Identity & Access Management tools to deal with the coronavirus fallout
With record numbers working remotely during the COVID-19 crisis, CIOs and CISOs must look at how to maintain identity and access securely across a dispersed network
Zoom denies claims that its service is a security risk
Half of all UK businesses hit by security breaches in the past 12 months, according to government Cyber Security Breaches Survey 2020
More businesses and charities than ever are being hit by cyber attacks, according to the latest survey – but organisation are also becoming more resilient
APT41 attacks carried out between January and March targeted unsecured Citrix NetScaler servers and Cisco routers
More and more ransomware groups are starting to steal data before encryption in order to blackmail their victims into paying up