Security researches at the Network and Distributed Systems Security Symposium in San Diego unveiled a series of new Thunderbolt vulnerabilities collectively named Thunderclap.
We look at the security of input/output devices that use the Thunderbolt interface, which is available via USB-C ports in many modern laptops. Our work also covers PCI Express (PCIe) peripherals which are found in desktops and servers.
Such ports offer very privileged, low-level, direct memory access (DMA), which gives peripherals much more privilege than regular USB devices. If no defences are used on the host, an attacker has unrestricted memory access, and can completely take control of a target computer: they can steal passwords, banking logins, encryption keys, browser sessions and private files, and they can also inject malicious software that can run anywhere in the system.
We studied the defences of existing systems in the face of malicious DMA-enabled peripheral devices and found them to be very weak.
[...] We built a fake network card that is capable of interacting with the operating system in the same way as a real one, including announcing itself correctly, causing drivers to attach, and sending and receiving network packets. To do this, we extracted a software model of an Intel E1000 from the QEMU full-system emulator and ran it on an FPGA. Because this is a software model, we can easily add malicious behaviour to find and exploit vulnerabilities.
We found the attack surface available to a network card was much richer and more nuanced than was previously thought. By examining the memory it was given access to while sending and receiving packets, our device was able to read traffic from networks that it wasn't supposed to. This included VPN plaintext and traffic from Unix domain sockets that should never leave the machine.
[...] More generally, since this is a new space of many vulnerabilities, rather than a specific example, we believe all operating systems are vulnerable to similar attacks, and that more substantial design changes will be needed to remedy these problems. We noticed similarities between the vulnerability surface available to malicious peripherals in the face of IOMMU protections and that of the kernel system call interface, long a source of operating system vulnerabilities. The kernel system call interface has been subjected to much scrutiny, security analysis, and code hardening over the years, which must now be applied to the interface between peripherals and the IOMMU.
In short, consider disabling Thunderbolt drivers on important machines now.
You can read up more on Thunderclap here.
(Score: 3, Insightful) by Bot on Wednesday February 27 2019, @10:56AM (2 children)
Firewire rebooted
Anyway unix sockets and vpn leaks paint a broader pic, and a scary one.
Account abandoned.
(Score: 2) by driverless on Thursday February 28 2019, @12:03AM (1 child)
In other words, plugging random stuff unprotected into your open ports can give you the clap.
(Score: 2) by Bot on Thursday February 28 2019, @03:32PM
But it's fun :(
Account abandoned.