Macs, PCs Vulnerable to Thunderbolt Hack: What to Do

If you use the Thunderbolt ports on your Mac, Windows PC or Linux box, be very careful about what you plug into them.

Credit: Thunderclap.io

(Image credit: Thunderclap.io)

At the Network and Distributed System Security Symposium in San Diego yesterday (Feb. 26), academic researchers revealed a wide-ranging, deep-rooted set of vulnerabilities that lets malicious devices get full control of machines via their Thunderbolt ports.

Dubbed "Thunderclap," the flaws let attackers steal sensitive data such as passwords, encryption keys or financial information, or run malicious code on the system. The best Mac antivirus software and other traditional protections won't help.

"All Apple laptops and desktops produced since 2011 are vulnerable, with the exception of the 12-inch MacBook," the researchers write in a FAQ  explaining the flaws. "Many laptops, and some desktops, designed to run Windows or Linux produced since 2016 are also affected."

For the moment, the most prudent thing to do is to disable Thunderbolt protocols in your computer's BIOS or UEFI settings, if you know how to do that. Otherwise, don't plug any device you don't control into your Thunderbolt ports, even USB-C chargers or projectors or someone else's phone that might need a charge.

MORE: Best Antivirus Software

The Thunderbolt protocol, developed by Apple and Intel, lets USB-C and Mini DisplayPorts transmit power and video as well as data. You can often spot designated Thunderbolt ports on a Mac or PC by the tiny lightning-bolt icon printed next to them.

Thunderbolt is what lets newer MacBooks charge their own batteries, connect to outboard displays and transmit data to peripherals from a single port. PCI Express cards can also use Thunderbolt, but a PC's firmware would need to be tampered with before a Thunderclap attack from a PCI-E card would work.

To do all those things, the Thunderbolt protocol has deep access to the computer's inner workings, much more than regular ports, such as USB, have. Specifically, Thunderbolt peripherals get direct memory access (DMA), the ability to write directly to a PC's running memory without going through the operating system. That creates an opportunity for malicious hackers.

"Thunderbolt can allow potentially malicious devices to hotplug into a running machine and obtain direct memory access," the Thunderclap FAQ states. "Furthermore, the confusion of power, video, and DMA facilitates the creation of malicious charging stations or projectors that take control of connected machines."

PC makers can beef up Thunderbolt security somewhat with features called input-output memory management units (IOMMUs), but IOMMUs slow down Thunderbolt speed and are hence disabled by default on Windows (from Windows 10 1803 onward) and Linux machines.

Macs have IOMMUs turned on, but the researchers found that Apple's implementation of IOMMUs only partly shielded against attacks. In any case, even PCs and Linux boxes with IOMMUs enabled are still vulnerable to Thunderclap.

The researchers, from the University of Cambridge, Rice University, and SRI International, told the PC makers about the Thunderclap problems nearly three years ago, and the PC makers have been trying secretly to mitigate it ever since. Clearly, they haven't been completely successful.

This isn't the first security problem involving Thunderbolt ports. In 2014, a researcher developed proof-of-concept malware called Thunderstrike that could leap from one Mac to another using Thunderbolt devices. That flaw was fixed with an update to Mac OS X 10.10 Yosemite. A second version called Thunderstrike 2 followed in 2015, but was also quickly shut down by Apple.

If you'd like more information about Thunderclap, a more detailed blog posting is here and academic papers are here and here. Software and schematics for creating your own Thunderclap hacking device are on Github.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.