Photo by Thunderclap Team
Thunderclap Researchers Reveal Vulnerabilities Exploitable through Thunderbolt
A team of researchers has unearthed a group of security vulnerabilities that they’ve dubbed Thunderclap because the most common way of exploiting them is through Thunderbolt (PCs are also vulnerable through PCI Express devices). Thunderclap vulnerabilities take advantage of direct memory access—essential for maximum performance—between usually internal peripherals like graphics processors and network cards. However, technologies like Thunderbolt allow peripherals that are granted direct memory access to be hot-plugged at any time, enabling attacks on temporarily unattended computers. Plus, Thunderbolt’s use in charging means that attackers could create malicious public charging stations.
Unfortunately, Thunderclap affects basically all operating systems—the researchers call out macOS, Windows, Linux, and FreeBSD—and all Macs released since 2011 other than the 12-inch MacBook, which has only USB-C. The researchers disclosed Thunderclap to vendors in 2016 and have worked with them since. Apple, Intel, and Microsoft have all responded to some extent—Apple addressed a specific network card vulnerability in macOS 10.12.4 Sierra and later, but the Thunderclap researchers say other vulnerabilities remain unaddressed.
The likelihood of everyday users being targeted by an attacker using Thunderclap seems very low at the moment. The best defense, for now, is to be careful about what you plug into your computer, and if you’re a high-value target for some reason, to avoid leaving your computer unattended.
Similar issues concerning possible Thunderbolt and EFI attacks have been covered since at least 2015 as in https://trmm.net/Thunderstrike_2 and this 2017 article https://arstechnica.com/information-technology/2017/09/an-alarming-number-of-macs-remain-vulnerable-to-stealthy-firmware-hacks/.
DMA attacks go back a long way and affect a lot of connection types. From wikipedia: FireWire, CardBus, ExpressCard, Thunderbolt, PCI, and PCI Express.
The good part is that it requires physical access of some sort. The bad part is that it’s now comparatively easy to hide everything, including wi-fi data egress, in a normal looking cable.
A good rule of thumb is to not buy or use odd brand cables or cards, or to buy from places like amazon that are careless about mixing counterfeits in with genuine stuff.
Join the discussion in the TidBITS Discourse forum