Thunderclap Vulnerability Affects USB-C and DisplayPort Ports, Lets Malicious Peripherals Exploit the Thunderbolt Interface
The Thunderclap vulnerabilities were discovered by security researchers at the University of Cambridge Computer Laboratory, working with colleagues at Rice University and SRI International, in work led by Theo Markettos, a senior researcher at Cambridge. The research was presented at the NDSS 2019 symposium.
What is Thunderclap Vulnerability?
Thunderclap is a set of vulnerabilities that let an attacker with a malicious or compromised peripheral abuse the privileged direct memory access (DMA) that a Thunderbolt connection grants to attached devices, reading and writing the memory of the targeted machine without going through the operating system.
Thunderbolt is the brand name of a hardware interface developed by Intel (in collaboration with Apple) that allows the connection of external peripherals to a computer.
Thunderbolt combines PCI Express (PCIe) and DisplayPort (DP) into two serial signals, and additionally provides DC power, all in one cable. Up to six peripherals may be supported by one connector through various topologies. Thunderbolt 1 and 2 use the Mini DisplayPort connector and Thunderbolt 3 uses the USB-C connector, which is why ports that look like ordinary display or USB-C ports expose the PCIe DMA path at issue here.
What is in the Research?
“We studied the defences of existing systems in the face of malicious DMA-enabled peripheral devices and found them to be very weak,” said Markettos in the research paper.
</gre_replace>
<gr_replace lines="10-11" cat="clarify" orig="The researchers said that Windows">
According to the researchers, Windows 7, 8 and 10 Home and Pro did not support the IOMMU at all, so those systems had no protection against this class of attack; Windows 10 Enterprise could enable it, but only in a limited form.
In computing, an input–output memory management unit (IOMMU) is a memory management unit that sits between a DMA-capable I/O bus and main memory, translating the addresses a device uses and rejecting accesses to memory that has not been mapped for that device. On a Linux system, whether the IOMMU is active can be checked from the kernel log (dmesg lines mentioning DMAR or IOMMU) and from the presence of entries under /sys/kernel/iommu_groups/; the authorization state of attached Thunderbolt devices is exposed in /sys/bus/thunderbolt/devices/*/authorized.
“The primary defence is a component called the Input-Output Memory Management Unit (IOMMU), which, in principle, can allow devices to access only the memory needed to do their job and nothing else. However, we found existing operating systems do not use the IOMMU effectively.”
The researchers said that Windows Operating system version 7,8 and 10 home and pro don’t support IOMMU.
In computing, an input–output memory management unit (IOMMU) is a memory management unit that connects a direct-memory-access–capable I/O bus to the main memory.
The researchers described their approach and findings as follows:
“We built a fake network card that is capable of interacting with the operating system in the same way as a real one, including announcing itself correctly, causing drivers to attach, and sending and receiving network packets. To do this, we extracted a software model of an Intel E1000 from the QEMU full-system emulator and ran it on an FPGA. Because this is a software model, we can easily add malicious behaviour to find and exploit vulnerabilities.
“We found the attack surface available to a network card was much richer and more nuanced than was previously thought. By examining the memory it was given access to while sending and receiving packets, our device was able to read traffic from networks that it wasn’t supposed to. This included VPN plaintext and traffic from Unix domain sockets that should never leave the machine.
“On macOS and FreeBSD, our network card was able to start arbitrary programs as the system administrator, and on Linux it had access to sensitive kernel data structures. Additionally, on macOS devices are not protected from one another, so a network card is allowed to read the display contents and keystrokes from a USB keyboard.
“Worst of all, on Linux we could completely bypass the enabled IOMMU, simply by setting a few option fields in the messages that our malicious network card sent,” said Theo Markettos.
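The two failure modes above are easier to see in a small model. The following C program is an added example and is not the researchers' Thunderclap code or the E1000 model they used: it simulates an IOMMU that can only map whole 4 KiB pages, a kernel driver that places a 256-byte receive buffer in a page shared with unrelated data (a constructed "VPN plaintext" string), and a malicious network card that reads the entire window it has been granted. It also models the "option fields" bypass as a flag on the DMA request that a misconfigured IOMMU honours as "address already translated" (this corresponds to the PCIe Address Translation Services mechanism the paper describes for Linux). All names (kernel_setup, driver_map_shared_page, driver_map_bounce_page, device_scan, scenario) and the sample data are assumptions made for the illustration.

```c
/*
 * Added illustration of the Thunderclap findings, not the researchers' code.
 * Model: an IOMMU with 4 KiB page-granularity mappings, a kernel that puts a
 * small DMA buffer in a page shared with other data, and a malicious NIC
 * that reads everything the IOMMU lets it reach.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE  4096u
#define NPAGES     4
#define PKT_LEN    256u    /* bytes the driver actually needs the device to see */
#define SECRET_OFF 2048u   /* unrelated sensitive data in the same page        */

/* Constructed sample of data that should never be visible to the device. */
static const char SECRET[] = "VPN plaintext: user=alice pass=hunter2";

static uint8_t phys_mem[NPAGES * PAGE_SIZE]; /* simulated RAM                      */
static int     iommu_map[NPAGES];            /* IOVA page -> phys page, -1 = unmapped */
static bool    iommu_trust_ats;              /* honour the device's "translated" bit? */

static void iommu_reset(bool trust_ats) {
    for (int i = 0; i < NPAGES; i++) iommu_map[i] = -1;
    iommu_trust_ats = trust_ats;
}

/* Device-side DMA read within one page, checked by the IOMMU. Returns false on
 * an IOMMU fault. `translated` models the "already translated" option bit a
 * malicious device can set; a trusting IOMMU then skips its own lookup. */
static bool dma_read(uint32_t iova, bool translated, uint8_t *dst, size_t len) {
    uint32_t page = iova / PAGE_SIZE, off = iova % PAGE_SIZE;
    if (page >= NPAGES || off + len > PAGE_SIZE) return false;
    int phys;
    if (translated && iommu_trust_ats)
        phys = (int)page;              /* bypass: address used unchecked */
    else if (iommu_map[page] >= 0)
        phys = iommu_map[page];        /* normal translation */
    else
        return false;                  /* IOMMU fault: page not mapped */
    memcpy(dst, phys_mem + (size_t)phys * PAGE_SIZE + off, len);
    return true;
}

/* Kernel side: page 0 holds a 256-byte rx buffer at offset 0 and, further
 * into the same page, unrelated sensitive data. */
static void kernel_setup(bool trust_ats) {
    memset(phys_mem, 0, sizeof phys_mem);
    iommu_reset(trust_ats);
    memcpy(phys_mem, "incoming-packet", 16);
    memcpy(phys_mem + SECRET_OFF, SECRET, sizeof SECRET);
}

/* Weak driver: maps the whole page containing the buffer, because the IOMMU
 * cannot express "only these 256 bytes". */
static void driver_map_shared_page(void) { iommu_map[0] = 0; }

/* Hardened driver: copies the buffer into a page that holds nothing else
 * (a bounce buffer) and maps only that page. */
static void driver_map_bounce_page(void) {
    memcpy(phys_mem + PAGE_SIZE, phys_mem, PKT_LEN);
    iommu_map[0] = 1;
}

/* Malicious NIC: told its buffer is at IOVA 0, it reads the full 4 KiB window
 * and searches it for `needle`. Returns the offset found, -1 if absent, or
 * -2 if the IOMMU faulted the read. */
static long device_scan(const char *needle, bool translated) {
    uint8_t window[PAGE_SIZE];
    if (!dma_read(0, translated, window, PAGE_SIZE)) return -2;
    size_t n = strlen(needle);
    for (size_t off = 0; off + n <= PAGE_SIZE; off++)
        if (memcmp(window + off, needle, n) == 0) return (long)off;
    return -1;
}

/* One scenario end to end: driver choice, IOMMU policy, device behaviour. */
static long scenario(bool bounce, bool trust_ats, bool translated) {
    kernel_setup(trust_ats);
    if (bounce) driver_map_bounce_page(); else driver_map_shared_page();
    return device_scan("pass=", translated);
}

int main(void) {
    printf("shared page, plain DMA     : offset %ld\n", scenario(false, false, false));
    printf("bounce page, plain DMA     : offset %ld\n", scenario(true,  false, false));
    printf("bounce page, ATS trusted   : offset %ld\n", scenario(true,  true,  true));
    printf("bounce page, ATS ignored   : offset %ld\n", scenario(true,  false, true));
    return 0;
}
```

The first scenario is the sub-page sharing problem: the driver only needs 256 bytes, but the device can read the password at offset 2074 because the IOMMU mapped the whole page. The bounce buffer fixes that, and the third scenario shows it being undone again when the IOMMU trusts the device's "already translated" claim; the fourth shows the same request rejected once that claim is ignored.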
The researchers have also been working with vendors, helping them audit their systems and ship mitigations: Apple fixed the specific macOS vulnerability in 10.12.4, Windows 10 version 1803 introduced Kernel DMA Protection for new machines, and Linux 5.0 enables the IOMMU for Thunderbolt devices. Until a system has such protection, the practical defence is to treat Thunderbolt and USB-C ports as untrusted and not to connect peripherals, chargers or docks of unknown provenance.