Newly discovered Thunderclap vulnerabilities found affecting Windows, Mac and Linux systems

• Thunderclap is a collection of flaws that reside in the Thunderbolt hardware interface.
• According to researchers, all the versions of Thunderbolt (from v1 to v3) are impacted by the Thunderclap flaws.

Researchers have discovered a new vulnerability that affects Windows, Mac, Linux and FreeBSD systems. Dubbed as ‘Thunderclap’, the vulnerability was disclosed at the NDSS 2019 security conference. Thunderclap is a collection of flaws that reside in the Thunderbolt hardware interface.

What is Thunderbolt - Thunderbolt is a hardware interface designed by Apple and Intel. It allows the connection of external peripherals such as keyboards, chargers, video projectors etc. with a computer. These interfaces are widely deployed because they combine different capabilities - such as the ability to transmit DC power, serial data and video output - into one single cable.

According to researchers, all the versions of Thunderbolt (from v1 to v3) are impacted by the Thunderclap flaws.

Impact of Thunderclap flaws - The Thunderclap flaws affect all the Apple laptops and desktops that were produced after 2011, with the exception of the 12-inch MacBook. The flaws also impact many Windows and Linux systems produced since 2016.

The Thunderclap vulnerabilities allow attackers to take advantage of Direct Memory Access (DMA) to get around the protection mechanisms preventing attacks. They can enable attackers to create malicious and fully-working peripherals, which when connected via a Thunderbolt, can run malicious code in the operating system’s background.

The Thunderclap vulnerabilities are even capable of bypassing an OS security feature known as Input-Output Memory Management Units (IOMMUs). The reason why these vulnerabilities are able to work against IOMMU is either because operating systems have disabled this feature by default or in cases the feature has been enabled by the user.

The IOMMU was created in the early 2000s to counter malicious peripherals that try to gain access to the entire OS memory.

What has been done till now - The Thunderclap issue was discovered back in 2016 by researchers from the University of Cambridge, Rice University and SRI International. Since then, they have been working with hardware and OS versions to have them fixed.

Mitigations - Here is the current state of patches for different operating systems for these flaws:

Windows - Microsoft has enabled support for the IOMMU for Thunderbolt devices in Windows 10 version 1803. Earlier hardware upgraded to 1803 requires a firmware update from the vendor.

macOS - Apple has addressed the issue in macOS 10.12.4 and later version. “However, the general scope of our work still applies; in particular that Thunderbolt devices have access to all network traffic and sometimes keystrokes and framebuffer data,” said the researchers in a report.

Linux - Intel has released patches to version 5.0 of the Linux kernel. The version enables the IOMMU for Thunderbolt and prevents the protection-bypass vulnerability.

FreeBSD - The malicious peripheral devices of FreeBSD systems are not currently within the threat model. Researchers claim that FreeBSD does not currently support Thunderbolt hotplugging.

In the meantime, users are also advised to disable Thunderbolt ports via BIOS/UEFI firmware settings and to avoid plugging in peripherals from unknown sources.