A set of vulnerabilities related to Thunderbolt connectivity leaves most Mac systems released in the past several years susceptible to malicious exploits, according to researchers who presented the data at the Network and Distributed Systems Security Symposium in San Diego earlier this week.
Dubbed "Thunderclap," the collective vulnerabilities take advantage of how Thunderbolt works, and specifically the privileged, low-level direct memory access (DMA) it affords. Because of the way Thunderbolt is designed, its peripherals have more privileges than regular USB devices.
"If no defenses are used on the host, an attacker has unrestricted memory access, and can completely take control of a target computer: they can steal passwords, banking logins, encryption keys, browser sessions and private files, and they can also inject malicious software that can run anywhere in the system," the researchers explain.
There is a defense component available called the Input-Output Memory Management Unit (IOMMU), which theoretically restricts a device's access to only the memory needed to do a particular job. Windows 7, Windows 8, and Windows 10 Home and Pro don't support IOMMU, and while Linux and FreeBSD do, support is not enabled by default. Out of the OSes studied, only macOS uses IOMMU out of the box.
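For Linux, where the IOMMU is supported but not on by default, the following added example (not from the article or the researchers) reports whether it is active and whether Thunderbolt domains say it is used for DMA protection. The sysfs paths are the Linux kernel's; the function names and the `--run` switch are assumptions made for this sketch.

```bash
#!/usr/bin/env bash
# Added example (not from the article): report whether a Linux host has its
# IOMMU active and whether Thunderbolt domains say DMA protection is in use.
# The sysfs paths are the Linux kernel's; the function names are made up here.

# Number of IOMMU groups; 0 means no IOMMU is remapping device DMA.
iommu_group_count() {
    local root="${1:-/sys}" n=0 d
    for d in "$root"/kernel/iommu_groups/*/; do
        if [ -d "$d" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Prints one line per finding; returns 0 only if the IOMMU is active and every
# Thunderbolt domain reports iommu_dma_protection=1.
dma_posture() {
    local root="${1:-/sys}" status=0 groups d sec prot
    groups=$(iommu_group_count "$root")
    echo "iommu_groups=$groups"
    if [ "$groups" -eq 0 ]; then status=1; fi
    for d in "$root"/bus/thunderbolt/devices/domain*; do
        [ -d "$d" ] || continue
        sec=unknown; prot=unknown
        if [ -r "$d/security" ]; then sec=$(cat "$d/security"); fi
        if [ -r "$d/iommu_dma_protection" ]; then prot=$(cat "$d/iommu_dma_protection"); fi
        echo "${d##*/} security=$sec iommu_dma_protection=$prot"
        if [ "$prot" != "1" ]; then status=1; fi
    done
    return "$status"
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--run" ]; then
    dma_posture /sys && echo "result=ok" || echo "result=review"
fi
```

A passing result only shows that the IOMMU is switched on, not that the host is safe from a malicious peripheral.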
That said, there remain "significant further vulnerabilities" that are not protected by IOMMU. As a proof-of-concept, the researchers built a fake network card that is capable of interacting with the OS in the same way as a real one.
"We found the attack surface available to a network card was much richer and more nuanced than was previously thought...On macOS and FreeBSD, our network card was able to start arbitrary programs as the system administrator, and on Linux it had access to sensitive kernel data structures. Additionally, macOS devices are not protected from one another, so a network card is allowed to read the display contents and keystrokes from a USB keyboard," the researchers said.
On the bright side, Apple in 2016 fixed the specific vulnerability that the researchers used to gain administrative access in macOS, but the researchers say "the more general scope of such attacks remain relevant."
Whether you use Thunderbolt devices or not, be careful of what you're plugging into your system.