February 27, 2019
A group of researchers presented a paper on Thunderclap this week at the Network and Distributed Systems Security Symposium (NDSS) 2019 in San Diego. Thunderclap is a collection of vulnerabilities in the Thunderbolt hardware interface. It poses a threat to all major operating systems, and the attack can hide in any peripheral device attached to a computer.
How does Thunderclap work?
Thunderclap exploits weaknesses in Thunderbolt, a widely used hardware interface. Peripheral devices use Thunderbolt to connect to a computer. An attacker can plant malicious code in a device and connect it to a computer over Thunderbolt; through Thunderclap, that code can gain access to the memory of any operating system and read data without permission.
Apple and Intel developed Thunderbolt to let external devices such as keyboards, chargers, and projectors connect to a computer. Thunderbolt combines several technologies in a single cable that can, for example, transfer data, charge phones, and carry video. Apple was the only company using it at first; other hardware vendors adopted it later. The first two versions use the Mini DisplayPort connector and the third and most popular one uses USB-C.
The researchers claimed that all three versions of Thunderbolt are susceptible to Thunderclap. The three major operating systems, as well as FreeBSD, are potentially at risk. Apple products made since 2011 and laptops and PCs running Windows and Linux made since 2016 all use Thunderbolt, so all of those products are at risk, except the 12″ MacBook.
Why is Thunderclap so dangerous?
Thunderclap takes advantage of a fundamental OS and hardware feature called Direct Memory Access (DMA). When a peripheral device is connected to a computer through the Thunderbolt interface, the OS immediately gives it direct access to its memory. That way, a device carrying malicious code can appear to work normally while the malware reads through memory, stealing confidential information.
In the early 2000s, developers introduced a protection against DMA attacks called the Input-Output Memory Management Unit (IOMMU). Thunderclap gets past this protection for a couple of possible reasons: the OS may leave the IOMMU disabled by default, or, if it is enabled, the OS may place user data in the same memory space that it shares with the peripheral device, so the malware on the device can still reach it.
How can this be solved?
Researchers from three universities discovered Thunderclap in 2016 and warned the public about it. They have been trying to find a solution since then. OS developers have taken some time to start working on a fix for every type of Thunderclap attack, so there hasn’t been much progress in the past three years.
The researchers have described the updates each OS has made against Thunderclap. Windows added IOMMU support for Thunderbolt devices in Windows 10; every device needs to be upgraded to version 1803, which is significant progress, but the most complex issues haven’t been fixed. Apple acknowledged a particular network card weakness in macOS 10.12.4. More complex issues, such as Thunderclap accessing network traffic, keystrokes, and framebuffer contents, haven’t been resolved yet.
Intel has contributed patches to Linux kernel 5.0. The patches enable the IOMMU and block the weakness that exploits PCI Express’s Address Translation Services (ATS). The FreeBSD Project doesn’t support the Thunderbolt interface at the moment; it stated that infected peripherals are not yet “within their threat model for security response”.
What are the recommendations?
The researchers recommended disabling Thunderbolt in the BIOS/UEFI firmware. Users also shouldn’t connect untrusted peripheral devices to their computers if they can avoid it. Thunderclap can also work through infected PCI Express peripherals such as plug-in cards or chips soldered onto the motherboard. These attacks are more complex because they also involve compromising the peripheral’s firmware.
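The two mitigations the article keeps coming back to, an IOMMU that is actually switched on and a Thunderbolt stack that does not hand PCIe (and therefore DMA) access to any device that is plugged in, can be checked from a running Linux host. The audit below is an added example written for this page; it is not code from the article or from the Thunderclap researchers. It reads the sysfs attributes the Linux kernel exposes (`/sys/kernel/iommu_groups`, and the `security`, `iommu_dma_protection` and per-device `authorized` attributes under `/sys/bus/thunderbolt/devices`); the sample sysfs tree it builds in a temporary directory is constructed data, and the "findings" wording and the decision of what to flag are this example's own.

```python
"""Audit a Linux host's DMA protections for Thunderbolt peripherals.

Added example (not from the article or the Thunderclap researchers). It reads
the sysfs attributes the Linux kernel exposes for Thunderbolt domains and
devices and reports whether the mitigations discussed above (an active IOMMU,
Thunderbolt device authorization) are in effect. The sysfs paths and
attribute names are the kernel's own; the tree built by build_sample_sysfs()
is constructed sample data for offline demonstration.
"""
import tempfile
from pathlib import Path


def read_attr(path: Path, default: str = "") -> str:
    """Return the stripped contents of a sysfs attribute, or default if absent."""
    try:
        return path.read_text().strip()
    except OSError:
        return default


def audit_dma_protection(sysfs_root: str) -> dict:
    """Inspect a sysfs tree rooted at sysfs_root and summarise DMA protections.

    Checks performed:
      * sys/kernel/iommu_groups/ non-empty       -> an IOMMU is active
      * thunderbolt domainN/security == 'none'   -> any device gets PCIe access
      * domainN/iommu_dma_protection == '1'      -> kernel applies IOMMU DMA
                                                    protection to Thunderbolt
      * per-device 'authorized' flag             -> which devices have PCIe tunnels
    Pass "/" to audit the real host.
    """
    root = Path(sysfs_root)
    groups = root / "sys" / "kernel" / "iommu_groups"
    iommu_active = groups.is_dir() and any(groups.iterdir())

    tb = root / "sys" / "bus" / "thunderbolt" / "devices"
    domains, devices = {}, {}
    if tb.is_dir():
        for entry in sorted(tb.iterdir()):
            if entry.name.startswith("domain"):
                domains[entry.name] = {
                    "security": read_attr(entry / "security", "unknown"),
                    "iommu_dma_protection":
                        read_attr(entry / "iommu_dma_protection", "0") == "1",
                }
            elif (entry / "authorized").exists():
                devices[entry.name] = {
                    "name": read_attr(entry / "device_name", "?"),
                    "authorized": read_attr(entry / "authorized", "0") != "0",
                }

    findings = []
    if not iommu_active:
        findings.append("no IOMMU groups present: peripheral DMA is unrestricted")
    for name, d in domains.items():
        if d["security"] == "none":
            findings.append(f"{name}: security level 'none', devices get PCIe "
                            "access without authorization")
        if not d["iommu_dma_protection"]:
            findings.append(f"{name}: kernel does not report IOMMU DMA protection "
                            "for Thunderbolt")
    for name, dev in devices.items():
        if dev["authorized"]:
            findings.append(f"{name} ({dev['name']}) is authorized for PCIe "
                            "tunnelling; confirm it is a trusted device")

    return {"iommu_active": iommu_active, "domains": domains,
            "devices": devices, "findings": findings}


def build_sample_sysfs(root: str, *, iommu: bool, security: str,
                       dma_protection: bool) -> str:
    """Write a constructed sysfs tree (sample data, not a real host) under root."""
    base = Path(root)
    if iommu:
        (base / "sys/kernel/iommu_groups/0").mkdir(parents=True)
    dom = base / "sys/bus/thunderbolt/devices/domain0"
    dom.mkdir(parents=True)
    (dom / "security").write_text(security + "\n")
    (dom / "iommu_dma_protection").write_text(("1" if dma_protection else "0") + "\n")
    dev = base / "sys/bus/thunderbolt/devices/0-1"   # one connected device
    dev.mkdir()
    (dev / "device_name").write_text("Sample Dock\n")
    (dev / "authorized").write_text("1\n")
    return root


def audit_sample(iommu: bool, security: str, dma_protection: bool) -> dict:
    """Build a constructed tree in a temp dir, audit it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_sysfs(tmp, iommu=iommu, security=security,
                           dma_protection=dma_protection)
        return audit_dma_protection(tmp)


if __name__ == "__main__":
    # Weak configuration: IOMMU off, Thunderbolt security level 'none'.
    for line in audit_sample(False, "none", False)["findings"]:
        print("FINDING:", line)
    # Hardened configuration: only the connected device is listed for review.
    for line in audit_sample(True, "user", True)["findings"]:
        print("REVIEW:", line)
```

On a real machine call `audit_dma_protection("/")`; a host where `iommu_active` is false or a domain reports `security` of `none` is exactly the "IOMMU disabled by default" situation the article describes, and the `authorized` list is the set of peripherals that currently hold a PCIe tunnel. Disabling Thunderbolt in firmware, the researchers' first recommendation, cannot be observed from sysfs, so that check still has to be done in the BIOS/UEFI setup.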