The recent discovery of Thunderclap vulnerabilities was found affecting Windows, Mac and Linux systems. Read on to know more about it…
Recently, a team of researchers revealed a new security vulnerability in the Thunderbolt data transfer specification called “Thunderclap” that could leave computers open to serious attacks from otherwise innocuous USB-C or DisplayPort hardware. This vulnerability was disclosed at the NDSS 2019 security conference.
Thunderbolt is a hardware interface designed by Apple and Intel. It allows the connection of external peripherals such as keyboards, chargers, video projectors etc. with a computer. These interfaces are widely deployed because they combine different capabilities – such as the ability to transmit DC power, serial data and video output – into one single cable.
The Thunderclap issue was discovered back in 2016 by researchers from the University of Cambridge, Rice University and SRI International. Since then, they have been working with hardware and OS versions to have them fixed.
The Thunderclap flaws affect all the Apple laptops and desktops that were produced after 2011, with the exception of the 12-inch MacBook. The flaws also impact many Windows and Linux systems produced since 2016.
According to researchers, all the versions of Thunderbolt from v1 to v3 are impacted by the Thunderclap flaws. Researcher Theo Markettos explains the Thunderclap takes advantage of the privileged, Direct-Memory Access (DMA) that Thunderbolt accessories are granted to gain access to the target device. Unless proper protections are put in place, hackers can use that access to steal data, track files, and run malicious code.
The Thunderclap vulnerabilities are even capable of bypassing an OS security feature known as Input-Output Memory Management Units (IOMMUs). The reason why these vulnerabilities are able to work against IOMMU is either because operating systems have disabled this feature by default or in cases the feature has been enabled by the user. The IOMMU was created in the early 2000s to counter malicious peripherals that try to gain access to the entire OS memory.
Here is the current state of patches for different operating systems for these flaws
Windows – Microsoft has enabled support for the IOMMU for Thunderbolt devices in Windows 10 version 1803. Earlier hardware upgraded to 1803 requires a firmware update from the vendor.
macOS – Apple has addressed the issue in macOS 10.12.4 and later version. “However, the general scope of our work still applies; in particular that Thunderbolt devices have access to all network traffic and sometimes keystrokes and framebuffer data,” said the researchers in a report.
Linux – Intel has released patches to version 5.0 of the Linux kernel. The version enables the IOMMU for Thunderbolt and prevents the protection-bypass vulnerability.
FreeBSD – The malicious peripheral devices of FreeBSD systems are not currently within the threat model. Researchers claim that FreeBSD does not currently support Thunderbolt hotplugging.
In the meantime, users are also advised to disable Thunderbolt ports via BIOS/UEFI firmware settings and to avoid plugging in peripherals from unknown sources.