The Register® — Biting the hand that feeds IT

Feeds

Thunderbolt: A new way to hack Macs

Blind trust turned on by default

By Dan Goodin, 24th February 2011
  • print
  • alert

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

The 10Gbit/s interconnect Apple introduced Thursday in a new line of Macbook Pros may or may not change the way the world connects external hard drives and other peripherals to their computers. But it's safe to say the newfangled copper link likely contains the same security weakness that for years has accompanied another Mac innovation: the Firewire port.

Like Firewire, the Intel-designed Thunderbolt is based on a peer-to-peer design that assigns blind trust to any device that connects through the bi-directional, dual channel interface. According to security expert Robert Graham, that gives attackers yet another chink to exploit when targeting machines that offer the interconnect.

“Imagine that you are at a conference,” Graham, the CEO of security consultancy Errata Security, writes. “You innocently attach your DisplayPort to a projector to show your presentation on the big screen. Unknown to you, while giving your presentation, the projector is downloading the entire contents of your hard disk.”

Such attacks rarely work on USB ports because they are based on a “master-slave” design. That means the computer has full access to the attached device but the attached device has limited access to the computer. Firewire and now Thunderbolt, by contrast, have full access to a Mac's entire memory.

Lest this sound like so much theoretical mumbo jumbo, Graham offers this real-world anecdote from a recent penetration testing outing:

A company gave employees laptops that were secured using all the latest technology, such as encrypted boot disks and disabled USB ports. Users weren't given admin privileges. But the Firewire ports were open. We connected a device to the Firewire port on a laptop, and broke in with administrator access. Once in, we grabbed the encrypted administrator password (the one the owner of the laptop didn't know). We cracked it using L0phtcrack. That password was the same for all notebooks handed out by the company, so we now could log onto anybody's notebook. Worse -- that administrator account was also on their servers, so we could simply log into their domain controllers using that account and take control of the entire enterprise.

Because Thunderbolt has the same unrestricted access to the computer, Graham speculates it is vulnerable to the same types of attacks.

Intel processors offer the means to significantly rein in Thunderbolt by restricting a device's access to memory locations of the computer it's attached to. But as of now, there are no indications Mac OS X makes use of this.

“With the newer Intel processors, I think it would be pretty easy” to restrict Thunderbolt's memory access, Graham tells The Reg. “I don't see any problem why they can't do it.” ®

Agentless Backup is Not a Myth

COMMENTS

House Rules Send Corrections
All Reader Comments (52)
Highly Rated
Anonymous Coward

Bit of a knee-jerk, there

The attack vector is a real concern - you do not expect it to be even physically possible for any display device to hack into the host computer.

In many presentation situations, the user doesn't even see the cable between projector and laptop - the presenter turns up, plugs the cable labelled "projector" into his computer and the image comes up on the screen so all is well. The cable usually goes into the wall/podium and vanishes from sight.

So anything could be in that data path. Anything at all - a PC running 'evil l33t hacker' tools, or a machine running legit image processing to put the image on multiple screens/projectors in some useful way.

Most of these users also need handholding for the "now enable external monitor" step, hence Windows 7 automatically enabling it in mirror mode (most of the time) these days.

With VGA, DVI-D and HDMI the back-channel is very small and limited purpose, though n HDMI and DVI the manufacturers considered the possibility of an image-processing machine and tried to make it impossible (bastards), while VGA's one-way (other than the ID/capabilities pins) so an intercept can only process the image data freely given, in a user-intended manner.

Users automatically think that a display is one-way, so won't even consider it an attack vector.

Therefore we do need assurances from Intel, Apple et al that a given fundamentally bi-directional 'display-plus-other-stuff' interconnect does have fundamental security - not just afterthoughts.

And by 'security', I don't mean the crap in HDMI preventing legitimate usage of your own data. I mean the ability of a user or IT dept to choose!

13
0
foo_bar_baz
Reply Icon

Hello, Elmer

Please add some citations or take some reading lessons.

So is this just a software bug? Does *any* operating system do "filtering" on FireWire? Reading up on the FireWire exploit it appears neither Apple nor Microsoft do. The article discusses VT-d explicitly in the Thunderbolt context. OS X doesn't use it.

They aren't "reprogramming the disk". The got the admin password.

Please point me to the article where they say USB OTG adds a remote DMA feature to USB. This is what I read:

"However, in some versions of USB (such as USB On-the-Go), the devices will negotiate who is to be master, and who is to be slave. We found a couple notebooks 6 years ago that could be broken into with USB this way."

Why do you think the exploit uses Mac Target mode? What does target mode have to do with this? This is about FireWire and Thunderbolt peripherals having full access to the host system's memory.

Quote: 'The reason this works is the trusting nature of the protocol. Your laptop sends a command across the wire saying "please write the data in my memory location XYZ". What the device on the other end is then supposed to do is send the data with an address of XYZ. But it does't have to. It can instead send data to address ABC. In other words, it can upload malware into the computer's memory and run it.'

Quote: "A hacker can walk up to your laptop while you are not looking, connect a device for a few seconds, disconnect it and walk away with your data (such as passwords). This works even when your laptop is "locked" with the password screen."

Doesn't seem like they are talking about rebooting the system in Target Mode.

Nice bunch of vague conjecture and straw men. Again, citations please.

10
1
da_fish27

"Hacking" macs

Macs, if you have physical targets, are pretty much the easiest hacking target ever, no need for FireWire or anything.

Shutdown, reboot, hold down command-S, get instant root.

11
2

More from The Register

breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
132
breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it's a Google problem - Chrome only, insists Adobe
59
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
breaking news
Yahoo! joins! rivals! in! PRISM! data! request! admission!
Keep calm and carry on using American tech firms, folks
41
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
breaking news
'BadNews is malware' says outfit that found it
Google says code harmless but Lookout says code base is evolving
15