Security researchers at the Network and Distributed Systems Security Symposium in San Diego are announcing the results of some fascinating research they’ve been working on. They “built a fake network card that is capable of interacting with the operating system in the same way as a real one” and discovered that
Such ports offer very privileged, low-level, direct memory access (DMA), which gives peripherals much more privilege than regular USB devices. If no defences are used on the host, an attacker has unrestricted memory access, and can completely take control of a target computer: they can steal passwords, banking logins, encryption keys, browser sessions and private files, and they can also inject malicious software that can run anywhere in the system.
Vendors have been gradually improving firmware and taking other steps to mitigate these vulnerabilities, but the same features that make Thunderbolt so useful also make it a much more serious attack vector than USB ever was. You may want to consider ways to disable your Thunderbolt drivers unless you can be sure that you can prevent physical access to your machine.
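The two host-side defences the post mentions, an active IOMMU and Thunderbolt device authorization, are both visible from Linux sysfs. The script below is an added example, not code from the original post or from the researchers: it reads the IOMMU group directory and the `security` and `authorized` attributes documented in the kernel's Documentation/admin-guide/thunderbolt.rst, and reports whether a hot-plugged device would reach host memory unchecked. The ROOT argument and the constructed directory tree at the bottom are assumptions made so the checks can run stand-alone; on a real host, call the functions with an empty ROOT.

```shell
#!/bin/sh
# Added example (not from the original post): audit the host-side DMA
# defences against a hostile Thunderbolt peripheral. Paths are the sysfs
# locations documented in the Linux kernel's thunderbolt admin guide; the
# ROOT argument is an assumption so the checks can run against a constructed
# tree for demonstration.

# Prints "yes" when the kernel exposes at least one IOMMU group, which means
# DMA remapping is active; "no" otherwise (no IOMMU, or not enabled at boot).
iommu_enabled() {
    root="${1:-}"
    groups="$root/sys/kernel/iommu_groups"
    if [ -d "$groups" ] && [ -n "$(ls -A "$groups" 2>/dev/null)" ]; then
        echo yes
    else
        echo no
    fi
}

# Prints the security level of the first Thunderbolt domain ("none", "user",
# "secure", "dponly", "usbonly") or "absent" when no controller is present.
# "none" means every hot-plugged device is authorized for PCIe/DMA
# automatically, with no user approval step.
tb_security_level() {
    root="${1:-}"
    for d in "$root"/sys/bus/thunderbolt/devices/domain*; do
        if [ -f "$d/security" ]; then
            cat "$d/security"
            return 0
        fi
    done
    echo absent
}

# Counts Thunderbolt devices whose "authorized" attribute is non-zero, i.e.
# devices that already have a PCIe tunnel and therefore DMA capability.
tb_authorized_count() {
    root="${1:-}"
    n=0
    for f in "$root"/sys/bus/thunderbolt/devices/*/authorized; do
        [ -f "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Overall verdict: "exposed" when a plugged-in device would be authorized
# automatically and no IOMMU stands between it and RAM; "guarded" otherwise.
dma_verdict() {
    root="${1:-}"
    if [ "$(iommu_enabled "$root")" = "no" ] && \
       [ "$(tb_security_level "$root")" = "none" ]; then
        echo exposed
    else
        echo guarded
    fi
}

# --- constructed sysfs tree for a stand-alone run (not a real machine) ---
DEMO="$(mktemp -d)"
mkdir -p "$DEMO/sys/bus/thunderbolt/devices/domain0" \
         "$DEMO/sys/bus/thunderbolt/devices/0-1"
echo none > "$DEMO/sys/bus/thunderbolt/devices/domain0/security"
echo 1 > "$DEMO/sys/bus/thunderbolt/devices/0-1/authorized"
# No /sys/kernel/iommu_groups directory in the constructed tree: IOMMU off.

printf 'iommu=%s security=%s authorized=%s verdict=%s\n' \
    "$(iommu_enabled "$DEMO")" "$(tb_security_level "$DEMO")" \
    "$(tb_authorized_count "$DEMO")" "$(dma_verdict "$DEMO")"
# To audit the live host instead: dma_verdict ""
```

A "guarded" verdict only says that one of the two defences is in place; a security level of "user" still hands DMA access to any device the user approves, and an IOMMU only helps if the OS actually places the tunnelled PCIe device behind it, which is the gap the researchers probed.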
I’ve got a very strong sense of déjà vu here. These weaknesses with Thunderbolt ports were well known in the past. Thunderbolt is essentially an external link to the system bus.
The solution back at the time was to add access controls via IOMMU… big surprise, they got it wrong:
Thunderbolt’s lack of a separate DMA controller between the bus and peripherals helps reduce components, but allowing peripherals to initiate DMA transfers to RAM of their choosing was a recipe for disaster. With some work, IOMMU helps to tame it, but I’m quite astonished this design got the green light in the first place. Peripherals have no business being a bus master and poking into computer memory addresses. Think about how that’s supposed to work in the normal case for a second: a driver on the host allocates memory for a buffer and then passes this as a pointer to the peripheral. The peripheral, say a Thunderbolt drive, is then expected to read/write directly into host RAM at the address it was told to use. Simple? Yes. Secure? Not at all; Thunderbolt simply trusts that peripherals are using the addresses they were told to use.
A SATA drive, by contrast, doesn’t know about host memory. Rather, it’s the SATA controller on the motherboard that performs the DMA, such that all transfers are enforced by the operating system. Same for USB. While it’s possible for there to be other vulnerabilities in these subsystems, Thunderbolt is notable because it is extremely vulnerable by design. Up until IOMMUs its security was based entirely on trust, and based on the authors’ findings it still remains vulnerable.