Dongle Danger: Operating Systems Don't Defend Memory
Researchers Say Connecting to USB 3 Devices Could Lead to Data Theft
Windows, MacOS and Linux operating systems don't sufficiently protect memory, making it possible for a fake network card to sniff banking credentials, encryption keys and private files, according to new research.
The weaknesses, collectively called Thunderclap, highlight a new class of threats posed by malicious peripherals. The research has been in the works since 2016, and Apple is one of several vendors that have issued software updates as a result.
The work focused on the Thunderbolt 3 data transfer standard over USB Type-C connectors. Although operating systems are supposed to only allow a peripheral to have direct memory access for the resources it needs, researchers found that this defense isn't implemented effectively to prevent data theft. The research also covered PCI Express, or PCIe, an older set of device connection and data transfer protocols.
Stealing data this way would require physical access to a device. "The combination of power, video and peripheral-device DMA over Thunderbolt 3 ports facilitates the creation of malicious charging stations or displays that function correctly but simultaneously take control of connected machines," the researchers write.
The research paper from the University of Cambridge, Rice University and SRI International was presented on Tuesday at the Network and Distributed Systems Security Symposium in San Diego. It was co-authored by A. Theodore Markettos, Colin Rothwell, Brett F. Gutstein, Allison Pearce, Peter G. Neumann, Simon W. Moore and Robert N.M. Watson.
Memory Defenses Down
In contrast to regular USB ports, USB-C ports have higher privileges and low-level access to a device. To guard against malicious access, the Input-Output Memory Management Unit, or IOMMU, acts as a gatekeeper for access to the memory.
But the researchers found that most systems don't use the IOMMU out of the box; MacOS is the exception. Linux and FreeBSD support it, but it is not enabled by default. The Home and Pro versions of Windows 7, 8 and 10 don't support it. The enterprise version of Windows 10 "can optionally use it, but in a very limited way that leaves most of the system undefended," they write.
"This state of affairs is not good, and our investigations revealed significant further vulnerabilities even when the IOMMU is enabled," according to the researchers.
The testing involved creating a fake network card that interacted with operating systems the same way as a real one. The researchers extracted a software model of an Intel E1000 network adaptor from the QEMU open-source system emulator and ran it on a field-programmable gate array.
Then the researchers observed what the fake network card could see, which disturbingly included plaintext data over a VPN and traffic from Unix domain sockets.
On MacOS and FreeBSD, it was possible to start arbitrary programs as a system admin. On MacOS, the fake card could read keystrokes coming from a USB keyboard. On Linux, it had access "to sensitive kernel data structures," the researchers write. "Worst of all, on Linux, we could completely bypass the enabled IOMMU simply by setting a few option fields in the messages that our malicious network card sent."
Fixes in the Pipeline
The research has been ongoing since 2016, and vendors have been issuing mitigations. But the researchers warn the newly discovered risk represents a new space of vulnerabilities, and others may lurk.
"We believe that all operating systems are vulnerable to similar attacks and that more substantial design changes will be needed to remedy these problems," the researchers write. "We noticed similarities between the vulnerability surface available to malicious peripherals in the face of IOMMU protections and that of the kernel system call interface, long a source of operating system vulnerabilities."
In 2016, Apple fixed a vulnerability that the researchers had exploited to gain administrator access in MacOS version 10.12.4.
Improvements for Windows have also been made. For laptops that ship with Windows 10 version 1083, the IOMMU is enabled within a feature called Kernel DMA Protection for Thunderbolt 3, the researchers note. But the protection doesn't extend to PCIe. Older Windows machines that shipped before version 10833 are still vulnerable.
Intel has also developed Linux patches to turn on IOMMU for Thunderbolt devices, which will be wrapped into the forthcoming 5.0 Linux kernel.
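Whether the IOMMU defends memory at all depends on it being switched on and not left in a passthrough configuration, which is the point behind both the per-OS defaults described earlier and the Linux Thunderbolt patches mentioned here. The script below is an added example, not code from the article or from the Thunderclap researchers: it reads the standard Linux interfaces for this state (the kernel command line in /proc/cmdline, the IOMMU group directories under /sys/kernel/iommu_groups, and the Thunderbolt domain security attribute under /sys/bus/thunderbolt/devices) and reports whether DMA isolation is in force. The command-line samples it classifies are constructed; the kernel parameter names and sysfs paths are the usual Linux ones.

```shell
#!/bin/sh
# Added example (not from the article or the Thunderclap authors): report
# whether a Linux host has the IOMMU engaged and how its Thunderbolt
# controller is configured. Read-only; safe to run on a live machine.

# Classify a kernel command line by its IOMMU-related parameters.
# Prints one of: off, passthrough, on, default.
# Returns 0 only when DMA isolation for kernel-owned devices is requested.
iommu_cmdline_status() {
  padded=" $1 "
  case "$padded" in
    *" intel_iommu=off "*|*" amd_iommu=off "*|*" iommu=off "*)
      echo off; return 1 ;;
    *" iommu=pt "*)
      # Hardware is enabled, but devices owned by kernel drivers get an
      # identity mapping, so they are not isolated from system memory.
      echo passthrough; return 1 ;;
    *" intel_iommu=on "*|*" amd_iommu=on "*|*" iommu=force "*)
      echo on; return 0 ;;
    *)
      # Nothing explicit: the outcome depends on the kernel's built-in
      # default, so inspect sysfs (see live_report) before trusting it.
      echo default; return 1 ;;
  esac
}

# Classify a Thunderbolt domain security level as read from
# /sys/bus/thunderbolt/devices/domainN/security.
#   none    : every attached device gets PCIe (and thus DMA) immediately
#   dponly  : only DisplayPort tunnelling, no PCIe
#   usbonly : only a USB controller is exposed, no general PCIe
#   user    : PCIe tunnels open only after the user authorises the device
#   secure  : as user, plus a per-device key challenge
# Returns 0 for a level that withholds unconditional PCIe access.
tb_level_ok() {
  case "$1" in
    user|secure|dponly|usbonly) return 0 ;;
    none) return 1 ;;
    *) return 2 ;;
  esac
}

# Inspect the running system.
live_report() {
  if [ -r /proc/cmdline ]; then
    printf 'kernel cmdline IOMMU setting: %s\n' \
      "$(iommu_cmdline_status "$(cat /proc/cmdline)")"
  fi
  # The kernel populates one directory per IOMMU group only when an IOMMU
  # is actually active, so an empty or missing directory means no isolation.
  if [ -d /sys/kernel/iommu_groups ] && \
     [ -n "$(ls -A /sys/kernel/iommu_groups 2>/dev/null)" ]; then
    echo "IOMMU groups present: IOMMU is active"
  else
    echo "no IOMMU groups: IOMMU inactive or unsupported"
  fi
  for dom in /sys/bus/thunderbolt/devices/domain*; do
    [ -r "$dom/security" ] || continue
    lvl=$(cat "$dom/security")
    if tb_level_ok "$lvl"; then verdict=ok; else verdict=WEAK; fi
    printf 'Thunderbolt %s security level: %s (%s)\n' \
      "$(basename "$dom")" "$lvl" "$verdict"
  done
}

# Constructed sample command lines, to show the classifier without
# depending on the host.
for sample in 'root=/dev/sda1 intel_iommu=on' \
              'intel_iommu=on iommu=pt quiet' \
              'quiet splash'; do
  printf '%-36s -> %s\n' "$sample" "$(iommu_cmdline_status "$sample")"
done

live_report
```

Passthrough is reported as its own category rather than folded into "on" because `iommu=pt` leaves exactly the devices a malicious peripheral would impersonate (a network card bound to a kernel driver) with an identity mapping of system memory. A Thunderbolt security level of `none` is flagged as weak because it hands a newly plugged device a PCIe tunnel, and therefore DMA, without any user decision.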
But until there's a more uniform implementation across operating systems for IOMMU, the advice from the researchers is familiar: "We advise users to update their systems and to be cautious attaching unfamiliar USB-C devices to their machines - especially those in public places."