A new vulnerability has been discovered that affects all the major platforms, including macOS and Windows. It affects every device that uses the Thunderbolt interface and allows hackers to exploit your PC by just plugging in a wire.
The vulnerability was published earlier today by a group of researchers at the University of Cambridge, Department of Computer Science and Technology, Rice University, and SRI International. The paper presentation happened at the Network and Distributed System Security Symposium (NDSS) in San Diego, California. It describes a set of vulnerabilities in macOS, FreeBSD, and Linux, “which notionally utilize IOMMUs to protect against DMA attackers.”
The issue stems from the Direct Memory Access (DMA) that Thunderbolt gives to peripherals, which the existing IOMMU protection system does not properly restrict.
According to the paper, most modern computers are affected by this vulnerability, including but not limited to the following:
- Thunderbolt 3 is often supported via USB Type-C ports on modern laptops.
- Machines with older versions of Thunderbolt (carried over a Mini DisplayPort connector) are also affected.
- All Apple laptops and desktops produced since 2011 are vulnerable, with the exception of the 12-inch MacBook.
- Many laptops, and some desktops, designed to run Windows or Linux produced since 2016 are also affected – check whether your laptop supports Thunderbolt.
- Thunderclap vulnerabilities can also be exploited by compromised PCI Express peripherals, either plug-in cards or chips soldered to the motherboard.
In 2016, OS vendors added Thunderclap mitigation measures to their platforms, but the measures are not 100% effective and security flaws still impact systems protected using IOMMU. Some platforms, such as Windows 7, don’t come with IOMMU at all, and on the OSs where it is present, IOMMU is either limited (Windows 10 Enterprise) or disabled out of the box. The only platform where it is enabled is macOS, but even then users aren’t safe, given that Thunderclap vulnerabilities can still circumvent it.
The best way to protect yourself is to disable all Thunderbolt ports and to avoid using publicly available hardware such as chargers, as they might be altered to target devices. The best practice to stay safe is to make sure you don’t leave your laptop unattended.
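To see whether a Linux machine is in the "IOMMU disabled out of the box" state described above, the following added example (not from the paper or the original article) reads the kernel's sysfs entries for IOMMU groups and Thunderbolt domains. The function names and the optional `ROOT` prefix argument are assumptions made for this sketch; the prefix exists only so the check can be pointed at a constructed directory tree.

```shell
# Added example: report DMA-protection posture for Thunderbolt on Linux.
# Usage: dma_posture [ROOT]   (ROOT is a hypothetical path prefix for fixtures)

# Succeeds when the kernel has placed devices in IOMMU groups (IOMMU active).
iommu_active() {
    ia_root="${1:-}"
    for ia_g in "$ia_root"/sys/kernel/iommu_groups/*; do
        if [ -d "$ia_g" ]; then return 0; fi
    done
    return 1
}

# Prints one line per finding; returns 0 if nothing is exposed, 1 otherwise.
dma_posture() {
    dp_root="${1:-}"
    dp_rc=0
    dp_found=0
    if iommu_active "$dp_root"; then
        echo "iommu: active"
    else
        echo "iommu: INACTIVE (no IOMMU groups, device DMA is unrestricted)"
        dp_rc=1
    fi
    for dp_dom in "$dp_root"/sys/bus/thunderbolt/devices/domain*; do
        [ -d "$dp_dom" ] || continue
        dp_found=1
        dp_name=$(basename "$dp_dom")
        dp_level=$(cat "$dp_dom/security" 2>/dev/null || echo unknown)
        dp_prot=$(cat "$dp_dom/iommu_dma_protection" 2>/dev/null || echo 0)
        echo "$dp_name: security=$dp_level iommu_dma_protection=$dp_prot"
        # 'none' means plugged-in devices get PCIe tunnels with no approval.
        case "$dp_level" in
            none|unknown) dp_rc=1 ;;
        esac
        # 0 (or a missing attribute) means the kernel is not using the
        # IOMMU to protect against DMA from this Thunderbolt controller.
        [ "$dp_prot" = "1" ] || dp_rc=1
    done
    [ "$dp_found" -eq 1 ] || echo "thunderbolt: no controller exposed in sysfs"
    return "$dp_rc"
}
```

Call `dma_posture` with no argument to check the running system. A zero exit status only shows that the protections are switched on; as noted above, Thunderclap vulnerabilities can still circumvent an enabled IOMMU.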
Such attacks are very plausible in practice. The combination of power, video, and peripheral-device DMA over Thunderbolt 3 ports facilitates the creation of malicious charging stations or displays that function correctly but simultaneously take control of connected machines.
– Theodore Markettos