Security experts from Rice University in the United States,
The attack was dubbed by the researchers Thunderclap,
“The Thunderclap vulnerabilities are security flaws that affect the way modern computers interact with peripheral devices such as network cards, storage, and graphics cards.” the researchers explained.
“These vulnerabilities allow an attacker with physical access to a Thunderbolt port to compromise a target machine in a matter of seconds, running arbitrary code at the highest privilege level and potentially gaining access to passwords, banking logins, encryption keys, private files, browsing
The flaws affect all major operating systems, including Windows,
Direct memory access (DMA) attacks allow attackers to compromise a computer by simply plugging in a malicious hotplug device (i.e. a mouse, keyboard, storage) into Thunderbolt 3 port or the latest USB-C port.
The researchers explained that it is also possible to exploit the flaws through devices connected via PCI Express or chips directly soldered to the motherboard.
Attackers leverage the Thunderbolt port to allow connected devices to bypass operating system security policies and directly read/write the content of the system memory.
The attackers can create infected devices to manipulate the contents of the memory and execute arbitrary code with the highest privileges.
The latest generation of operating systems leverages Input/Output Memory Management Unit (IOMMU) protection technique to prevent DMA attacks. The technique implements the control of the accesses made by peripheral devices to the memory.
Unfortunately, the researchers discovered a set of flaws that could allow attackers to bypass IOMMU protection and access portions of the memory they want.
Some Windows and Linux systems mitigate Thunderclap attacks through the Thunderbolt access control mechanism that prompts users when a device is connected. Experts argued the prompt is not displayed if the attack is carried out via a PCI Express peripheral.
Users should not connect devices they do not know the origin or do not trust.
“Our work leverages vulnerabilities in operating system IOMMU usage to compromise a target system via DMA, even in the presence of an IOMMU that is enabled and configured to defend against DMA attacks. The novel Thunderclap security evaluation platform, built on field-programmable gate array (FPGA) hardware, mimics the functionality of a legitimate peripheral device to convince a target operating system to grant it access to regions of memory.” wrote the researchers.
“It then examines those regions of memory to find a rich and nuanced attack surface of vulnerable structures that can be exploited to take control of the system.”
The situation is worse because the IOMMU security mechanism is not enabled by default on most operating systems. Another factor of concern is that modern devices have USB-C extending
Experts shared their findings with major OS and hardware vendors that quickly implemented mitigation to address the Thunderclap vulnerabilities.
“In macOS 10.12.4 and later, Apple addressed the specific network card vulnerability we used to achieve a root shell,” researchers said. “Recently, Intel has contributed patches to version 5.0 of the Linux kernel.” continue the experts.
“The FreeBSD Project indicated that malicious peripheral devices are not currently within their threat model for security response.”
Anyway, on vulnerable machines, the best way to mitigate such kind of attacks is to disable the Thunderbolt ports.
Expert provided technical details on the vulnerabilities in a research paper, they also developed a proof-of-concept attacking hardware that can exploit the ThunderClap vulnerabilities on targeted systems, but they did not release it at this time.
(SecurityAffairs – Thunderclap, hacking)