Microsoft reveals why no Surface device has Thunderbolt and why you can’t upgrade your RAM

SansVarnic

Microsoft reveals why no Surface device has Thunderbolt and why you can’t upgrade your RAM

by Surur @mspoweruser, Apr 25, 2020 at 10:50 GMT

 

Source: https://mspoweruser.com/microsoft-reveals-why-no-surface-device-has-thunderbolt-and-you-cant-upgrade-your-ram/

 

Quote

Thunderbolt uses DMA (Direct Memory Access) which means the port can read and write directly to your device’s RAM without the OS or processor being involved. This offers great speed, but also means a malicious device could read any part of your RAM at will, including important items such as your Bitlocker key and other encryption keys, or even inject malware which allows hackers to bypass the lock screen.

Simply put, because it is not secure.

Well, this sucks. I was hoping that the Surface 7 and the Surface X would have Type-C (the Surface X has Type-C) and Thunderbolt, but I have to admit I did not take this into consideration.

The article is not very long but there is a snippet from the presentation that explains this.

 

 

Thoughts?


Just now, RejZoR said:

Well, DMA means Direct Memory Access so... It's literally a feature.

still it's been around for SO LONG, why isn't it secure yet?


4 minutes ago, Twilight said:

What the hell? If it's insecure they should fix it! DMA has been a thing since the 90s, Microsoft, fix your broken OS!

You missed the first sentence of the quote.

Quote

without the OS or processor being involved

So how is MS supposed to fix DMA if it bypasses the OS? DMA devices are designed to be able to bypass OS items, which is why they have been dangerous for years. The hardware itself is usually the one that needs to change; DMA devices in general provide a more open window for attack. (Just like how FireWire on Macs for a while allowed you full access.) DMA devices are just more dangerous.

 

In my opinion though, this just seems like an excuse. Soldered RAM and no Thunderbolt on consumer laptops to me just says they are making excuses for why they won't put it in.

 

 


Just now, Twilight said:

still it's been around for SO LONG, why isn't it secure yet?

It wouldn't be Direct Memory Access anymore if you somehow restricted it. They could call it SDMA or Secure DMA and place some sort of restrictions on it. The problem with hardware is that when a flaw is found, there is no easy way of fixing it, which explains why MS opted for simply not including it.


25 minutes ago, TempestCatto said:

Other Windows machines have it, why not just include it anyway?

 

35 minutes ago, Twilight said:

still it's been around for SO LONG, why isn't it secure yet?

 

It is 'secure'. But if that security is ever bypassed or found vulnerable (and the golden rule of IT is to assume everything has undiscovered vulnerabilities), it is a massive (potentially even unpatchable) vulnerability... Think of how hardware mods existed for the original Switch that could only be fixed with a new hardware revision.

 

Now with that said, you could say 'well so what? I want it anyways'... but it is an honest, perfectly reasonable stance for a company to take. Microsoft isn't marketing Surface products on the basis of gaming performance, so the dGPU attachment isn't relevant, and honestly USB 3.1 Gen 2 is more than fast enough for everything else. Hell, you could (at least in theory) run 10 GbE off of it. 5 GbE USB adapters now exist, it is similar in speed to SATA III, and it has been repeatedly demonstrated that (for now anyways) NVMe drives offer damn near zero benefit in the hypermajority of consumer workloads (or even gaming).

 

USB 3.1 Gen 2 still allows support for USB Power Delivery and DisplayPort Alt Modes, and if Microsoft wants to separately include DisplayPort 1.4 ports, all the better.

 

 

-----

TLDR: I'm not saying I agree with Microsoft's position, but it does have a very rational basis (even if it were to be just an excuse).


It's the same reason why FireWire was shunned: because it allowed for DMA transfers, sending data to RAM or reading data from RAM without the operating system being involved.

Rogue firewire devices could send data and put it in memory at particular locations, overwriting existing stuff.

 

Thunderbolt most likely uses that DMA stuff to reduce CPU usage; with the operating system being involved, your fancy 6-8 core processor would probably sit at 50% CPU usage just by transferring 2-3 gigabits of capture card data or passing the image from the video card to your monitor through Thunderbolt...


Also worth noting, I don't support the soldered ram position, and it is completely separate from the 'Thunderbolt isn't risk-free' position.


FireWire, back in the day, also used DMA and was demonstrated a good number of times to be a good way into laptops and other similar devices that were supposed to be secure. The problem was that all you had to do was plug in a malicious device, let it do its thing, pop the device out and off you go -- literal seconds for utterly complete hosing of your target's security.


58 minutes ago, Curufinwe_wins said:

Also worth noting, I don't support the soldered ram position, and it is completely separate from the 'Thunderbolt isn't risk-free' position.

LPDDR is solder only, and also they use soldered RAM to reduce chassis height.


4 minutes ago, schwellmo92 said:

LPDDR is solder only, and also they use soldered RAM to reduce chassis height.

And that still isn't sufficient reasoning IMO.

 

Windows laptops with similar z-height and battery life have come out without that limitation.

 

[Note: I own an SB2 so it isn't a gamebreaker for me. Just it is absolutely 100% a negative.]


That's bullshit. They could fix it; they just don't want to for some reason.


I would agree, the DMA can have something to better secure it from this issue and they can surely do something about it.

I see the reasoning of course, with tablets being easier to access by those wanting to use DMA devices: it's a mobile device. But then again so are laptops, and they have Thunderbolt... the logic just doesn't seem to add up here.


A lot of talk about how Microsoft should "fix" this, but unless I've very much misunderstood what DMA is, it's not a Windows feature and not within their control; it's just a name for how the hardware functions. With this in mind, does the same fact (implications of DMA + Thunderbolt) exist on Macs as well?


4 minutes ago, Ryan_Vickers said:

With this in mind, does the same fact (implications of DMA + thunderbolt) exist in macs as well?

I think so. If this function really does what its name implies and it's fundamental to how Thunderbolt operates, then I believe it exists in Macs as well. I don't think it's a big issue though, when someone has physical access to your device and can plug stuff into it, I think you've got bigger issues with your security than Thunderbolt... ;)


Just now, Morgan MLGman said:

I think so. If this function really does what its name implies, then I believe it exists in Macs as well. I don't think it's a big issue though, when someone has a physical access to your device and can plug stuff into it, I think you've got bigger issues with your security than Thunderbolt... ;)

True, I just find it ironic (if true) that they went so hard into Thunderbolt, dropping other far more common ports in the process, while also going hard on encryption and other security features that do more to hurt the average user than actually protect them.


Just now, Ryan_Vickers said:

True, I just find it ironic (if true) that they went so hard into Thunderbolt, dropping other far more common ports in the process, while also going hard on encryption and other security features that do more to hurt the average user than actually protect them.

I agree. Also, who realistically needs Thunderbolt's bandwidth with a consumer-grade device? Latest USB standards are more than enough for pretty much anything over 99% of users need in a Surface or a MacBook Air for example...


Thunderbolt doesn't have to have unfettered access, despite having DMA.

Also, most all network cards/chips have forms of DMA too.

 

This is completely not about security, but about cost and not having a real use for thunderbolt over USB in a relatively slow machine.

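RejZoR's suggestion above that DMA could be restricted ("SDMA or Secure DMA") and justpoet's point that Thunderbolt "doesn't have to have unfettered access" describe what the mitigation actually looks like in practice. As an added example that is not from this thread or from Microsoft, the POSIX shell script below audits the two controls a Linux kernel exposes for it: the Thunderbolt domain security level and whether the IOMMU is remapping DMA from tunneled devices. It assumes the sysfs layout documented in the kernel's Thunderbolt admin guide (domain0/security, domain0/iommu_dma_protection, per-device authorized) and takes the sysfs root as a parameter so it can be run against a constructed tree as well as the live /sys.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from Microsoft.
# Audits the DMA-restriction controls a Linux kernel exposes for Thunderbolt.
# Assumed sysfs layout (kernel admin-guide/thunderbolt.rst):
#   <sysfs>/bus/thunderbolt/devices/domain0/security
#       none | user | secure | dponly | usbonly | nopcie
#   <sysfs>/bus/thunderbolt/devices/domain0/iommu_dma_protection   0 | 1
#   <sysfs>/bus/thunderbolt/devices/<route>/authorized             0 | 1 | 2
# The sysfs root is a parameter so the functions can be run against a
# constructed tree (e.g. in a test) as well as against the live /sys.

read_attr() {
    # Print a sysfs attribute's value, or "absent" when the file is missing
    # (older kernels do not expose iommu_dma_protection at all).
    if [ -r "$1" ]; then cat "$1"; else echo absent; fi
}

tb_verdict() {
    # Classify how much a hot-plugged Thunderbolt device could do with DMA.
    sysfs="${1:-/sys}"
    domain="$sysfs/bus/thunderbolt/devices/domain0"
    if [ ! -d "$domain" ]; then echo "no-thunderbolt"; return 0; fi
    level=$(read_attr "$domain/security")
    iommu=$(read_attr "$domain/iommu_dma_protection")
    # IOMMU remapping bounds device DMA to the buffers a driver maps for it,
    # which is what addresses the "reads any part of your RAM" concern.
    if [ "$iommu" = "1" ]; then echo "dma-protected"; return 0; fi
    case "$level" in
        user|secure)            echo "needs-authorization:$level" ;;
        dponly|usbonly|nopcie)  echo "pcie-tunnels-disabled:$level" ;;
        none)                   echo "unrestricted-dma" ;;
        *)                      echo "unknown:$level" ;;
    esac
}

tb_pending() {
    # Count attached devices whose PCIe tunnel has not been authorized
    # (authorized == 0); such a device cannot issue DMA yet.
    sysfs="${1:-/sys}"
    n=0
    for f in "$sysfs"/bus/thunderbolt/devices/*/authorized; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" = "0" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Run the audit against the live system only when invoked with --audit,
# so sourcing the file for its functions has no side effects.
if [ "${1:-}" = "--audit" ]; then
    echo "thunderbolt DMA posture: $(tb_verdict /sys)"
    echo "devices awaiting authorization: $(tb_pending /sys)"
fi
```

A "dma-protected" verdict with pending devices is the posture to aim for; "unrestricted-dma" is the situation the quoted article is describing.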

2 hours ago, wanderingfool2 said:

You missed the first sentence of the quote.

So how is MS supposed to fix DMA if it bypasses the OS? DMA devices are designed to be able to bypass OS items, which is why they have been dangerous for years. The hardware itself is usually the one that needs to change; DMA devices in general provide a more open window for attack. (Just like how FireWire on Macs for a while allowed you full access.) DMA devices are just more dangerous.

 

In my opinion though, this just seems like an excuse. Soldered RAM and no Thunderbolt on consumer laptops to me just says they are making excuses for why they won't put it in.

 

 

*Please note I am a security researcher*

 

*Laughs in "I'm about to hack a Mac and there's nothing they can do about it"*


46 minutes ago, justpoet said:

Thunderbolt doesn't have to have unfettered access, despite having DMA.

Also, most all network cards/chips have forms of DMA too.

 

This is completely not about security, but about cost and not having a real use for thunderbolt over USB in a relatively slow machine.

Network cards and other parts with DMA access are usually PCI(e) parts and aren't as dangerous as a port on the case. Even today FireWire is known as the biggest hole in encryption, because all it takes is to plug in a RAM-dump FireWire device and all your encryption keys are in the hands of someone else. And those FireWire dumpers were very common, and I wouldn't be surprised if there are already ones for Thunderbolt in development for law enforcement (after they get it, it's only a question of how fast others get them).


3 hours ago, Likwid said:

But why no bigger ram options?

Because MS doesn't offer it. See, that's the problem with ultralight computers; the RAM is baked on the MB. In some rare cases, so is the SSD.

 

When you choose your upgrade options such as CPU, RAM, and sometimes GPU at checkout with an ultralight, it's really just a MB SKU filter. So yeah, there could be a lot of permutations in MBs just for one laptop. Crazy I know, but there you have it!
