Thunderclap security flaw
Thunderclap is a set of vulnerabilities that puts computers at risk from peripheral devices such as network cards, storage and graphics cards, and even chargers and video projectors. The flaws are in the Thunderbolt hardware interface, developed by Intel and Apple, which allows external peripherals to connect to a computer. According to researchers from the University of Cambridge, Rice University and SRI International, these vulnerabilities allow a hacker with physical access to a Thunderbolt port to compromise a machine in seconds, running arbitrary code at the highest privilege level and gaining access to passwords, banking logins, encryption keys, private files, browsing history and other data.
Thunderbolt is widely used, and the vulnerabilities affect a range of computers with Thunderbolt ports running Windows, macOS, Linux and FreeBSD, including many laptops and an increasing number of desktops, especially those produced since 2016. Thunderbolt 3 is often supported via USB Type-C ports on modern laptops, and machines with older versions of Thunderbolt via Mini DisplayPort connectors are also affected.
The Thunderclap vulnerabilities allow hackers to get around operating system protections by taking advantage of peripherals' direct memory access, or DMA. Network cards and GPUs have traditionally been trusted parts of a computer system, using DMA to read and write all of system memory without operating system oversight. DMA therefore lets peripherals bypass operating system security policies, and DMA attacks abusing this access have been widely used by hackers and the intelligence community to take control of and steal data from target machines. This means passwords, banking logins, private files and browser activity are all exposed, and a hacker can inject any code they wish onto your machine.
To mitigate those kinds of attacks, modern machines include a set of protections known as input-output memory management units, or IOMMUs, which allow the operating system to block all memory access from unrecognized devices and to grant recognized devices access only to non-sensitive regions of memory. The problem with IOMMU protection is that it is often turned off by default because it impacts performance. A further issue is that current operating systems also put sensitive data in the same regions of memory used for peripheral device communication, which facilitates attacks even when the IOMMU is enabled.
A hacker can exploit the vulnerabilities by tricking users into connecting a malicious device. This is made easier because Thunderbolt devices communicate via the PCI Express protocol, which allows legitimate devices to be trojanized and which supports hot plugging. It has been shown that a PCI Express device can be swapped out for another without Thunderbolt authentication noticing that the device's internals have been replaced. This means a hacker can buy a device and modify it without Thunderbolt detecting that anything is different about it.
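The two mitigations discussed above, whether the IOMMU is actually switched on and what Thunderbolt device authorization mode the machine is running, can be audited from a Linux host. The script below is an added example, not code from the article or from the Thunderclap researchers. It reads real Linux interfaces (/sys/kernel/iommu_groups, /proc/cmdline and /sys/bus/thunderbolt/devices/domain0/security); the verdict labels, the `audit` report format and the constructed sample tree are assumptions of this example. Windows, macOS and FreeBSD expose the equivalent state differently and are not covered.

```shell
#!/bin/sh
# Added audit script (not from the Thunderclap paper or the article): checks the
# DMA-related protections a Linux kernel exposes through sysfs and /proc.
# Every function takes a root prefix as $1; "" means the live system, and a
# constructed directory tree lets the checks run offline.

# iommu_active ROOT: succeeds if the kernel has populated IOMMU groups, which
# only happens when an IOMMU (Intel VT-d or AMD-Vi) is enabled and in use.
iommu_active() {
    groups="$1/sys/kernel/iommu_groups"
    [ -d "$groups" ] && [ -n "$(ls -A "$groups" 2>/dev/null)" ]
}

# iommu_requested_on_cmdline ROOT: succeeds if the boot command line asks for
# the IOMMU explicitly (it is frequently left off by default, as the article notes).
iommu_requested_on_cmdline() {
    grep -qE '(^| )(intel_iommu=on|amd_iommu=on|iommu=pt)( |$)' "$1/proc/cmdline" 2>/dev/null
}

# thunderbolt_security_level ROOT: prints the Thunderbolt domain security level
# the kernel reports (none, user, secure, dponly, usbonly, nopcie), or "absent"
# when no Thunderbolt domain is present.
thunderbolt_security_level() {
    f="$1/sys/bus/thunderbolt/devices/domain0/security"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# dma_protection_verdict ROOT: one-word summary (labels are this example's own).
#   iommu          - IOMMU active (OS-level DMA buffer isolation still matters)
#   pcie-blocked   - Thunderbolt refuses PCIe tunnels, so no DMA path via the port
#   exposed        - PCIe tunnels allowed and no IOMMU; device authorization
#                    alone does not catch a peripheral whose internals were swapped
#   no-thunderbolt - no Thunderbolt domain and no IOMMU
dma_protection_verdict() {
    if iommu_active "$1"; then
        echo iommu
        return
    fi
    case "$(thunderbolt_security_level "$1")" in
        absent)                echo no-thunderbolt ;;
        none|user|secure)      echo exposed ;;
        dponly|usbonly|nopcie) echo pcie-blocked ;;
        *)                     echo unknown ;;
    esac
}

# build_sample_tree DIR LEVEL WITH_IOMMU(yes|no): constructs a fake sysfs/proc
# layout (constructed sample data, not a real machine) so the checks run offline.
build_sample_tree() {
    mkdir -p "$1/proc" "$1/sys/kernel/iommu_groups" "$1/sys/bus/thunderbolt/devices/domain0"
    if [ "$3" = yes ]; then
        mkdir -p "$1/sys/kernel/iommu_groups/0"
        echo "BOOT_IMAGE=/vmlinuz root=/dev/sda2 intel_iommu=on iommu=pt" > "$1/proc/cmdline"
    else
        echo "BOOT_IMAGE=/vmlinuz root=/dev/sda2 quiet" > "$1/proc/cmdline"
    fi
    echo "$2" > "$1/sys/bus/thunderbolt/devices/domain0/security"
}

# audit ROOT: human-readable report; pass "" for the live system.
audit() {
    printf 'IOMMU active:            %s\n' "$(iommu_active "$1" && echo yes || echo no)"
    printf 'IOMMU on kernel cmdline: %s\n' "$(iommu_requested_on_cmdline "$1" && echo yes || echo no)"
    printf 'Thunderbolt security:    %s\n' "$(thunderbolt_security_level "$1")"
    printf 'Verdict:                 %s\n' "$(dma_protection_verdict "$1")"
}

# Demonstration: a constructed tree first, then the machine this runs on.
sample="$(mktemp -d)"
build_sample_tree "$sample" user no
echo "--- constructed sample (Thunderbolt level 'user', IOMMU off) ---"
audit "$sample"
rm -rf "$sample"
echo "--- live system ---"
audit ""
```

An `iommu` verdict is not the end of the story: as the article notes, the operating system may still place sensitive data in the buffers it shares with peripherals, and no sysfs check reveals that. The `secure` authorization mode is deliberately classified as exposed without an IOMMU, because the article's point is that Thunderbolt device authentication does not notice when a device's internals have been replaced.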
In macOS 10.12.4 and later, Apple fixed the specific network card vulnerability. Microsoft enabled support for the IOMMU for Thunderbolt devices in Windows 10 version 1803, which shipped in 2018. Earlier hardware upgraded to version 1803 requires a firmware update from the vendor.