Security researchers at the Network and Distributed Systems Security Symposium in San Diego unveiled a series of new Thunderbolt vulnerabilities collectively named Thunderclap.
We look at the security of input/output devices that use the Thunderbolt interface, which is available via USB-C ports in many modern laptops. Our work also covers PCI Express (PCIe) peripherals which are found in desktops and servers.
Such ports offer very privileged, low-level, direct memory access (DMA), which gives peripherals much more privilege than regular USB devices. If no defences are used on the host, an attacker has unrestricted memory access, and can completely take control of a target computer: they can steal passwords, banking logins, encryption keys, browser sessions and private files, and they can also inject malicious software that can run anywhere in the system.
We studied the defences of existing systems in the face of malicious DMA-enabled peripheral devices and found them to be very weak.
[...] We built a fake network card that is capable of interacting with the operating system in the same way as a real one, including announcing itself correctly, causing drivers to attach, and sending and receiving network packets. To do this, we extracted a software model of an Intel E1000 from the QEMU full-system emulator and ran it on an FPGA. Because this is a software model, we can easily add malicious behaviour to find and exploit vulnerabilities.
We found the attack surface available to a network card was much richer and more nuanced than was previously thought. By examining the memory it was given access to while sending and receiving packets, our device was able to read traffic from networks that it wasn't supposed to. This included VPN plaintext and traffic from Unix domain sockets that should never leave the machine.
[...] More generally, since this is a new space of many vulnerabilities, rather than a specific example, we believe all operating systems are vulnerable to similar attacks, and that more substantial design changes will be needed to remedy these problems. We noticed similarities between the vulnerability surface available to malicious peripherals in the face of IOMMU protections and that of the kernel system call interface, long a source of operating system vulnerabilities. The kernel system call interface has been subjected to much scrutiny, security analysis, and code hardening over the years, which must now be applied to the interface between peripherals and the IOMMU.
In short, consider disabling Thunderbolt drivers on important machines now.
You can read up more on Thunderclap here.
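As an added illustration (not code from the Thunderclap paper or its authors), a toy Python model of why a network card that is only supposed to see its own packet buffers can read neighbouring data. It assumes the kernel maps packet buffers for DMA in place and that the IOMMU enforces access at 4 KiB page granularity, so whatever shares the mapped page is exposed too; it then contrasts this with a bounce-buffer mitigation that copies packets into dedicated pages.

```python
# Toy model of page-granular IOMMU mappings (an assumption of this added
# illustration, not a claim from the page): the kernel maps one packet buffer
# for DMA, but the IOMMU grants access per 4 KiB page, so the NIC sees more.
PAGE = 4096

def pages(addr, length):
    return range(addr // PAGE, (addr + length - 1) // PAGE + 1)

class Iommu:
    def __init__(self):
        self.mapped = set()  # page numbers the peripheral may access

    def map_range(self, addr, length):
        self.mapped.update(pages(addr, length))

    def device_read(self, mem, addr, length):
        """DMA read issued by the peripheral; every touched page must be mapped."""
        if any(p not in self.mapped for p in pages(addr, length)):
            raise PermissionError(f"DMA fault at {addr:#x}")
        return bytes(mem[addr:addr + length])

def device_dump_page(iommu, mem, addr):
    """What a curious NIC can read: the whole page around its buffer."""
    return iommu.device_read(mem, addr - addr % PAGE, PAGE)

def demo():
    mem = bytearray(8 * PAGE)
    # Constructed sample data: a small-object allocator (assumed) has put a
    # packet buffer and an unrelated VPN plaintext buffer in the same page.
    pkt_addr, secret_addr = 2 * PAGE + 0x100, 2 * PAGE + 0x800
    pkt = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    secret = b"VPN-PLAINTEXT constructed-secret-token"
    mem[pkt_addr:pkt_addr + len(pkt)] = pkt
    mem[secret_addr:secret_addr + len(secret)] = secret
    # 1. Map the packet in place: all of page 2 becomes device-readable.
    naive = Iommu()
    naive.map_range(pkt_addr, len(pkt))
    leaked = secret in device_dump_page(naive, mem, pkt_addr)
    # 2. Mitigation: copy the packet into a dedicated page-aligned bounce
    #    buffer and map only that page; the shared page stays unmapped.
    hardened, bounce = Iommu(), 5 * PAGE
    mem[bounce:bounce + len(pkt)] = pkt
    hardened.map_range(bounce, len(pkt))
    try:
        device_dump_page(hardened, mem, pkt_addr)
        fault = False
    except PermissionError:
        fault = True
    view = device_dump_page(hardened, mem, bounce)
    return {"leak_in_place": leaked, "fault_on_shared_page": fault,
            "leak_via_bounce": secret in view, "packet_via_bounce": pkt in view}
```

Running `demo()` shows the in-place mapping leaks the neighbouring buffer, while the bounce-buffer path faults on the shared page and exposes only the packet.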
(Score: 0) by Anonymous Coward on Wednesday February 27 2019, @03:05PM (2 children)
Yet an American dictionary lists the spellings as "chiefly British".
(Score: 1, Informative) by Anonymous Coward on Wednesday February 27 2019, @07:33PM (1 child)
Well, of course it does. Most of the world's English-speaking population is America, and what's left is chiefly British. (Or English, or UKish? Whatever distinction there may be, it strikes us as not only confusing but tremendously unimportant.)
Canada and Australia look big on a map, but Canada is a frozen wasteland with some habitable regions along the southern border, and Australia is the world's largest desert island with a habitable crust round the edges. New Zealand is just plain tiny.
U.S. 329,093,110
U.K. 66,959,016
Canada 37,279,811
Australia 25,088,636
Ireland 4,847,139
New Zealand 4,792,409
source [worldometers.info]
(Score: 0) by Anonymous Coward on Wednesday February 27 2019, @10:38PM
Cool info.
Also, "defences" is correct. So is "colours". "Rite" is wrong. :P