‘Thunderclap’ Flaws Expose Computers to Attacks via Peripheral Devices

Researchers have disclosed the details of an attack method that can allow a malicious actor to take control of a computer and gain access to sensitive data by connecting a specially crafted device to its Thunderbolt port.

The attack, dubbed Thunderclap, involves a series of vulnerabilities that can be exploited via Thunderbolt, a hardware interface created by Apple and Intel for connecting peripheral devices to a computer. The security holes were discovered by a team of researchers from Rice University in the United States, University of Cambridge in the United Kingdom, and SRI International.

The flaws impact a vast majority of the laptops and desktop computers made by Apple since 2011. However, Thunderbolt 3 is often supported via USB Type-C ports, which means that computers designed to run Windows and Linux can be vulnerable as well. The researchers noted that exploitation is also possible through devices connected via PCI Express or chips directly soldered to the targeted computer’s motherboard.

Image caption: Thunderclap attack uses Thunderbolt port

While launching an attack requires physical access to the targeted system, the experts noted that an attacker can use apparently harmless devices such as chargers or video projectors, which, in addition to launching an attack, can also perform their intended task to avoid raising suspicion.

The researchers reported their findings to affected vendors back in 2016 and have been working with them ever since to develop patches. Both Apple and Microsoft have rolled out some fixes for macOS (starting with version 10.12.4) and Windows (in Windows 10), but they only address the most dangerous problems discovered by the experts.

Intel has created patches for the Linux kernel (expected to be released soon) and one unnamed notebook vendor said it would try to address the issues before adding Thunderbolt to its new product lines.

Thunderclap attacks are mitigated on Windows and some Linux systems due to a Thunderbolt access control mechanism that prompts users when a device is connected, but many people would likely click through these prompts. Furthermore, the researchers pointed out that the access control prompt is not displayed if the attack is carried out via a PCI Express peripheral.

“In general terms, platforms remain insufficiently defended from peripheral devices over Thunderbolt such that users should not connect devices they do not know the provenance of or do not trust,” the researchers noted.

The Thunderclap attack leverages the fact that peripheral devices are given direct memory access (DMA), which means they can read from and write to all the system memory without oversight from the operating system.

The targeted memory can store valuable information, such as passwords, financial information, and browsing data. Attackers could also inject code that would be executed with the highest privileges, giving them complete control over the machine.

The input-output memory management unit (IOMMU) was designed to provide protection against such attacks by restricting the access of peripherals to memory. However, IOMMU introduces some performance penalties and it’s often disabled by default. On the other hand, the researchers have demonstrated that even if IOMMU is enabled and configured properly, attacks are still possible via the Thunderclap vulnerabilities.
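The two mitigations named above, an active IOMMU and a Thunderbolt access control level that prompts before authorizing a device, can be audited from sysfs on a Linux host. The script below is an added example, not the researchers' tooling or anything from the article; it reads the kernel's own attributes (documented in Documentation/admin-guide/thunderbolt.rst) and includes a constructed fake sysfs tree so it can be exercised offline.

```python
"""Audit the two DMA-attack mitigations the article names on a Linux host: is the
IOMMU active, and does the Thunderbolt domain prompt before authorizing a device?
Hypothetical audit script, not the researchers' tooling; the sysfs paths are the
kernel's own (Documentation/admin-guide/thunderbolt.rst)."""
import tempfile
from pathlib import Path

# Domain security levels that do not silently authorize a PCIe tunnel;
# "none" connects every device with full DMA and no prompt.
SAFE_LEVELS = {"user", "secure", "dponly", "usbonly", "nopcie"}


def iommu_active(root="/"):
    """True if the kernel exposes at least one IOMMU group (DMA is translated)."""
    groups = Path(root) / "sys/kernel/iommu_groups"
    return groups.is_dir() and any(groups.iterdir())


def thunderbolt_domains(root="/"):
    """Map each Thunderbolt domain (domain0, domain1, ...) to its security level."""
    base = Path(root) / "sys/bus/thunderbolt/devices"
    levels = {}
    if base.is_dir():
        for entry in sorted(base.iterdir()):
            if entry.name.startswith("domain") and (entry / "security").exists():
                levels[entry.name] = (entry / "security").read_text().strip()
    return levels


def audit(root="/"):
    """Return findings; an empty list means both mitigations look sane."""
    findings = []
    if not iommu_active(root):
        findings.append("IOMMU not active: peripherals get unrestricted DMA")
    for name, level in thunderbolt_domains(root).items():
        if level not in SAFE_LEVELS:
            findings.append(f"{name}: security level '{level}' authorizes devices without prompting")
    return findings


def build_sample_tree(iommu, level):
    """Constructed fake sysfs tree so the audit can be exercised offline."""
    root = Path(tempfile.mkdtemp())
    if iommu:
        (root / "sys/kernel/iommu_groups/0").mkdir(parents=True)
    dom = root / "sys/bus/thunderbolt/devices/domain0"
    dom.mkdir(parents=True)
    (dom / "security").write_text(level + "\n")
    return str(root)
```

Call `audit()` with no argument on a live host; the constructed tree exists only so the checks can be run where no Thunderbolt hardware is present.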

The researchers have made available technical details for Thunderclap and released an open source platform that can be used by other researchers and vendors interested in testing their products against these types of DMA attacks.

Back in 2015, a researcher showed how the Thunderbolt port on MacBooks could be abused to install an OS X firmware bootkit.

Related: MacBooks Leak Disk Encryption Password

Related: Researcher to Demonstrate Attack on Apple EFI Firmware

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.