Cyber security researchers detail USB-C Thunderbolt hack, offer advice to avoid the hack

And this is why you don’t plug random devices into the USB-C ports on your Mac.

A group of researchers over at Light Blue Touchpaper have detailed a vulnerability through the Thunderbolt interface with USB-C ports. The attack, if executed correctly, can give hackers full access to data that “should never leave the machine.

On a positive note, Apple products seem better at guarding against the vulnerability the its competitors.

USB-C Ports, through which the Thunderbolt interface connects with a computer, “offer very privileged, low-level, direct memory access (DMA),” the researchers explained. This means that peripherals connected by Thunderbolt have much more privilege than a standard USB device. The researchers found the operating systems, had “very weak” defences against “malicious DNA-enabled peripheral devices.” The Thunderbolt device could access all network traffic, as well on occasion being able to access keystrokes and framebuffer data.

The report cites that the best protection against this attack is an Input-Output Memory Management Unit (IOMMU), which could theoretically only give devices access to the the memory they need to complete their task. The problem was the operating systems investigated did not “use the IOMMU effectively”.

“MacOS is the only OS we studied that uses the IOMMU out of the box,” the researchers said. Meanwhile Windows 7, Windows 8, and Windows 10 Home and Pro had not support for the IOMMU at all.

Still, in additional tests, researchers using a fake network card to access an operating system were able “to start arbitrary programs as the system administrator” on macOS. They added that while Apple had fixed the specific vulnerability that they found with macOS 10.12.4 in 2016 “the more general scope of such attacks remain relevant”. The researchers concluded that “such attacks are very plausible in practice.”

As useful as USB-C and Thunderbolt 3 are, the combination of power, video, and peripheral device DMA can create the presence of malicious charging stations or displays that function correctly but simultaneously take control of connected machines.

The researchers have coined the vulnerability “Thunderclap” and stated that they have been working with notebook vendors since 2016 to address the issues. However, the researchers repeated their calls for the vendors to improve operating system security. They added the usual advice that people should not attach unfamiliar USB-C devices to their laptops.

In short, be careful out there and try not to attach strange devices to your USB-C ports.

Stay tuned for additional details as they become available.

Via The Mac Observer and Light Blue Touchpaper