SecurityWeek


‘Thunderclap’ Flaws Expose Computers to Attacks via Peripheral Devices

Researchers have disclosed the details of an attack method that can allow a malicious actor to take control of a computer and gain access to sensitive data by connecting a specially crafted device to its Thunderbolt port.


The attack, dubbed Thunderclap, involves a series of vulnerabilities that can be exploited via Thunderbolt, a hardware interface created by Apple and Intel for connecting peripheral devices to a computer. The security holes were discovered by a team of researchers from Rice University in the United States, University of Cambridge in the United Kingdom, and SRI International.

The flaws impact the vast majority of the laptops and desktop computers made by Apple since 2011. However, Thunderbolt 3 is often supported via USB Type-C ports, which means that computers designed to run Windows and Linux can be vulnerable as well. The researchers noted that exploitation is also possible through devices connected via PCI Express or chips directly soldered to the targeted computer’s motherboard.

While launching an attack requires physical access to the targeted system, the experts noted that an attacker can use apparently harmless devices such as chargers or video projectors, which, in addition to launching an attack, can also perform their intended task to avoid raising suspicion.

The researchers reported their findings to affected vendors back in 2016 and have been working with them ever since to develop patches. Both Apple and Microsoft have rolled out some fixes for macOS (starting with version 10.12.4) and Windows (in Windows 10), but they only address the most dangerous problems discovered by the experts.

Intel has created patches for the Linux kernel (expected to be released soon) and one unnamed notebook vendor said it would try to address the issues before adding Thunderbolt to its new product lines.

Thunderclap attacks are mitigated on Windows and some Linux systems due to a Thunderbolt access control mechanism that prompts users when a device is connected, but many people would likely click through these prompts. Furthermore, the researchers pointed out that the access control prompt is not displayed if the attack is carried out via a PCI Express peripheral.

“In general terms, platforms remain insufficiently defended from peripheral devices over Thunderbolt such that users should not connect devices they do not know the provenance of or do not trust,” the researchers noted.

The Thunderclap attack leverages the fact that peripheral devices are given direct memory access (DMA), which means they can read from and write to all the system memory without oversight from the operating system.


The targeted memory can store valuable information, such as passwords, financial information, and browsing data. Attackers could also inject code that would be executed with the highest privileges, giving them complete control over the machine.

The input-output memory management unit (IOMMU) was designed to provide protection against such attacks by restricting the access of peripherals to memory. However, IOMMU introduces some performance penalties and it’s often disabled by default. On the other hand, the researchers have demonstrated that even if IOMMU is enabled and configured properly, attacks are still possible via the Thunderclap vulnerabilities.
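The two defences the article names, the Thunderbolt access-control prompt and the IOMMU, are both visible from sysfs on a Linux host. The audit script below is an added example (not code from the researchers' Thunderclap platform or from SecurityWeek): it rates a host's exposure from those attributes and exercises the logic on constructed sysfs trees; the attribute names follow the Linux kernel's Thunderbolt documentation, while the sample trees and risk labels are this example's own.

```python
import pathlib
import tempfile

# The sysfs attributes read here are documented in the Linux kernel's Thunderbolt admin guide:
# domainN/security (none|user|secure|dponly|usbonly), domainN/iommu_dma_protection (0|1),
# and /sys/kernel/iommu_groups/, which is populated only when an IOMMU is active.

def _read(path):
    try:
        return path.read_text().strip()
    except OSError:
        return None

def assess_dma_exposure(sysfs_root="/sys"):
    """Return the host's DMA-attack posture as a dict; risk is high, medium or reduced."""
    sysfs = pathlib.Path(sysfs_root)
    groups = sysfs / "kernel" / "iommu_groups"
    iommu_active = groups.is_dir() and any(groups.iterdir())
    domains = []
    for d in sorted((sysfs / "bus" / "thunderbolt" / "devices").glob("domain*")):
        domains.append({"domain": d.name,
                        "security": _read(d / "security") or "unknown",
                        "iommu_dma_protection": _read(d / "iommu_dma_protection") == "1"})
    if not iommu_active:
        risk = "high"      # every peripheral can read and write all of RAM
    elif any(d["security"] == "none" for d in domains):
        risk = "medium"    # IOMMU is on, but Thunderbolt devices are admitted with no prompt
    else:
        risk = "reduced"   # never "none": Thunderclap shows a configured IOMMU can still be bypassed
    return {"iommu_active": iommu_active, "domains": domains, "risk": risk}

def build_fake_sysfs(root, security_level, iommu_active, dma_protection):
    """Constructed sample sysfs tree for offline testing; not taken from a real machine."""
    dom = pathlib.Path(root, "bus", "thunderbolt", "devices", "domain0")
    dom.mkdir(parents=True)
    (dom / "security").write_text(security_level + "\n")
    (dom / "iommu_dma_protection").write_text("1\n" if dma_protection else "0\n")
    groups = pathlib.Path(root, "kernel", "iommu_groups")
    (groups / "0" if iommu_active else groups).mkdir(parents=True)

def demo_scenarios():
    cases = {"no_iommu_security_none": ("none", False, False),
             "iommu_security_none": ("none", True, False),
             "iommu_security_user": ("user", True, True)}
    out = {}
    for name, (level, iommu, prot) in cases.items():
        with tempfile.TemporaryDirectory() as root:
            build_fake_sysfs(root, level, iommu, prot)
            out[name] = assess_dma_exposure(root)["risk"]
    return out
```

Run `assess_dma_exposure()` with no argument on a real Linux host to read its actual `/sys` tree; `demo_scenarios()` only exercises the constructed cases.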

The researchers have made available technical details for Thunderclap and released an open source platform that can be used by other researchers and vendors interested in testing their products against these types of DMA attacks.

Back in 2015, a researcher showed how the Thunderbolt port on MacBooks could be abused to install an OS X firmware bootkit.

Related: MacBooks Leak Disk Encryption Password

Related: Researcher to Demonstrate Attack on Apple EFI Firmware

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
