Thunderspy - A series of attacks on Thunderbolt hardware

Details have been published on seven vulnerabilities in Thunderbolt-equipped hardware, collectively codenamed Thunderspy, which bypass all major Thunderbolt security features. Building on the identified issues, nine attack scenarios are proposed; all of them require local, physical access to the system, either by connecting a malicious device or by manipulating the controller firmware.

The attack scenarios include creating arbitrary Thunderbolt device identities, cloning user-authorized devices, obtaining arbitrary read and write access to system memory via DMA, overriding the Security Level setting (up to completely disabling all protection mechanisms), blocking the installation of firmware updates, and restoring full Thunderbolt connectivity on systems that have been restricted to passing through only USB or DisplayPort.

Thunderbolt is a general-purpose peripheral interface that carries PCIe (PCI Express) and DisplayPort over a single cable. It was developed by Intel in collaboration with Apple and is used in many modern laptops and PCs. Thunderbolt devices are PCIe devices and therefore get direct memory access (DMA), which raises the risk of DMA attacks that read or write all of system memory, or that extract data from encrypted drives whose keys are held in memory. To counter such attacks, Thunderbolt introduced Security Levels, which allow only devices authorized by the user to connect and, at the highest level, use cryptographic authentication of the connection to protect against forged device identities.

The identified vulnerabilities make it possible to bypass this binding and connect a malicious device under the guise of an authorized one. It is also possible to modify the controller firmware and then set the SPI flash to read-only, which can be used to disable Security Levels completely and to block any further firmware updates (the tcfp and spiblock utilities have been prepared for these manipulations). In total, seven issues were disclosed:

  • Inadequate firmware verification schemes;
  • A weak device authentication scheme;
  • Use of unauthenticated device metadata;
  • Backward-compatibility mechanisms that allow downgrade attacks to older, vulnerable protocol versions;
  • Use of unauthenticated controller configuration parameters;
  • Deficiencies in the SPI flash interface;
  • No Thunderbolt security enforced under Boot Camp.

The vulnerabilities affect all devices equipped with Thunderbolt 1 and 2 (Mini DisplayPort based) and Thunderbolt 3 (USB-C based). Whether USB4 and Thunderbolt 4 devices are also affected is not yet clear, since those technologies have only been announced and no implementations are available to test. The vulnerabilities cannot be fixed in software and require a redesign of hardware components. On some newer systems, however, part of the DMA-related exposure can be blocked with Kernel DMA Protection, which began to ship in systems from 2019 (supported in the Linux kernel since release 5.0; whether it is enabled can be checked via "/sys/bus/thunderbolt/devices/domainX/iommu_dma_protection").
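As an added example (not part of the article, the opennet.ru write-up, or the Thunderspy tooling such as Spycheck), the following Python script reads the Thunderbolt state the Linux kernel exports under /sys/bus/thunderbolt/devices: each domain's Security Level from the `security` attribute and its `iommu_dma_protection` flag, plus the `authorized`, `unique_id` and `device_name` attributes of attached devices. It rates a domain as exposed whenever a PCIe tunnel can be granted without IOMMU protection, because the Security Level is exactly what the Thunderspy attacks bypass. The attribute names are those of the kernel's thunderbolt bus driver; the sample sysfs tree it builds in a temporary directory, the device names and UUIDs in it, and the risk rating itself are constructed here for illustration.

```python
"""Audit the Thunderbolt security state the Linux kernel exports in sysfs.
Added example, not from the article or the Thunderspy tooling. Assumed sysfs attributes
(kernel thunderbolt bus driver): domainX/security, domainX/iommu_dma_protection (Linux >= 5.0)
and X-N/authorized, unique_id, device_name. Real run: python3 tb_audit.py /sys (as root)."""
import os
import sys
import tempfile

# Security Levels as reported in domainX/security, with the Thunderspy-relevant caveat.
LEVEL_NOTES = {
    "none": "SL0: PCIe tunnels opened for any device without approval",
    "user": "SL1: user approval, but the device identity it trusts can be forged or cloned",
    "secure": "SL2: key-based device authentication, still defeated by firmware-level attacks",
    "dponly": "SL3: DisplayPort only, no PCIe tunnelling",
    "usbonly": "USB tunnelling only, no PCIe",
    "nopcie": "PCIe tunnelling disabled",
}
PCIE_LEVELS = {"none", "user", "secure"}  # levels under which a device can obtain a PCIe tunnel (DMA)

def _read(path, default=""):
    """Read one sysfs attribute, returning `default` if it is absent."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return default

def classify(level, iommu):
    """Only the IOMMU (Kernel DMA Protection) stops DMA once the Security Level is defeated."""
    if level not in LEVEL_NOTES:
        return "unknown"
    return "low" if iommu or level not in PCIE_LEVELS else "high"

def audit(sysfs_root="/sys"):
    base = os.path.join(sysfs_root, "bus", "thunderbolt", "devices")
    if not os.path.isdir(base):
        return []  # no Thunderbolt controller, or driver not loaded
    entries = sorted(os.listdir(base))
    findings = []
    for name in entries:
        if not name.startswith("domain"):
            continue
        dpath = os.path.join(base, name)
        level = _read(os.path.join(dpath, "security"), "unknown")
        iommu = _read(os.path.join(dpath, "iommu_dma_protection"), "0") == "1"
        finding = {"domain": name, "level": level, "iommu": iommu,
                   "risk": classify(level, iommu), "devices": []}
        prefix = name[len("domain"):] + "-"  # devices on domain0 are named 0-1, 0-3, ...
        for dev in entries:
            if not dev.startswith(prefix) or ":" in dev:  # skip retimers such as 0-1:1.1
                continue
            devpath = os.path.join(base, dev)
            authorized = _read(os.path.join(devpath, "authorized"))
            if authorized == "":
                continue  # the host router (X-0) carries no authorization attribute
            finding["devices"].append({
                "name": dev,
                "authorized": int(authorized),  # 0 = no, 1 = yes, 2 = yes with SL2 key
                "unique_id": _read(os.path.join(devpath, "unique_id")),
                "device_name": _read(os.path.join(devpath, "device_name")),
            })
        findings.append(finding)
    return findings

def report(findings):
    """Render findings as text: one line per domain, its note, then one line per device."""
    lines = []
    for f in findings:
        lines.append(f"{f['domain']}: security={f['level']} iommu_dma_protection={int(f['iommu'])} risk={f['risk']}")
        lines.append("  " + LEVEL_NOTES.get(f["level"], "unrecognised security level"))
        lines += [f"  {d['name']} authorized={d['authorized']} {d['device_name']} uuid={d['unique_id']}"
                  for d in f["devices"]]
    return lines

def build_sample_tree(root):
    """Constructed sysfs layout for offline runs: domain0 at SL1 without IOMMU protection
    (an authorized dock, an unauthorized enclosure), domain1 at SL2 with IOMMU protection."""
    base = os.path.join(root, "bus", "thunderbolt", "devices")
    sample = {
        "domain0": {"security": "user", "iommu_dma_protection": "0"},
        "0-0": {},  # host router
        "0-1": {"authorized": "1", "device_name": "TB3 Dock", "unique_id": "c8e9f4e2-1234-5678-9abc-def012345678"},
        "0-3": {"authorized": "0", "device_name": "NVMe Enclosure", "unique_id": "0a1b2c3d-0000-1111-2222-333344445555"},
        "domain1": {"security": "secure", "iommu_dma_protection": "1"},
    }
    for name, attrs in sample.items():
        os.makedirs(os.path.join(base, name), exist_ok=True)
        for attr, value in attrs.items():
            with open(os.path.join(base, name, attr), "w") as fh:
                fh.write(value + "\n")
    return root

def demo():
    return audit(build_sample_tree(tempfile.mkdtemp(prefix="tb-sysfs-")))

if __name__ == "__main__":
    result = audit(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print("\n".join(report(result)) or "no Thunderbolt domains found")
```

Run without arguments it audits the constructed tree; run as `python3 tb_audit.py /sys` it audits the live system. A domain at "user" or "secure" with `iommu_dma_protection=0` is the configuration the article describes as unfixable in software: the only effective mitigations there are the physical precautions below or disabling the controller in firmware setup.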

A Python script, Spycheck, is offered for checking whether your devices are affected; it must run as root to access DMI, ACPI DMAR and WMI data. As precautions for vulnerable systems, it is recommended not to leave the system unattended while powered on or in standby mode (in suspend-to-RAM, memory contents and disk encryption keys remain in place), not to connect untrusted Thunderbolt devices, not to leave or lend devices to strangers, and to ensure physical protection of the hardware. If Thunderbolt is not needed, disable the Thunderbolt controller in the UEFI/BIOS setup (this may also disable USB and DisplayPort ports if they are implemented through the Thunderbolt controller).

Source: opennet.ru