from the you've-got-the-thunderclap dept.
Security researches at the Network and Distributed Systems Security Symposium in San Diego unveiled a series of new Thunderbolt vulnerabilities collectively named Thunderclap.
We look at the security of input/output devices that use the Thunderbolt interface, which is available via USB-C ports in many modern laptops. Our work also covers PCI Express (PCIe) peripherals which are found in desktops and servers.
Such ports offer very privileged, low-level, direct memory access (DMA), which gives peripherals much more privilege than regular USB devices. If no defences are used on the host, an attacker has unrestricted memory access, and can completely take control of a target computer: they can steal passwords, banking logins, encryption keys, browser sessions and private files, and they can also inject malicious software that can run anywhere in the system.
We studied the defences of existing systems in the face of malicious DMA-enabled peripheral devices and found them to be very weak.
[...] We built a fake network card that is capable of interacting with the operating system in the same way as a real one, including announcing itself correctly, causing drivers to attach, and sending and receiving network packets. To do this, we extracted a software model of an Intel E1000 from the QEMU full-system emulator and ran it on an FPGA. Because this is a software model, we can easily add malicious behaviour to find and exploit vulnerabilities.
We found the attack surface available to a network card was much richer and more nuanced than was previously thought. By examining the memory it was given access to while sending and receiving packets, our device was able to read traffic from networks that it wasn't supposed to. This included VPN plaintext and traffic from Unix domain sockets that should never leave the machine.
[...] More generally, since this is a new space of many vulnerabilities, rather than a specific example, we believe all operating systems are vulnerable to similar attacks, and that more substantial design changes will be needed to remedy these problems. We noticed similarities between the vulnerability surface available to malicious peripherals in the face of IOMMU protections and that of the kernel system call interface, long a source of operating system vulnerabilities. The kernel system call interface has been subjected to much scrutiny, security analysis, and code hardening over the years, which must now be applied to the interface between peripherals and the IOMMU.
In short, consider disabling Thunderbolt drivers on important machines now.
You can read up more on Thunderclap here.
Related Stories
DMA attacks have never really gone out of fashion and, contrary to popular belief, do not necessarily require physical access. DMA is a misfeature designed provide peripherals with direct, unconstrained, high-speed read-write access to the whole of a system's RAM. Firewire (IEEE-1394) and Thunderbolt are two of the more infamous avenues for attacks, but network cards and other peripherals can also have this capability. One example of abuse would for the peripheral to read and exfiltrate private encryption keys as they rest in memory.
Eclypsium's latest research shows that enterprise laptops, servers, and cloud environments continue to be vulnerable to powerful Direct Memory Access (DMA) attacks, even in the presence of protections such as UEFI Secure Boot, Intel Boot Guard, HP Sure Start, and Microsoft Virtualization-Based Security.
DMA attacks are a particularly powerful class of attacks for any adversary who has compromised firmware locally or remotely on peripheral hardware such as network cards, or who has physical access to a system. As the name suggests, DMA attacks enable a potential attacker to read and write memory off a victim system directly, bypassing the main CPU and OS. By overwriting memory, attackers can gain control over kernel execution to perform virtually any manner of malicious activity. We collectively refer to these as Memory Lane attacks.
Earlier on SN:
Thunderbolt Enables Severe Security Threats (2019)
$300 Device Can Steal Mac FileVault2 Passwords (2016)
(Score: 3, Insightful) by Bot on Wednesday February 27 2019, @10:56AM (2 children)
Firewire rebooted
Anyway unix sockets and vpn leaks paint a broader pic, and a scary one.
Account abandoned.
(Score: 2) by driverless on Thursday February 28 2019, @12:03AM (1 child)
In other words, plugging random stuff unprotected into your open ports can give you the clap.
(Score: 2) by Bot on Thursday February 28 2019, @03:32PM
But it's fun :(
Account abandoned.
(Score: 2) by Rich on Wednesday February 27 2019, @11:46AM (5 children)
Thunderbolt is PCI. I bloody expect from any PCI peripheral that it can do DMA and that the PCI subsystem doesn't make one jump through stupid hoops (which WILL eventually break) to get there. All this IOMMU stuff isn't there to make your machine safe against ninja burglar intruders (or maybe customs officers), but to lock you out of your own data.
The proper solution for the topic of TFA is a mechanical lock.
(Score: 2, Interesting) by Anonymous Coward on Wednesday February 27 2019, @12:00PM (1 child)
Did you miss the bit in the summary where it says "laptop"? You know, the type of computer that is often taken out from behind locked doors and into public? I agree, it's not as big a concern for servers and other machines where it's easy to restrict physical access.
(Score: 2) by Rich on Wednesday February 27 2019, @05:57PM
Did you think I wanted to lug a big server past mentioned customs officer?
That said, for convenience on small devices, I could live with a port that simply stays disabled until it is authorized by the user. And I don't want to hear anything about helpless hipsters who'd run out of ideas on how to boot from an external drive with such a switch.
(Score: 4, Interesting) by theluggage on Wednesday February 27 2019, @01:30PM (2 children)
Agreed - in other news, if you let strangers into your house they can steal your stuff.
However, with Thunderbolt, there's a wrinkle - Thunderbolt 3 combines Thunderbolt, USB2/3, DisplayPort (HDMI coming soon) and power supply into a single universal connector* (even Thunderbolt 1/2 incorporated DisplayPort) - and the happy shiny future (already embraced by Apple MacBooks**) is that its the only port you need.
So whereas you could (e.g.) put a mechanical lock on a desktop PC case, or on an old-school laptop's ExpressCard slot, do that on a TB3/USB-C-only laptop and you can't even charge it with the supplied adapter or plug into a data projector.
* ...but, unfortunately, a stupid combinatorial explosion of visually-identical cable types that undoes any 'simplicity'.
** ...don't bother to snark - I already think this is 'strike one' against current MacBooks. Shame about that nice world where you could have Unix with a half-decent GUI and still run Office/Adobe stuff natively when you needed to work with others...
(Score: 2) by Apparition on Wednesday February 27 2019, @02:06PM (1 child)
In the case of only a Thunderbolt port, your best bet is to use a USB hub that doesn't support Thunderbolt.
(Score: 3, Interesting) by theluggage on Wednesday February 27 2019, @03:17PM
Your best bet is to use known safe peripherals that don't support malware. Its not as if plugging an untrusted device into your computer is security city... that shouldn't be something that non-tech users have to think about when plugging in a charger.
In a sense, the wider problem goes back to USB-A ports in hotel rooms etc. becoming the standard low-voltage power supply. Of course, that 110v outlet could be sniffing your devices power consumption to try and deduce what you're typing but unless you're a spook of some sort that's far less likely than the hotel entertainment system getting infected (or even BigHotelCorp trying to install a rootkit for 'legitimate business purposes').
(Score: 2) by FatPhil on Wednesday February 27 2019, @01:07PM
And there were equivalent attacks for previous generations too, literally since a bus-mastering device could be plugged into a socket.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by sgleysti on Wednesday February 27 2019, @02:21PM (5 children)
This word is spelled defenses, not defences. Despite the association in meaning, no one puts the fence in defense because there isn't one.
I have an irrational fear that reading articles and comments online (or for that matter, the things my coworkers write) is going to screw up my ability to spell and use grammar properly. Then/than is probably the one that worries me the most, even though none of this should; like I said, it's irrational.
(Score: 3, Informative) by Rich on Wednesday February 27 2019, @02:39PM
"We have really everything in common with America nowadays, except, of course, language."
Oscar Wilde, The Canterville Ghost (1887).
https://www.gov.uk/government/organisations/ministry-of-defence [www.gov.uk]
(Score: 2) by Apparition on Wednesday February 27 2019, @02:55PM (3 children)
It's only spelled defenses in the United States. Everywhere else English is written in the world (Great Britain, Australia, Canada, New Zealand, etc.), it's defences. See here [grammarly.com].
(Score: 0) by Anonymous Coward on Wednesday February 27 2019, @03:05PM (2 children)
Yet an American dictionary lists the spellings as "chiefly British".
(Score: 1, Informative) by Anonymous Coward on Wednesday February 27 2019, @07:33PM (1 child)
Well, of course it does. Most of the world's English-speaking population is America, and what's left is chiefly British. (Or English, or UKish? Whatever distinction there may be, it strikes us as not only confusing but tremendously unimportant.)
Canada and Australia look big on a map, but Canada is a frozen wasteland with some habitable regions along the southern border, and Australia is the world's largest desert island with a habitable crust round the edges. New Zealand is just plain tiny.
U.S. 329,093,110
U.K. 66,959,016
Canada 37,279,811
Australia 25,088,636
Ireland 4,847,139
New Zealand 4,792,409
source [worldometers.info]
(Score: 0) by Anonymous Coward on Wednesday February 27 2019, @10:38PM
Cool info.
Also, "defences" is correct. So is "colours". "Rite" is wrong. :P
(Score: 2) by Runaway1956 on Wednesday February 27 2019, @05:30PM
https://www.youtube.com/watch?v=JWWTTpDgolM [youtube.com]
Do political debates really matter? Ask Joe!
(Score: 1) by nateman1352 on Thursday February 28 2019, @05:06AM (1 child)
For this reason, Windows now has IOMMU virtualization enabled to prevent DMA attacks (starting with Windows 10 RS4/1803/April 2018 Update): https://twitter.com/AmarSaar/status/985618204184768513 [twitter.com] In conjunction, tianocore also has IOMMU based DMA protection for 2 years now: https://github.com/tianocore/edk2/tree/master/IntelSiliconPkg/Feature/VTd [github.com]. So even if the OS isn't up yet DMA attacks are still locked out. Assuming you are running a recent OS and firmware, this is now a non-issue.
(Score: 0) by Anonymous Coward on Thursday February 28 2019, @07:12AM
When you assume you make an ASS out of U and ME.