Thunderclap Vulnerability Affects Peripheral Devices

Hackers have weaponized peripheral devices to launch their attacks. The vulnerabilities, dubbed Thunderclap, have been spreading, affecting Apple devices by exploiting Apple’s Thunderbolt port.

Thunderbolt is a hardware port created through a collaboration between Apple and Intel to allow external peripherals to connect to Apple devices.

The vulnerabilities were found by a team of researchers from the University of Cambridge, Rice University, and SRI International. According to them, the flaws affect laptops and desktops made by Apple since 2011, except for the 12-inch MacBook. Further, Windows and Linux systems released since 2016 that support USB Type-C ports are also affected.

The Thunderclap flaws exist because of the design and implementation of the Thunderbolt port. Hackers take advantage of an OS design that grants any newly connected peripheral direct memory access (DMA) on the device. Malicious actors design malicious peripherals that, when connected to the Thunderbolt port, run normally but also run malware in the background, thus gaining access to private data, files, passwords, banking logins, and web history without any restrictions. Additionally, attackers can inject any malicious code into the users’ machines.

The malicious peripherals are built with compromised PCI Express plug-in cards or chips that are soldered to the motherboard.

Further, the vulnerability goes undetected by older security features implemented in the early 2000s by Apple. The feature, the input-output memory management unit (IOMMU), stops malicious peripherals from accessing the OS memory. The malware is able to get past the security feature because the operating systems automatically disable it.

Researchers notified vendors of the vulnerabilities in 2016 and worked alongside them to fix them. Vendors have begun addressing the vulnerabilities and have released security updates. Microsoft has issued IOMMU with all devices shipped with Thunderbolt ports since 2018. Any Microsoft devices released with USB-C before 2018 should be upgraded to the latest firmware. To protect yourself from Thunderclap, it is crucial to install these updates. Users should also be wary when leaving their devices unattended in public spaces and when connecting unknown devices to the Thunderbolt port.
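
On a Linux host, a defender can check whether an IOMMU is active and how Thunderbolt devices are authorized. The script below is an added example, not code from the researchers or from this article; the `root` argument is a hypothetical parameter that lets the check run against a constructed directory tree, and treating any entry under `/sys/class/iommu` as "IOMMU active" is an assumption of this example.

```shell
#!/bin/sh
# Added example: report DMA-protection posture from Linux sysfs.
# The optional ROOT argument (hypothetical) prefixes every path so the
# functions can be pointed at a constructed tree; empty means the live host.

# iommu_active [ROOT] -> exit 0 if the kernel registered at least one IOMMU
iommu_active() {
    root="${1-}"
    for d in "$root"/sys/class/iommu/*; do
        [ -e "$d" ] && return 0
    done
    return 1
}

# tb_security_levels [ROOT] -> one "domainN=level" line per Thunderbolt domain
tb_security_levels() {
    root="${1-}"
    for f in "$root"/sys/bus/thunderbolt/devices/domain*/security; do
        [ -r "$f" ] || continue
        dom=$(basename "$(dirname "$f")")
        printf '%s=%s\n' "$dom" "$(cat "$f")"
    done
}

# dma_posture [ROOT] -> prints findings; exit 0 = no weak setting, 1 = weak
dma_posture() {
    root="${1-}"
    rc=0
    if iommu_active "$root"; then
        echo "OK   IOMMU registered with the kernel"
    else
        echo "WEAK no IOMMU registered (check firmware and kernel settings)"
        rc=1
    fi
    # Security level "none" means devices are connected without approval.
    for line in $(tb_security_levels "$root"); do
        case "${line#*=}" in
            none) echo "WEAK $line (devices connect without approval)"; rc=1 ;;
            *)    echo "OK   $line" ;;
        esac
    done
    return $rc
}
```

Calling `dma_posture` with no argument after sourcing the script checks the running system; a non-zero exit status marks a host that needs attention.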

The team of researchers stated:

“In macOS 10.12.4 and later, Apple addressed the specific network card vulnerability we used to achieve a root shell. However the general scope of our work still applies; in particular that Thunderbolt devices have access to all network traffic and sometimes keystrokes and framebuffer data….. however the more complex vulnerabilities we describe remain relevant.”

