Security researchers have unearthed a set of severe vulnerabilities involving the Intel and Apple-developed Thunderbolt peripheral and charging connector interface that allow attackers to fully take over computers.
Thunderbolt, which is available through USB-C ports on modern laptops, provides low-level direct memory access (DMA) at much higher privilege levels than regular universal serial bus peripherals, a team of researchers from the University of Cambridge, Rice University and SRI International [pdf] noted.
This opens up laptops, desktops and servers with Thunderbolt input/output ports and PCI-Express connectors to attacks using malicious DMA-enabled peripherals, the researchers found.
"If no defences are used on the host, an attacker has unrestricted memory access, and can completely take control of a target computer: they can steal passwords, banking logins, encryption keys, browser sessions and private files, and they can also inject malicious software that can run anywhere in the system," they said.
"Such attacks are very plausible in practice. The combination of power, video, and peripheral-device DMA over Thunderbolt 3 ports facilitates the creation of malicious charging stations or displays that function correctly but simultaneously take control of connected machines," the researchers said.
The main defence against the above attacks is the input-output memory management unit (IOMMU) that allows devices to access only the memory needed for the job to done.
Enabling the IOMMU to protect against DMA attacks comes at a high performance cost however. Most operating systems trade off security for performance gains, and disable the IOMMU by default.
To explore if and how the IOMMU is used, the researchers built an open source field programmable gate array (FPGA) platform they called Thunderclap.
Windows 7 and 8 as well as Windows 10 Home and Pro did not support the IOMMU at all, the researchers found.
Windows 10 Enterprise can use the IOMMU, but only in a very limited way that leaves most of the system vulnerable.
The researchers have worked with vendors since 2016 to help mitigate the vulnerabilities, and Microsoft introduced the Kernel DMA Protection for Thunderbolt 3 in Windows 10 version 1803 and later variants.
This enables the IOMMU for Thunderbolt peripherals, but not PCIe devices. It requires firmware support however, meaning older laptops shipeed before Windows 10 1803 was released remain vulnerable.
Apple's macOS uses the IOMMU, but even with the hardware defence enabled, the researchers were able to use a fake network card to read data traffic that is meant to be confined to the machine and never leave it.
The network card was also able to run arbitrary programs at system administrator level on macOS and could read display contents from other Macs and keystrokes from a USB keyboard.
Apple patched the vulnerability in macOS 10.12.4 that was released in 2016, but the researchers say the more general scope of such attacks remains relevant.
The open source FreeBSD and Linux support the IOMMU, but it is not enabled by default in many distributions. As with macOS, it was possible to run arbitrary code at high privilege levels on FreeBSD and Linux, and to read data traffic, using the fake network card, the researchers said.
Additionally, on Linux the fake network card had access to kernel data structures and it was possible to bypass the IOMMU completely by setting a few option fields in the messages sent by the malicious devices the researchers built.
Intel has committed patches for Linux kernel 5.0 to enable the IOMMU for Thunderbolt peripherals and to disable a feature that allowed the researchers to bypass the hardware defence.
The vulnerabilties discovered by the researchers are serious enough that one unnamed major laptop vendor said it would like to study the flaws in greater detail before adding Thunderbolt interfaces to their new product lines.
On top of installing security updates for operating systems, the researchers suggested that users concerned about the threat should disable Thunderbolt ports on their machines. PCs often allow users to disable Thunderbolt in BIOS/UEFI firmware settings, while retaining power, video and USB functionality for the USB-C ports.
Users should take care not to leave their computers unattended in public and avoid using USB-C charging stations. They should also be wary of connecting unknown devices to the Thunderbolt port of their computers, even seemingly harmless peripherals like chargers and projectors.