Dubbed OMG Cables, these new variants are more capable than their counterparts. According to their creator, payloads can be triggered from over one mile away. Attackers can use them to log keystrokes and change keyboard mappings. There is also a geofencing feature, a kill switch and the ability to forge the identity of specific USB devices, like those that can leverage a specific vulnerability.
While it’s unlikely us random, generic people will ever be the target of tools like this, there’s no doubt in my mind they’re being used all over the world to monitor dissidents, spy on competing companies, and so on.
USB C is “generally” safe… however, type-C is not.
The same* cable can carry thunderbolt 3, which is essentially an external PCI device with DMA access. I think there have been some patches to address that, but one would not know whether those are applied on the current system.
And Apple famously hid an ARM based airplay server inside their video cables: https://panic.com/blog/the-lightning-digital-av-adapter-surprise/ . So instead of adding basic DisplayPort/VGA signals in the phones, they decided to provide extensive capabilities and responsibilities to the cable side.
So, even though plain old USB is generally safe, USB looking cables can be really dangerous. And this does not include plain old autorun attacks, or general vulnerabilities.
This could be “solved” by removing direct hardware access from cable protocols (probably requires throwing away lots of accessories), and the OS UI showing an explicit list of devices detected, especially for new cables. (i.e.: “You have just plugged in a charger, network adapter, display and keyboard. Would you like to continue?” would be enough to throw off many attacks)
sukru,
Autorun attacks and driver vulnerabilities are the fault of the operating system. It’s not good, but at least those are OS vulnerabilities that can be fixed in the OS.
Yeah, unfortunately with thunderbolt being incorporated into the usb4 spec, this is introducing hardware vulnerabilities to USB-C ports and there are no great OS level mitigations. Thunderbolt was always bad for security by design because the DMA IO operations are performed by the peripheral, giving them access to system memory. An IOMMU is the official way to mitigate this, isolating the peripheral. IOMMU can be effective, but full isolation ends up losing all the performance benefits of DMA by copying data through bounce buffers, which is very inefficient and completely defeats the performance benefits of thunderbolt in the first place. So drivers of various operating systems handle this differently; for example, if I recall correctly the linux driver maps all networking devices into the same address space, so a thunderbolt network card can access all networking packets (including lo-loopback packets used by x windows and other daemons). It’s going to be necessary for all drivers to make these compromises between performance and security. I wish they had fixed these issues before ratifying them in the usb specification. One solution would have been to move the DMA controller out of the peripheral to the motherboard where it can be trusted, but they did not do this.
I’m not saying there’s never a reason to have an unsafe thunderbolt device, an eGPU is a good thunderbolt use case. You want an eGPU to be as functional as a regular internal GPU. It has a very good reason to use DMA for rapidly feeding execution units from userspace applications. An eGPU is generally something one purchases for themselves, you’re not generally swapping eGPUs with peers like we do with USB thumb drives/cameras/etc. You clearly do not want something like a camera or printer to have host memory access. The problem is now a user cannot tell whether the peripheral is capable of spying on the host or not because they all share the same physical usb-c connector.
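The two points above (sukru's that one cannot tell whether DMA mitigations are applied on the current system, and Alfman's on the IOMMU and authorized Thunderbolt peripherals) can actually be checked on Linux. The following is an added example, not code from the thread: it reads the sysfs attributes the Thunderbolt driver exposes under /sys/bus/thunderbolt/devices and flags any authorized device on a domain without reported IOMMU DMA protection. The tree root is a parameter so the function runs here against a constructed sample tree; the vendor/device names in that sample are made up.

```shell
# Added example (not from the thread). Linux exposes the Thunderbolt state this
# discussion is about via sysfs: domainN/iommu_dma_protection says whether the
# kernel reports IOMMU-based DMA protection, and each device's "authorized"
# attribute says whether its PCIe tunnel (and thus DMA) has been enabled.
# The root is a parameter so the function can run on a constructed tree;
# on a real host use /sys/bus/thunderbolt/devices.

tb_report() {
    root="$1"
    rc=0
    prot=0   # older kernels lack iommu_dma_protection; treat missing as 0
    for dom in "$root"/domain*; do
        [ -d "$dom" ] || continue
        prot=$(cat "$dom/iommu_dma_protection" 2>/dev/null || echo 0)
        if [ "$prot" = "1" ]; then
            echo "$(basename "$dom"): kernel DMA protection (IOMMU) enabled"
        else
            echo "$(basename "$dom"): WARNING no IOMMU DMA protection reported"
        fi
    done
    for dev in "$root"/[0-9]*-[0-9]*; do
        [ -f "$dev/authorized" ] || continue   # host router / retimer entries
        auth=$(cat "$dev/authorized")
        name="$(cat "$dev/vendor_name" 2>/dev/null) $(cat "$dev/device_name" 2>/dev/null)"
        case "$auth" in
            0) state="not authorized (no PCIe tunnel, cannot DMA)" ;;
            1) state="authorized" ;;
            2) state="authorized with key" ;;
            *) state="unknown ($auth)" ;;
        esac
        echo "$(basename "$dev"): $name: $state"
        # An authorized device on a domain without IOMMU protection is the
        # honor-system case discussed above: flag it via the exit status.
        [ "$auth" = "0" ] || [ "$prot" = "1" ] || rc=1
    done
    return $rc
}

# Constructed sample tree standing in for /sys/bus/thunderbolt/devices.
# $1 = value for iommu_dma_protection, $2 = value for the dock's "authorized".
make_sample() {
    t=$(mktemp -d)
    mkdir -p "$t/domain0" "$t/0-0" "$t/0-1"
    echo "$1" > "$t/domain0/iommu_dma_protection"
    echo "$2" > "$t/0-1/authorized"
    echo "ExampleVendor" > "$t/0-1/vendor_name"
    echo "Example Dock" > "$t/0-1/device_name"
    echo "$t"
}
```

On a real machine run `tb_report /sys/bus/thunderbolt/devices`; a non-zero exit means a peripheral has a PCIe tunnel without the kernel reporting IOMMU protection for it.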
Yes, they should have spent a bit more time on the design.
It feels like big companies and standards committees need to ask “what could possibly go wrong?” when they introduce a new design. We are no longer in the age where campus computers pass telnet traffic in plaintext, and security is an important concern.
It is not like Thunderbolt is a cheap standard either.
I am curious why you say USB-C is “generally” safe when there are well-known USB attacks. The Lightning cable attack above is a variation of an older USB attack.
Nor do USB attacks have to rely on OS vulnerabilities. They could simply snoop, or transmit the data being sent over the cable to be retrieved or analyzed at some other time, or inject malicious data into the data being transmitted.
USB doesn’t have to rely on DMA, but many USB controllers have it, which opens up at least the possibility of a DMA attack, though it wouldn’t be easy.
USB is inherently a pull based protocol, and various hacks that use the USB ports actually depend on other vulnerabilities (OS misconfiguration, unlocked workstation, unpatched drivers, bad drivers, bad hardware, etc).
For example: https://techcrunch.com/2014/12/18/this-little-usb-necklace-hacks-your-computer-in-no-time-flat/ can be stopped by just locking your workstation. No external keyboard / mouse can brute force a modern login screen.
And of course you can hack “downstream”. The cable can send keystrokes, and so can the keyboard. Raspberry Pi 400 fits an entire computer inside the keyboard. https://www.raspberrypi.org/products/raspberry-pi-400/. But again, you cannot hack *upstream* easily.
On the other hand Thunderbolt has/had DMA access initiated from the hardware, which is a very different kind of attack vector.
So explain how “(OS misconfiguration, unlocked workstation, unpatched drivers, bad drivers, bad hardware, etc).” are responsible for USB data snooping/modification attacks implemented in the cable?
I don’t think we need to get confrontational.
Once again, USB cannot be(*) used to attack upstream, but only downstream. Of course a cable can be used to snoop what goes through it. So can a modified hub, and so can the keyboard itself. There is nothing that protects any user from using malicious hardware.
Even the HDMI folks cannot prevent the signal from being snooped and extracted, however much they try to encrypt the traffic.
@sukru forgive me, I wasn’t trying to be confrontational. However, if you acknowledge that there can be USB attacks, I don’t see how you can say USB is generally safe. Safety is far more of a binary than a gradation.
Also yes thunderbolt has more attack surfaces, but that is true of PCIe which is all Thunderbolt is (more or less).
jockm,
sukru is right though and the difference is pretty substantial. The USB protocol (up until now) does not provide peripherals with any means to access the host. A USB device can’t just start probing your system bus, it has to go through a driver which is programmed to interact with USB peripherals. Thunderbolt on the other hand connects to the system bus and has DMA capabilities. The assumption was always for thunderbolt devices to use this DMA capability to fill application buffers as requested, but it’s a bit of an honor system.
Consider a parallel analogy of people spending cash at a convenience store. USB is like having customers pay through a clerk. The clerk accesses the till and returns the appropriate change. You could do away with the clerk entirely and allow customers to access the till directly; this is more akin to what thunderbolt does. If everyone is honest (and error-free), then the results should be the same either way, but if someone is seeking to exploit the system, the USB approach is inherently far more secure than thunderbolt, which relies on the honor system.
Yes, that’s a good way to look at thunderbolt, and that is why you should NOT be plugging in thunderbolt devices in public. The problem is that what used to be a relatively safe interface will share the same physical usb-c connector as a very unsafe interface going forward. Something as mundane as plugging in a mouse or public projector objectively exposes you to a much greater attack surface than before.
Alfman,
Thanks, that was a better explanation than mine.
jockm,
Sorry, maybe I misread the tone.
Lightning is the Apple version of Thunderbolt and it seems Microsoft is well aware of the risks:
https://www.windowscentral.com/leaked-video-shares-why-surface-devices-dont-support-thunderbolt
walid,
Yea, it’s been known for a long time in security circles. The flaws go back to firewire. Rather than fixing the fundamental security issues or denying insecure peripherals by default, they just keep adding mitigations while ignoring the underlying weaknesses.
IMHO, given that engineers know there are vulnerabilities, at the very minimum the user should be notified that the device might be able to access the system.
I mean they are also saying security is also the reason why the ram isn’t upgradable too according to that story…