Thunderclap attack allows access to system memory via Thunderbolt
Security researchers have found vulnerabilities in systems with Thunderbolt ports running Windows, macOS, Linux, and FreeBSD. The vulnerabilities allow access to system memory via peripheral devices.
Malicious individuals can connect specially crafted peripherals via Thunderbolt to perform a series of direct memory access or DMA attacks to extract sensitive data from memory. They can also arbitrarily execute code through vulnerable systems. The vulnerabilities can be exploited with Thunderbolt 3, which often works via USB-C, and older versions of the standard, which functions via mini-displayport. Apple, among others, has been equipping its Mac systems with the interface since 2011, but more and more other computers are also being supplied with Thunderbolt connections.
The Thunderclap vulnerabilities can also be exploited via peripherals that are otherwise connected via pci-e, such as internal video cards, but physical connection is easier to realize with Thunderbolt devices, increasing the threat of this. The nature of the vulnerabilities lies in the direct DMA access of peripherals via Thunderbolt or PCI-e, whereby OS security can be circumvented.
There is protection against too wide access to memory via peripherals, via input-output memory management units or iommus. However, according to the researchers, this protection is disabled by default on Linux and FreeBSD due to its performance impact, and support is limited on Windows 10 Enterprise.
For Windows 10 from version 1803, Microsoft has added support, previous versions require a firmware update from the manufacturer. For Linux, Intel has released a patch and Apple has disabled root access via network cards with the vulnerabilities in macOS 10.12.4 and later versions.
The researchers from the University of Cambridge, Rice University and SRI International have created an open source platform to facilitate research and enable parties to determine the risk associated with products. The Thunderclap platform consists of an fpga that runs the Thunderclap application and connects to the system via Thunderbolt or PCI-e. The application pretends to be an Ethernet card.