
You've been Thunderstuck - Windows, Linux, and MacOS found to allow Thunderbolt & USB-C devices unrestricted memory access

rcmaehl

Sources:
Computing

Apple Insider
Tom's Hardware
 

Summary:
Windows, Linux, and Mac have been found not to be properly restricting Thunderbolt and USB-C direct memory access (DMA), allowing devices to steal data, run programs, and allow future unattended access.

 

Media:
(image) http://media.bestofmicro.com/O/M/825142/original/thunderclap-diagram.jpg


Quotes/Excerpts:

Quote

A flaw in the Thunderbolt connectivity specification that could expose PCs to attack via their USB-C and DisplayPort interfaces. Dubbed 'Thunderclap', the vulnerability enables hackers to exploit the privileged direct-memory access (DMA) provided via the Thunderbolt connection. "The primary defence is a component called the Input-Output Memory Management Unit (IOMMU), which, in principle, can allow devices to access only the memory needed to do their job and nothing else. However, we found existing operating systems do not use the IOMMU effectively." This means that the operating system-level access that Thunderbolt-compatible devices are granted, such as 4K monitors and external GPU enclosures, makes a machine more vulnerable to attacks that gain privileged access to a system. "We found the attack surface available to a network card was much richer and more nuanced than was previously thought. By examining the memory it was given access to while sending and receiving packets, our device was able to read traffic from networks that it wasn't supposed to. This included VPN plaintext and traffic from Unix domain sockets that should never leave the machine." On MacOS and FreeBSD, the researchers found that their dodgy network card could start arbitrary programs as the system admin. On Linux, they were able to get access to sensitive kernel data structures and completely bypass the enabled IOMMU by setting a few option fields in the messages the malicious network card sent. "Such attacks are very plausible in practice. The combination of power, video, and peripheral-device DMA over Thunderbolt 3 ports facilitates the creation of malicious charging stations or displays that function correctly but simultaneously take control of connected machines,"

 

My Thoughts:
While the scope for this attack is limited by the fact that it needs an original physical connection to attack the machine, it can easily be used to modify permissions and configuration files to allow continued access to a device after the malicious device is disconnected. Based on having direct memory access, the device would not even need to be unlocked, just powered on. This would easily allow plug-n-go style attacks as seen in Game Theory's Game Lab. As normal, the advice on how to avoid these types of attacks does not change: Don't leave your device unattended; Don't plug unofficial or unknown devices into your computer; Don't use public charging stations.

Edited by rcmaehl
Added Tom's Hardware and a media image from their article.

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor
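The quoted researchers' point is that an IOMMU only helps when the operating system actually uses it, and the advice in the post above is purely behavioural. A defender can also ask the machine what it reports. The script below is an added example, not code from the thread or from the Thunderclap researchers. It reads the standard Linux sysfs attributes for Thunderbolt (domainN/security, domainN/iommu_dma_protection, and each device's authorized flag) plus the IOMMU group list, and rolls them into one verdict. The SYSROOT prefix, the function names and the verdict wording are this example's own conventions, chosen so the same functions can run against a constructed sysfs tree offline.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Linux host's DMA-protection
# posture for Thunderbolt / USB-C ports from sysfs.
# Assumed kernel attributes: /sys/kernel/iommu_groups,
#   /sys/bus/thunderbolt/devices/domainN/security,
#   /sys/bus/thunderbolt/devices/domainN/iommu_dma_protection,
#   /sys/bus/thunderbolt/devices/<dev>/authorized
# SYSROOT prefixes every path so the functions can be tested against a
# constructed tree; leave it empty on a real host.
SYSROOT="${SYSROOT:-}"

# An IOMMU the kernel really uses shows up as one or more iommu_groups.
# Without it, any DMA-capable peripheral reads and writes RAM unrestricted.
iommu_active() {
    d="$SYSROOT/sys/kernel/iommu_groups"
    [ -d "$d" ] && [ -n "$(ls -A "$d" 2>/dev/null)" ]
}

# Thunderbolt security level of a domain (host controller):
#   none     every device is authorised automatically (worst case)
#   user     a device is connected only after userspace authorises it
#   secure   as user, plus a per-device key challenge on reconnect
#   dponly   only DisplayPort is tunnelled, no PCIe at all
#   usbonly  only USB (and DP) is tunnelled, no PCIe at all
#   nopcie   newer kernels: PCIe tunnelling disabled by firmware
# Prints "absent" when the host has no Thunderbolt domain.
tb_security_level() {
    f="$SYSROOT/sys/bus/thunderbolt/devices/domain${1:-0}/security"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# 1 when the platform enforces the IOMMU for tunnelled PCIe devices
# (Kernel DMA Protection), 0 when it does not, "absent" on older kernels.
tb_iommu_dma_protection() {
    f="$SYSROOT/sys/bus/thunderbolt/devices/domain${1:-0}/iommu_dma_protection"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# One line per attached Thunderbolt device with its authorisation state.
# Names look like 0-1 (domain 0, port 1); 0-0 is the host router itself.
tb_list_devices() {
    for dev in "$SYSROOT"/sys/bus/thunderbolt/devices/[0-9]*-*; do
        [ -d "$dev" ] || continue
        name=$(basename "$dev")
        case "$name" in *-0) continue ;; esac   # skip the host router
        auth=$(cat "$dev/authorized" 2>/dev/null || echo "?")
        printf '%s authorized=%s\n' "$name" "$auth"
    done
}

# Summarise the posture as "VERDICT: reason". VERDICT is one of
# PROTECTED, PARTIAL, EXPOSED, UNKNOWN so other scripts can key on it.
dma_verdict() {
    level=$(tb_security_level 0)
    prot=$(tb_iommu_dma_protection 0)
    if [ "$level" = absent ]; then
        printf 'UNKNOWN: no Thunderbolt domain found\n'
    elif [ "$prot" = 1 ]; then
        printf 'PROTECTED: kernel DMA protection maps tunnelled devices through the IOMMU\n'
    elif ! iommu_active; then
        printf 'EXPOSED: no IOMMU groups, peripheral DMA is unrestricted\n'
    else
        case "$level" in
            dponly|usbonly|nopcie)
                printf 'PROTECTED: PCIe tunnelling is disabled (%s)\n' "$level" ;;
            user|secure)
                printf 'PARTIAL: devices wait for authorisation (%s), but an authorised device is limited only by how the OS maps the IOMMU\n' "$level" ;;
            none)
                printf 'EXPOSED: security level none, any device gets PCIe access on plug-in\n' ;;
            *)
                printf 'UNKNOWN: unrecognised security level %s\n' "$level" ;;
        esac
    fi
}

# When saved as tb_dma_audit.sh and run directly, report on this host.
case "$0" in *tb_dma_audit.sh) dma_verdict; tb_list_devices ;; esac
```

Run it as root with SYSROOT unset. A level of user or secure means a freshly plugged device sits unauthorised until something (the bolt daemon on most desktops, or a write to its authorized attribute) lets it in, which is the mitigation the distributions actually ship; iommu_dma_protection reporting 1 is the stronger property, because the kernel then routes tunnelled devices through the IOMMU regardless of the security level. The PARTIAL wording reflects the researchers' finding: once a device is authorised, what it can reach is decided by how tightly the OS maps its DMA windows, not by the security level.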


I checked with my doctor, he says that I've never had the Thunderclap.

Let's play connect the dots!

::::::::::

::::::::::

::::::::::


Well, yea. Isn't this the whole point of Thunderbolt 3 to bypass the normal I/O crap and achieve faster speeds?

 

And again with these physical-access attacks too. I realize laptops have Thunderbolt 3 more frequently now but if you leave your laptop unattended or use public charging etc. then it's your own fault if you catch a virus.

 

2/10 news must try harder. Also does every damn bug have to be named? Just call it whatever the CVE number is and move on. Stop trying to publicize and make light of these zero-day attacks with some hip happening and trendy name.


Nothing new there, computers have always had physical hacking vulnerabilities. The main port for this has been FireWire, and it was just a question of time before Thunderbolt was also found to be vulnerable. The biggest thing here is whether the vulnerability is an accident, a misimplementation or a designed feature, since FireWire was never fixed and the main reason is believed to be that police and other officials can hopefully get encryption keys and a general RAM dump through them if they find a PC powered on.


1 hour ago, rcmaehl said:

You've been Thunderstuck - Windows, Linux, and MacOS found to allow Thunderbolt & USB-C devices unrestricted memory access

I feel mentioning USB-C in the title can be misleading; a lot of people still do not understand that USB-C is just the physical connector and can be used for more than just USB. Just mentioning that there is a security issue with Thunderbolt in the title would be less misleading.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.


10 minutes ago, HarryNyquist said:

Also does every damn bug have to be named? Just call it whatever the CVE number is and move on. Stop trying to publicize and make light of these zero-day attacks with some hip happening and trendy name.

It's a form of marketing: whoever found the bug can refer to it with a flashy, easier-to-remember name whenever they're trying to sell their services to other companies. I agree that it's silly and all, but it's all about associating one's name -- company or personal -- with having made important discoveries in the minds of the less experienced/knowledgeable.


1 minute ago, WereCatf said:

it's all about associating one's name -- company or personal -- with having made important discoveries in the minds of the less experienced/knowledgeable.

And thusly opening this up to fearmongering by alleged journalists....

 

I dunno, I appreciate the need for attribution and all that, but I have ethical issues with sensationalizing a flaw to make it more known to people that don't understand it.

 

Like, once this leaves tech circles and gets to the hands of the main media, it'll have been distorted to the point that it's just known as Thunderclap, and people won't know anything else except that that little new port on their laptop is VULNERABLE and SCARY!

 

And before anyone says that won't happen, keep in mind during the Shellshock debacle, the media called bash a virus until they were corrected.


1 hour ago, VegetableStu said:

that also happened when thunderbolt 1/2 first started out i think o_o just from the virtue of being closer to the lower levels of the system

Sadly, I don't think that's the right take.

 

Someone found the NSA's handy work.


48 minutes ago, HarryNyquist said:

And thusly opening this up to fearmongering by alleged journalists....

 

I dunno, I appreciate the need for attribution and all that, but I have ethical issues with sensationalizing a flaw to make it more known to people that don't understand it.

 

Like, once this leaves tech circles and gets to the hands of the main media, it'll have been distorted to the point that it's just known as Thunderclap, and people won't know anything else except that that little new port on their laptop is VULNERABLE and SCARY!

 

And before anyone says that won't happen, keep in mind during the Shellshock debacle, the media called bash a virus until they were corrected.

100%

 

It will be the "newest" STD for PCs.

 

 

 

Question Harry - if I leave my computer unattended and someone plugs a USB 3.0 external hard drive into my PC and is able to access my other hard drives and do malicious activity... can I announce to the media that there are vulnerabilities within the USB specification, and that the fix cannot be the onus of the people but rather - dummy-proof it for the population?

Workstation Laptop: Dell Precision 7540, Xeon E-2276M, 32gb DDR4, Quadro T2000 GPU, 4k display

Wifes Rig: ASRock B550m Riptide, Ryzen 5 5600X, Sapphire Nitro+ RX 6700 XT, 16gb (2x8) 3600mhz V-Color Skywalker RAM, ARESGAME AGS 850w PSU, 1tb WD Black SN750, 500gb Crucial m.2, DIYPC MA01-G case

My Rig: ASRock B450m Pro4, Ryzen 5 3600, ARESGAME River 5 CPU cooler, EVGA RTX 2060 KO, 16gb (2x8) 3600mhz TeamGroup T-Force RAM, ARESGAME AGV750w PSU, 1tb WD Black SN750 NVMe Win 10 boot drive, 3tb Hitachi 7200 RPM HDD, Fractal Design Focus G Mini custom painted.  

NVIDIA GeForce RTX 2060 video card benchmark result - AMD Ryzen 5 3600,ASRock B450M Pro4 (3dmark.com)

Daughter 1 Rig: ASrock B450 Pro4, Ryzen 7 1700 @ 4.2ghz all core 1.4vCore, AMD R9 Fury X w/ Swiftech KOMODO waterblock, Custom Loop 2x240mm + 1x120mm radiators in push/pull 16gb (2x8) Patriot Viper CL14 2666mhz RAM, Corsair HX850 PSU, 250gb Samsun 960 EVO NVMe Win 10 boot drive, 500gb Samsung 840 EVO SSD, 512GB TeamGroup MP30 M.2 SATA III SSD, SuperTalent 512gb SATA III SSD, CoolerMaster HAF XM Case. 

https://www.3dmark.com/3dm/37004594?

Daughter 2 Rig: ASUS B350-PRIME ATX, Ryzen 7 1700, Sapphire Nitro+ R9 Fury Tri-X, 16gb (2x8) 3200mhz V-Color Skywalker, ANTEC Earthwatts 750w PSU, MasterLiquid Lite 120 AIO cooler in Push/Pull config as rear exhaust, 250gb Samsung 850 Evo SSD, Patriot Burst 240gb SSD, Cougar MX330-X Case


isn't this just thunderbolt as usual and NOT usbc3? 

muh specs 

Gaming and HTPC (reparations)- ASUS 1080, MSI X99A SLI Plus, 5820k- 4.5GHz @ 1.25v, asetek based 360mm AIO, RM 1000x, 16GB memory, 750D with front USB 2.0 replaced with 3.0  ports, 2 250GB 850 EVOs in Raid 0 (why not, only has games on it), some hard drives

Screens- Acer preditor XB241H (1080p, 144Hz Gsync), LG 1080p ultrawide, (all mounted) directly wired to TV in other room

Stuff- k70 with reds, steel series rival, g13, full desk covering mouse mat

All parts black

Workstation(desk)- 3770k, 970 reference, 16GB of some crucial memory, a motherboard of some kind I don't remember, Micomsoft SC-512N1-L/DVI, CM Storm Trooper (It's got a handle, can you handle that?), 240mm Asetek based AIO, Crucial M550 256GB (upgrade soon), some hard drives, disc drives, and hot swap bays

Screens- 3  ASUS VN248H-P IPS 1080p screens mounted on a stand, some old tv on the wall above it. 

Stuff- Epicgear defiant (solderless swappable switches), g600, moutned mic and other stuff. 

Laptop docking area- 2 1440p korean monitors mounted, one AHVA matte, one samsung PLS gloss (very annoying, yes). Trashy Razer blackwidow chroma...I mean like the J key doesn't click anymore. I got a model M i use on it to, but its time for a new keyboard. Some edgy Utechsmart mouse similar to g600. Hooked to laptop dock for both of my dell precision laptops. (not only docking area)

Shelf- i7-2600 non-k (has vt-d), 380t, some ASUS sandy itx board, intel quad nic. Currently hosts shared files, setting up as pfsense box in VM. Also acts as spare gaming PC with a 580 or whatever someone brings. Hooked into laptop dock area via usb switch


1 minute ago, jagdtigger said:

Dunt buy anything that has USB-C, problem solved. Its just a useless clusterf!ck anyway....

That's a stupid take and, like I already said, this is specifically about Thunderbolt -- there are more buses that use USB-C than just Thunderbolt, including USB, but that's not vulnerable to this.


2 minutes ago, WereCatf said:

That's a stupid take and, like I already said, this is specifically about Thunderbolt -- there are more buses that use USB-C than just Thunderbolt, including USB, but that's not vulnerable to this.

If something isn't secure just avoid it like the plague, there is nothing stupid about it IMO....

 

/EDIT

Oh, and BTW. Direct quote from OP:

Quote

A flaw in the Thunderbolt connectivity specification that could expose PCs to attack via their USB-C and DisplayPort interfaces.

 

Edited by jagdtigger

1 minute ago, jagdtigger said:

If something isn't secure just avoid it like the plague, there is nothing stupid about it IMO....

How can a CONNECTOR be secure in the first place? It's like saying a piece of string is insecure and telling people to avoid anything made of string!


2 minutes ago, WereCatf said:

How can a CONNECTOR be secure in the first place? It's like saying a piece of string is insecure and telling people to avoid anything made of string!

"Oh, let's give an external connector direct access to the memory, should be alright." There is definitely no screaming logical fault in this... /s


Just now, jagdtigger said:

"Oh, let's give an external connector direct access to the memory, should be alright."

For the love of god. You're talking about a BUS. A BUS is NOT a CONNECTOR. The USB-C connector can be used perfectly well for a lot of things without magically making everything insecure; it's the BUS, i.e. Thunderbolt, that is insecure.


I mean, I feel like this is 100% a required feature for eGPUs and the like. I suppose the fix will be better management of device IDs and all that, until a way to spoof the TB3 ID is found, then rinse and repeat.

LINK-> Kurald Galain:  The Night Eternal 

Top 5820k, 980ti SLI Build in the World*

CPU: i7-5820k // GPU: SLI MSI 980ti Gaming 6G // Cooling: Full Custom WC //  Mobo: ASUS X99 Sabertooth // Ram: 32GB Crucial Ballistic Sport // Boot SSD: Samsung 850 EVO 500GB

Mass SSD: Crucial M500 960GB  // PSU: EVGA Supernova 850G2 // Case: Fractal Design Define S Windowed // OS: Windows 10 // Mouse: Razer Naga Chroma // Keyboard: Corsair k70 Cherry MX Reds

Headset: Senn RS185 // Monitor: ASUS PG348Q // Devices: Note 10+ - Surface Book 2 15"

LINK-> Ainulindale: Music of the Ainur 

Prosumer DYI FreeNAS

CPU: Xeon E3-1231v3  // Cooling: Noctua L9x65 //  Mobo: AsRock E3C224D2I // Ram: 16GB Kingston ECC DDR3-1333

HDDs: 4x HGST Deskstar NAS 3TB  // PSU: EVGA 650GQ // Case: Fractal Design Node 304 // OS: FreeNAS


1 hour ago, Curufinwe_wins said:

I mean, I feel like this is 100% a required feature for egpu and etc. I suppose the fix will be better management of device id's and all that until a way to spoof the TB3 id is found then rinse repeat.

That's really the root of the problem. 99% or more of devices that need DMA are physically within the PC and can be locked behind screws or a physical lock. Thunderbolt 3 is different in that it provides DMA to any device that wants it AND is external. Taking apart a laptop in the middle of a coffee shop raises a few red flags, if only minor; connecting a USB-looking device to a laptop wouldn't.


10 hours ago, WereCatf said:

For the love of god. You're talking about a BUS. A BUS is NOT a CONNECTOR. The USB-C connector can be used perfectly well for a lot of things without magically making everything insecure, it's the BUS, ie. Thunderbolt, that is insecure.

And Thunderbolt needs a connector, right? I intentionally wrote a generic term; as for USB-C, it can be pretty much ignored since there is no reason to care about it... Unless ofc you are a masochist and love the dongle fest.


7 minutes ago, VegetableStu said:

although now that you mentioned it i vaguely recall there's previously a smart-connector attack with an actual USB-C device on the USB 3C connection?

 

might be this one if i remember right

https://www.bleepingcomputer.com/news/security/usbharpoon-is-a-badusb-attack-with-a-twist/

That's neither a vulnerability in the USB protocol per se nor in the connector. They've just made a USB cable with a hidden USB device inside that then emulates a keyboard and enters stuff into a computer -- nothing new, not difficult to do yourself and doesn't cost much, either; a basic microcontroller, e.g. something in the STM32 lineup in a QFN package, along with a few caps, resistors and a voltage regulator is all you need.

 

Why do I say it's not a vulnerability in the USB protocol? Well, because it is for all intents and purposes a basic USB keyboard, just one with no keys. It doesn't do anything a USB keyboard doesn't do, other than playing a pre-recorded macro.

 

USB-C is mentioned only because that's what they demonstrated their cable with. It could just as well have been USB-A or anything else, i.e. the connector is irrelevant.


Oh wow, memory-related vulnerabilities will never end..

| Ryzen 7 7800X3D | AM5 B650 Aorus Elite AX | G.Skill Trident Z5 Neo RGB DDR5 32GB 6000MHz C30 | Sapphire PULSE Radeon RX 7900 XTX | Samsung 990 PRO 1TB with heatsink | Arctic Liquid Freezer II 360 | Seasonic Focus GX-850 | Lian Li Lanccool III | Mousepad: Skypad 3.0 XL / Zowie GTF-X | Mouse: Zowie S1-C | Keyboard: Corsair K63 Cherry MX red | Beyerdynamic MMX 300 (2nd Gen) | Acer XV272U | OS: Windows 11 |


Doesn’t seem like there is much that can be done about it given the goal of Thunderbolt and USB-C. 

Laptop: 2019 16" MacBook Pro i7, 512GB, 5300M 4GB, 16GB DDR4 | Phone: iPhone 13 Pro Max 128GB | Wearables: Apple Watch SE | Car: 2007 Ford Taurus SE | CPU: R7 5700X | Mobo: ASRock B450M Pro4 | RAM: 32GB 3200 | GPU: ASRock RX 5700 8GB | Case: Apple PowerMac G5 | OS: Win 11 | Storage: 1TB Crucial P3 NVME SSD, 1TB PNY CS900, & 4TB WD Blue HDD | PSU: Be Quiet! Pure Power 11 600W | Display: LG 27GL83A-B 1440p @ 144Hz, Dell S2719DGF 1440p @144Hz | Cooling: Wraith Prism | Keyboard: G610 Orion Cherry MX Brown | Mouse: G305 | Audio: Audio Technica ATH-M50X & Blue Snowball | Server: 2018 Core i3 Mac mini, 128GB SSD, Intel UHD 630, 16GB DDR4 | Storage: OWC Mercury Elite Pro Quad (6TB WD Blue HDD, 12TB Seagate Barracuda, 1TB Crucial SSD, 2TB Seagate Barracuda HDD)

On 2/28/2019 at 5:16 PM, VegetableStu said:

that also happened when thunderbolt 1/2 first started out i think o_o just from the virtue of being closer to the lower levels of the system

Yes, it also happened with FireWire. It's an intrinsic problem of using PCIe as an external bus. Nobody would be surprised if inserting a malicious PCIe card could expose a vulnerability, yet here we are.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


2 hours ago, Sauron said:

Yes, it also happened with firewire. It's an intrinsic problem of using pcie as an external bus. Nobody would be surprised if inserting a malicious pcie card could expose a vulnerability, yet here we are.

FinFireWire.

 

Hell, one of the tools to attack through PCI-based DMA is available over on GitHub. That one attacks through FireWire, Thunderbolt, ExpressCard, PC Card, and any other PCI/PCIe interfaces.

2023 BOINC Pentathlon Event

F@H & BOINC Installation on Linux Guide

My CPU Army: 5800X, E5-2670V3, 1950X, 5960X J Batch, 10750H *lappy

My GPU Army:3080Ti, 960 FTW @ 1551MHz, RTX 2070 Max-Q *lappy

My Console Brigade: Gamecube, Wii, Wii U, Switch, PS2 Fatty, Xbox One S, Xbox One X

My Tablet Squad: iPad Air 5th Gen, Samsung Tab S, Nexus 7 (1st gen)

3D Printer Unit: Prusa MK3S, Prusa Mini, EPAX E10

VR Headset: Quest 2

 

Hardware lost to Kevdog's Law of Folding

OG Titan, 5960X, ThermalTake BlackWidow 850 Watt PSU


Oh no my TB3 gpu dock will steal my games
