No fewer than seven serious Thunderbolt security flaws have been discovered, affecting machines with both standalone Thunderbolt ports and the Thunderbolt-compatible USB-C ports used on modern Macs.

The flaws allow an attacker to access data even when the machine is locked, and even when the drive is encrypted …

The vulnerabilities are present in all machines with Thunderbolt/Thunderbolt-compatible USB-C ports shipped between 2011 and 2020.

Security researcher Björn Ruytenberg found seven vulnerabilities in Intel’s Thunderbolt chips, and nine ways to exploit them.

1. Inadequate firmware verification schemes

2. Weak device authentication scheme

3. Use of unauthenticated device metadata

4. Downgrade attack using backwards compatibility

5. Use of unauthenticated controller configurations

6. SPI flash interface deficiencies

7. No Thunderbolt security on Boot Camp

There is no way to detect that a machine has been compromised.

Thunderspy is stealth, meaning that you cannot find any traces of the attack. It does not require your involvement, i.e., there is no phishing link or malicious piece of hardware that the attacker tricks you into using. Thunderspy works even if you follow best security practices by locking or suspending your computer when leaving briefly, and if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption. All the attacker needs is 5 minutes alone with the computer, a screwdriver, and some easily portable hardware.

These vulnerabilities lead to nine practical exploitation scenarios. In an evil maid threat model and varying Security Levels, we demonstrate the ability to create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices, and finally obtain PCIe connectivity to perform DMA attacks. In addition, we show unauthenticated overriding of Security Level configurations, including the ability to disable Thunderbolt security entirely, and restoring Thunderbolt connectivity if the system is restricted to exclusively passing through USB and/or DisplayPort. We conclude with demonstrating the ability to permanently disable Thunderbolt security and block all future firmware updates.

Macs are fully vulnerable to all of the Thunderbolt security flaws when running Bootcamp, and ‘partly affected’ when running macOS.

MacOS employs (i) an Apple-curated whitelist in place of Security Levels, and (ii) IOMMU virtualization when hardware and driver support is available. Vulnerabilities 2–3 enable bypassing the first protection measure, and fully compromising authenticity of Thunderbolt device metadata in MacOS “System Information”. However, the second protection measure remains functioning and hence prevents any further impact on victim system security via DMA. The system becomes vulnerable to attacks similar to BadUSB. Therefore, MacOS is partially affected.

Further details of the Mac vulnerabilities can be found below.

Ruytenberg informed both Intel and Apple of his discoveries, but says that as the Thunderbolt security flaws are present in the controller chips, there is no way to fix the vulnerabilities via a software update.

Below is a description of how the vulnerabilities can be exploited on a Mac running macOS. This is essentially performed by fooling the Mac into thinking the attack kit is an Apple-approved Thunderbolt accessory.



3.4 Exploitation scenarios for vulnerabilities 2-3, 7 on Apple Mac systems

3.4.1 Cloning an Apple-whitelisted device identity to an attacker device (MacOS) 4

Threat model

We assume an “evil maid” threat model, in which the attacker exclusively has physical access to a victim system. The system is in a locked (S0) or sleep (S3) state, while running MacOS.

Preparation

1. Acquire a MacOS-certified Thunderbolt device.

2. Disassemble the MacOS-certified device enclosure. Obtain the firmware image from the Thunderbolt controller’s SPI flash of the MacOS-certified device.

3. Disassemble the attacker device enclosure. Obtain the firmware image from the Thunderbolt controller’s SPI flash of the attacker device.

4. Connect the MacOS-certified device to the attacker system. On the attacker system, using e.g. tbtadm on Linux, obtain the UUID of the MacOS-certified device.

5. Locate the DROM section by searching for the string DROM in the attacker device firmware image. Figure 6 depicts the DROM data structure. Using the figure as a reference, locate the appropriate offsets and replicate the MacOS-certified device UUID.

6. Compute uid crc8 and replicate the value at the appropriate offset.

7. Write the image to the attacker device SPI flash.

Procedure

1. Connect the attacker device to the victim system.

Verification

1. Observe that the victim system identifies the attacker device as being a MacOS-certified device. Figure 2 demonstrates an example scenario, showing a forged Thunderbolt device identity in the MacOS “System Information” application.



Intel commented:

In 2019, major operating systems implemented Kernel Direct Memory Access (DMA) protection to mitigate against attacks such as these. This includes Windows (Windows 10 1803 RS4 and later), Linux (kernel 5.x and later), and MacOS (MacOS 10.12.4 and later). The researchers did not demonstrate successful DMA attacks against systems with these mitigations enabled. Please check with your system manufacturer to determine if your system has these mitigations incorporated. For all systems, we recommend following standard security practices, including the use of only trusted peripherals and preventing unauthorized physical access to computers.

DOWNLOAD

System Requirements:
10.9.4 and later

This update improves reliability when connecting devices to the Apple Thunderbolt Display, and addresses a rare issue that may cause the display to go black.

Πραγματικότητα γίνονται πλεον τα οπτικά καλώδια που θα χρησιμοποιηθούν για την γνωστή τεχνολογία γρήγορης διαμεταγωγής δεδομένων, Thunderbolt, κάτι που είχε αρχικά ειπωθεί πριν από ένα χρόνο, όταν η κυκλοφορία τους και η έλευσή τους στα ράφια των καταστημάτων δεν αποτελούσαν κάτι περισσότερο από φήμες.

Η μετάβαση στα συγκεκριμένα καλώδια οπτικών ινών θα έχει πολλά πλεονεκτήματα, κυρίως όμως θα προσφέρει γρηγορότερες ταχύτητες μεταφοράς δεδομένων που μπορεί να αγγίξουν ακόμη και τα 100Gbps αλλά και μεγαλύτερα καλώδια σε μήκος (έως και 30 μέτρων).

Αυτή τη στιγμή στην αγορά κυκλοφορούν καλώδια χαλκού που η ταχύτητα περιορίζεται στα 10Gbps και το μήκος του καλωδίου στα 3 μέτρα. Η Sumitomo Electric Industries, ισχυρίζεται ότι είναι η εταιρεία που η Intel έχει πιστοποιήσει και εμπιστευθεί επισήμως το δύσκολο έργο της μαζικής παραγωγής καλωδίων οπτικών ινών για την τεχνολογία Thunderbolt.

Το σίγουρο είναι ότι και άλλες εταιρείες θα ακολουθήσουν ενώ η άφιξή τους στα ράφια των καταστημάτων αναμένεται να λάβει χώρα μέσα στο 2013. Άγνωστη παραμένει προς το παρόν η τιμή τους αλλά αναμένεται να είναι αρκετά υψηλότερη σε σχέση με αυτή των καλωδίων χαλκού.

Άλλωστε ένας λόγος που τα καλώδια Thunderbolt κοστίζουν, είναι ότι αυτά έχουν εξειδικευμένα ηλεκτρονικά chips στο εσωτερικό τους, που η παραγωγή τους είναι αρκετά δαπανηρή. Η Intel από την μεριά της υπόσχεται να μειώσει τα κόστη με την διάθεση νέων controllers μέσα στο 2013.

Ένα μειονέκτημα των ινών είναι ότι δεν θα μπορούν να μεταφέρουν ηλεκτρικό ρεύμα. Δεν αποκλείεται να δούμε στο μέλλον και την πρόταση μιας υβριδικής λύσης που θα κάνει εφικτή την μεταφορά ενέργειας αλλά και δεδομένων μέσα από τα συγκεκριμένα καλώδια.

DOWNLOAD

Version: 1.1
Post Date: Nov 27, 2012
Download ID: DL1612
File Size: 442 KB
System Requirements
▪ OS X Lion 10.7.4 or later

About Thunderbolt Firmware Update v1.1

This update addresses an issue with MacBook Pro (mid 2012) and some Thunderbolt cables that may prevent bus-powered Thunderbolt devices from functioning properly.