Thunderbolt 3 'Thunderclap' vulnerabilities let malicious peripherals attack a Mac's memory

Vulnerabilities in Thunderbolt have been disclosed by security researchers. The "Thunderclap" set of flaws allows a device connected over Thunderbolt to acquire sensitive data from the host Mac, an issue that affects almost all Macs released since 2011.

Revealed at the Network and Distributed Systems Security Symposium on Tuesday, Thunderclap is a set of vulnerabilities that take advantage of the way Thunderbolt operates. By abusing how Thunderbolt works, a malicious device can access system memory without any oversight from the operating system.

Thunderclap works chiefly because Thunderbolt peripherals and accessories are effectively treated as trusted components of a computer, complete with direct memory access (DMA) that can bypass operating system security policies, according to security researcher Theo Markettos. Thunderbolt gives devices "more privilege than regular USB devices," granting them more freedom and access to potentially sensitive information.

Practically all hardware with some form of Thunderbolt connection is affected, including those with USB Type-C ports and those with older Mini DisplayPort connections. In the case of Apple, a dedicated Thunderclap website notes "all Apple laptops and desktops produced since 2011 are vulnerable, with the exception of the 12-inch Macbook."

Existing defenses against malicious devices exploiting DMA were deemed "very weak." The primary defense, the Input-Output Memory Management Unit (IOMMU), can in theory restrict a device to only the memory required for its task and block off everything else, but not every operating system uses it.

It was found that macOS is the only operating system to use the IOMMU out of the box. Windows 7 through Windows 10 Home and Pro don't support the IOMMU, Windows 10 Enterprise supports it only in a "very limited way" that doesn't offer adequate protection, and while Linux and FreeBSD do support the IOMMU, it isn't enabled by default in most distributions.

It was also discovered that vulnerabilities remain even when the IOMMU is enabled. By constructing a fake network card that presents itself to the operating system much like a real one, the team found it could read traffic from networks it wouldn't normally have access to, and on macOS and FreeBSD it could start arbitrary programs as a system administrator.
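As a defender-side illustration of the point above, the following POSIX shell audit checks whether a Linux host actually has the first-line DMA defense the article describes (an active IOMMU) and what Thunderbolt device-authorization level the kernel reports. This is an added example, not code from the article or from the Thunderclap researchers. It reads the kernel's sysfs attributes (`/sys/kernel/iommu_groups`, which the kernel populates only when an IOMMU is enabled, and `/sys/bus/thunderbolt/devices/domain0/security`); the `ROOT` argument to each function is an assumption introduced here so the checks can be run against a constructed copy of that tree instead of the live system. Note that, as the article says, an active IOMMU is necessary but not sufficient: the fake-network-card attacks work even with it on.

```shell
#!/bin/sh
# Added example (not from the article or the Thunderclap project): read-only
# audit of the Linux settings relevant to DMA attacks from Thunderbolt devices.
# Every function takes ROOT, an assumed parameter that is "/" on a live system
# or a constructed directory tree when testing offline.

# iommu_active ROOT: succeeds when the kernel has populated IOMMU groups, i.e.
# an IOMMU is present and enabled. No groups means peripherals can DMA to all
# of physical memory without any translation or access checks.
iommu_active() {
    groups="$1/sys/kernel/iommu_groups"
    [ -d "$groups" ] || return 1
    for g in "$groups"/*; do
        [ -e "$g" ] && return 0
    done
    return 1
}

# iommu_group_count ROOT: prints the number of IOMMU groups (0 if none).
iommu_group_count() {
    n=0
    groups="$1/sys/kernel/iommu_groups"
    if [ -d "$groups" ]; then
        for g in "$groups"/*; do
            [ -e "$g" ] && n=$((n + 1))
        done
    fi
    echo "$n"
}

# thunderbolt_security ROOT: prints the Thunderbolt security level the kernel
# reports for domain0 (for example "none", "user", "secure", "dponly"), or
# "absent" when no Thunderbolt domain is exposed. "none" means any plugged-in
# device is attached to PCIe without user or firmware authorization.
thunderbolt_security() {
    f="$1/sys/bus/thunderbolt/devices/domain0/security"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo "absent"
    fi
}

# dma_audit ROOT: prints one line per finding; returns 0 only when the IOMMU
# is active and the Thunderbolt level is not "none".
dma_audit() {
    root="$1"
    rc=0
    if iommu_active "$root"; then
        echo "OK   IOMMU active ($(iommu_group_count "$root") groups)"
    else
        echo "WARN no IOMMU groups: peripherals get unrestricted DMA"
        rc=1
    fi
    level=$(thunderbolt_security "$root")
    case "$level" in
        none)   echo "WARN Thunderbolt security level is 'none'"; rc=1 ;;
        absent) echo "INFO no Thunderbolt domain exposed by the kernel" ;;
        *)      echo "OK   Thunderbolt security level: $level" ;;
    esac
    return $rc
}

# Run against the live system when invoked as: sh dma_audit.sh --live
if [ "${1:-}" = "--live" ]; then
    dma_audit /
fi
```

On a machine where the audit warns about missing IOMMU groups, the usual remedy is enabling the IOMMU in firmware and on the kernel command line (`intel_iommu=on` or `amd_iommu=on`, depending on the platform) and rebooting; the script itself changes nothing.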

The team of researchers working on the Thunderclap project includes Theo Markettos, Colin Rothwell, Brett Gutstein, Allison Pearce, Peter Neumann, Simon Moore, and Robert Watson. The team has been working with vendors since 2016, and many have issued patches and fixes to work around many of the vulnerabilities the researchers raised.

In the case of Apple, macOS fixed a vulnerability that allowed administrator access in the update to version 10.12.4 in 2016, though the researchers believe "the more general scope of such attacks remain relevant."

Such attacks are unlikely to affect the vast majority of macOS users, as they require physical access to a Thunderbolt Mac and a malicious peripheral that does not appear to exist yet. Short of being exceptionally careless with security, the only people likely to be affected by this sort of attack are those in an important position within an enterprise or of some importance to a government.

AppleInsider's general advice is to avoid plugging random and untrusted peripherals of any sort into a computer, such as "lost" USB drives of unknown origin, and to maintain the physical and software security of managed systems.

14 Comments

MacPro 19845 comments · 18 Years

So spy movies can now show secret agents plugging TB3 dongles into corporate Macs to download secrets instead of USB dongles into PCs.

cia 269 comments · 21 Years

While any vulnerability is a bad thing, the type of attack outlined here in this article should generally be of no concern to average users.

GeorgeBMac 11421 comments · 8 Years

cia said:
While any vulnerability is a bad thing, the type of attack outlined here in this article should generally be of no concern to average users.
"AppleInsider's general advice is to avoid plugging in random and untrusted peripherals of any sort into a computer"

Many average users commonly share data via flash drives. And with USB-C used as power the risk increases.

MplsP 4047 comments · 8 Years

cia said:
While any vulnerability is a bad thing, the type of attack outlined here in this article should generally be of no concern to average users.
"AppleInsider's general advice is to avoid plugging in random and untrusted peripherals of any sort into a computer"

Many average users commonly share data via flash drives. And with USB-C used as power the risk increases.

Not to mention the fact that with USB being combined with Thunderbolt using the USB-C connector, you can't tell the difference between a USB device and a Thunderbolt device based on the plug like you used to be able to.

That said, I agree with Cia that this is a low risk for your average user. It's also not clear from the article whether your computer has to be running and/or unlocked for the hack to be executed. If your computer is turned off or even in sleep mode and password protected, can someone still use this to access the memory? I suspect the answer is 'yes' to the latter, but probably not the former.

mongobongo 27 comments · 15 Years

How come the 12" MacBook is not affected?