Major Thunderbolt security flaw found in Macs and PCs
- 12 May, 2020 06:04
Security researcher Björn Ruytenberg with the Eindhoven University of Technology recently published a report detailing a series of serious security vulnerabilities in Thunderbolt 2 and Thunderbolt 3, collectively called 'Thunderspy'.
They affect every single computer with a Thunderbolt 2 or Thunderbolt 3 port, including old-style port connectors and new Type-C connectors, whether the computers are running Windows, Linux, or macOS.
How badly does this security flaw impact Mac users?
Seven Thunderspy vulnerabilities
Ruytenberg describes seven vulnerabilities in his paper. They are as follows.
Inadequate firmware verification schemes
Weak device authentication scheme
Use of unauthenticated device metadata
Use of unauthenticated controller configurations
SPI flash interface deficiencies
No Thunderbolt security on Boot Camp
It’s beyond the scope of this article to get into exactly what each of these mean and how they can be exploited to breach systems with Thunderbolt ports.
Just know this: Macs are only susceptible to vulnerabilities 2 and 3 when running macOS, and even then only partially so. Running Windows or Linux on a Mac using Boot Camp makes a user vulnerable to all of them.
How users could be hacked
The good news is that it would not necessarily be easy for a hacker to break into a Mac with these exploits. They have to have physical access to the computer and a prepared Thunderbolt hacking device.
These sorts of vulnerabilities are often called 'evil maid' threats. They require the attacker to have unimpeded and undetected access to a computer for at least a few minutes. It’s highly unlikely someone would be able to take advantage of these exploits if a user closed the lid of a MacBook and stepped away from it for a minute in a coffee shop.
The worst of these vulnerabilities can happen while a Mac is in sleep mode, but not while it is powered off.
Intel has issued a statement about these threats.
"In 2019, major operating systems implemented Kernel Direct Memory Access (DMA) protection to mitigate against attacks such as these," the vendor stated. "This includes Windows (Windows 10 1803 RS4 and later), Linux (kernel 5.x and later), and MacOS (MacOS 10.12.4 and later). The researchers did not demonstrate successful DMA attacks against systems with these mitigations enabled.
"Please check with your system manufacturer to determine if your system has these mitigations incorporated. For all systems, we recommend following standard security practices, including the use of only trusted peripherals and preventing unauthorised physical access to computers."
The real worry here is for Boot Camp users. When in Boot Camp, Apple has the Thunderbolt controller set to security level “none” (SL0), which means a hacker with access to a computer running Boot Camp could easily access the contents of RAM or a hard drive, bypassing the lock screen.
For those running macOS, users must have updated to at least macOS 10.12.4. If users have, the practical dangers of the Thunderspy vulnerability are pretty narrow. If the version of macOS is older, a hacker with physical access to a Thunderbolt port could potentially copy contents of RAM or storage.
Even with a fully up-to-date macOS, a hacker could make a Thunderbolt device that copies the legitimate security ID of an officially supported device, and then use it to execute some port-based attacks similar to what hackers can do on USB ports. Those tend to be slow and limited in scope compared to directly accessing the contents of your RAM or storage.
What users should do
Ruytenberg has suggested a number of things Mac users can do to help protect themselves:
Connect only to their own Thunderbolt peripherals. Never lend them to anybody
Avoid leaving the system unattended while powered on, even when screen locked
Avoid leaving Thunderbolt peripherals unattended
Ensure appropriate physical security when storing the system and any Thunderbolt devices, including Thunderbolt-powered displays
Consider using hibernation (Suspend-to-Disk) or powering off the system completely. Specifically, avoid using sleep mode (Suspend-to-RAM)
If users use Boot Camp to run Windows or Linux on a Mac, make sure it is powered down whenever it's unattended. If they're just running macOS, make sure they have updated to the latest version of macOS, and exercise the same precautions about Thunderbolt devices as they should about USB devices.
If users don't know where a Thunderbolt device has been, don't plug it into the Mac, and don't leave the Mac turned on (even if locked) and unattended where people can access it.
Should users be worried?
Most Mac users should not be terribly concerned about this particular security vulnerability. If a macOS install isn't way out of date and the user is practicing good physical security they don't have a lot to fear from this avenue of attack.
Remote attacks that use Wi-Fi or Bluetooth, or attempt to infect a computer with software downloaded over the Internet, are vastly more common than attacks like these that require physical access to a computer.
Users who run Boot Camp, especially in public places, should be particularly careful. When running Windows or Linux via Boot Camp, the Thunderbolt port on a Mac is more or less wide open.
We can probably expect Apple to issue a software update to make Boot Camp more secure in the near future. If users have to use Boot Camp, they should fully shut down their Mac whenever they leave it unattended.