Researchers have discovered a bug which impacts major operating systems, including Windows, macOS, Linux, and FreeBSD, allowing anyone to bypass protection mechanisms introduced to defend against DMA attacks.
Direct memory access (DMA) attack lets an attacker to compromise a targeted computer by plugging-in a device—such as an external network card, mouse, keyboard, etc—into Thunderbolt 3 port or USB-C port.
These attacks are possible because Thunderbolt port allows connected peripherals to bypass operating system security policies and directly read/write system memory.
By simply plugging in an infected device, created using tools like Interception, can manipulate the contents of the memory and execute arbitrary code with much higher privileges.
Most operating systems and devices leverage Input/Output Memory Management Unit (IOMMU) protection technique to control which peripheral device (usually legitimate) can access memory and which region of the memory.
ThunderClap Flaws Bypass IOMMU to Re-Enable DMA Attacks
Cybersecurity researchers from the University of Cambridge, Rice University, and SRI International has unveiled a set of new vulnerabilities in major operating systems that could allow attackers to bypass IOMMU protection.
“Our work leverages vulnerabilities in operating system IOMMU usage to compromise a target system via DMA, even in the presence of an IOMMU that is enabled and configured to defend against DMA attacks,” the researchers said.
Since IOMMU does not come enabled by default on most operating systems and since modern devices have USB-C, the attack surface of DMA attack has significantly increased which was earlier primarily limited to Apple devices with Thunderbolt 3 ports.
“The rise of hardware interconnects like Thunderbolt 3 over USB-C that combine power input, video output, and peripheral device DMA over the same port greatly increases the real-world applicability of Thunderclap vulnerabilities.”
“In particular, all Apple laptops and desktops produced since 2011 are vulnerable, with the exception of the 12-inch MacBook. Many laptops, and some desktops, designed to run Windows or Linux produced since 2016 are also affected – check whether your laptop supports Thunderbolt.”
How to Protect Against Thunderclap Vulnerabilities
Researchers have reported their findings to all major hardware and operating system vendors, and most of them have already shipped substantial mitigation to address the Thunderclap vulnerabilities.
“In macOS 10.12.4 and later, Apple addressed the specific network card vulnerability we used to achieve a root shell,” researchers said. “Recently, Intel has contributed patches to version 5.0 of the Linux kernel.”
“The FreeBSD Project indicated that malicious peripheral devices are not currently within their threat model for security response.”
Not all software patches can entirely block DMA attacks, users are still advised to install available security updates to reduce the attack surface.
Researchers also developed a proof-of-concept attacking hardware that can execute the ThunderClap vulnerabilities on targeted systems, but they chose not to release it in public at this time.