Feeds

back to article Thunderbolt: A new way to hack Macs

The 10Gbit/s interconnect Apple introduced Thursday in a new line of Macbook Pros may or may not change the way the world connects external hard drives and other peripherals to their computers. But it's safe to say the newfangled copper link likely contains the same security weakness that for years has accompanied another Mac …

COMMENTS

This topic is closed for new posts.

Page:

FAIL

Elmer, the FUD guy...

The problem he is alluding to is a bug in some software which leaves the firewire dma controller unfiltered. That is, requests go straight through it to the system memory. This mechanism, Remote DMA, is a feature of other external busses, such as IB.

It has nothing to do with USB's brain damaged asymmetry, nor does OTG add a remote DMA feature to USB. It is USBs requirement that software intercept every transaction that keeps it out of this trap; however most USB implementations are sufficiently buggy that you can find other ways to induce troubling behaviour.

As for reading the disk, you would either need to have the aforementioned flaw in your OS, and understand enough about the system layout in order to reprogram the disk to dump its contents. Possible, but a bit odd. Elmer is likely referring to something like "Target Mode", a feature of Mac Roms since the original 128K Mac. By holding down <magickey>-T at startup, the computer becomes a Target Mode disk. The terminology is left over from SCSI, and permits a handy way to setup a new machine based upon an older one; or recover a broken machine.

Target mode is, of course, subservient to the ROM password; but Elmer likely knew that too. His scenarios are pretty lame.

Keep up the good fact checking; soon you'll be on par with Fox.

12
16
Thumb Down

Hello, Elmer

Please add some citations or take some reading lessons.

So is this just a software bug? Does *any* operating system do "filtering" on FireWire? Reading up on the FireWire exploit it appears neither Apple nor Microsoft do. The article discusses VT-d explicitly in the Thunderbolt context. OS X doesn't use it.

They aren't "reprogramming the disk". The got the admin password.

Please point me to the article where they say USB OTG adds a remote DMA feature to USB. This is what I read:

"However, in some versions of USB (such as USB On-the-Go), the devices will negotiate who is to be master, and who is to be slave. We found a couple notebooks 6 years ago that could be broken into with USB this way."

Why do you think the exploit uses Mac Target mode? What does target mode have to do with this? This is about FireWire and Thunderbolt peripherals having full access to the host system's memory.

Quote: 'The reason this works is the trusting nature of the protocol. Your laptop sends a command across the wire saying "please write the data in my memory location XYZ". What the device on the other end is then supposed to do is send the data with an address of XYZ. But it does't have to. It can instead send data to address ABC. In other words, it can upload malware into the computer's memory and run it.'

Quote: "A hacker can walk up to your laptop while you are not looking, connect a device for a few seconds, disconnect it and walk away with your data (such as passwords). This works even when your laptop is "locked" with the password screen."

Doesn't seem like they are talking about rebooting the system in Target Mode.

Nice bunch of vague conjecture and straw men. Again, citations please.

10
1
Silver badge

@Steve McPolin re. IB and RDMA

I do not agree with your comparison between Firewire and Infiniband.

Let me say that I am not an Infiniband programmer, but I do support HPC systems using IB and RDMA. Having said that, I do understand, IMHO, a bit about how RDMA is implemented, at least on the UNIX systems I support.

RDMA is a way for a one-sided communication (amongst other things), that allows a system (A) to perform a memory operation in another system's (B) memory space without the involvement of the second system's OS. But that does not mean that the system B is completely divorced from the transfer process, nor does it mean that A has full, unrestricted access to B's memory.

Before an RDMA operation can be performed in IB on UNIX, system B has to set up a memory region, and also set up an access window to that region to allow system A to use it. System B is then given access to that region without B's involvement, but cannot (as long as there is no flaw in the HW/FW/SW stack) go outside that region.

This means that it is perfectly possible to have the benefits of RDMA without compromising the security of the entire OS, and if a long-term window is set up (say, for an HPC type workload that runs for some time and uses the window for many transfers), the involvement of the OS on B is limited to setting up the window at the beginning, and breaking it down at the end of it's use.

Now I do not know whether Thunderbolt has this ability, or if it has, whether it is configured and used in MacOS, but just because RDMA is available does not mean that the system is completely compromised.

From what I read about Firewire (and this is just from the Web), the default was that RDMA was turned on, and was not limited by default. This is really the flaw, and could almost certainly be addressed by careful system administration, but if you don't know what to fix, you won't do it. I have heard other stories from various Web resources that Firewire really did have this flaw, and that it could really be exploited by plugin hardware. Even if the quoted example illustrates flawed system administration, just think how much useful information can be gleaned from direct access to the memory of a system.

Unfortunately, the good ideas of the hardware engineers do not always match with the requirements of real-world environments. But you would have thought that someone in the driver design process would have gone "..Hang on a minute, don't you think that this is opens a security hole...", but then I have seen too little joined up thinking in large organizations recently. Too many people still think that a PC is personal.

I reserve my judgement on Thunderbolt until there is more information.

6
0
Silver badge

Re: FUD

Target disk mode is very similar to taking the hard drive out the laptop and connecting it to another computer as a second drive. It is well known that if you have physical access to a machine, you can access its contents, and you need to encrypt them to keep them safe.

3
0
Gold badge

@jonathanb

Yes it's true that with physical access to a device you usually can get into it.

If you are sitting near my laptop and start trying to take out the HDD, you will find yourself swallowing my fist, because I won't stand for it.

However, if I plug my laptop into a projector, how am I to know that it is virtually taking out the HDD? (By the way my laptop has full-disk encryption that requires the key before it even boots, but once it has the key, reading the disk is unencrypted)

4
0
Silver badge

@BristolBachelor

To use target disk mode, you need to reboot the machine and press Cmd-T at the EFI boot screen, then your macbook is working like a very expensive Firewire drive. You would not be able to do your presentations at the same time.

1
0
Ogi
Thumb Up

Excellent!

One thing I loved about Firewire was it's ability to do remote direct memory access (RDMA). In fact I used this for fast, low latency transfer from different machines.

It brought (for cheap) the ability to do RDMA, something that you'd have to shell out $$$$ for in the form of infiniband for HPC.

Coupled with the fact that I could transfer at high speed between two disks with no CPU usage, complete with daisy chaining. I felt it really was the superior standard compared to USB. I really missed it when USB "won" over FW (I still have a lot of FW400 equipment that I use).

So the idea that lightpeak might have provided us with a consumer grade equivalent to infiniband, with 10gb/s throughput. Something that gives all the benefits of FW, but with new tech.

I'm all for it! The security concerns are not a big deal (even with the old FW, you could disable remote DMA if it was a problem, rendering this attack useless). USB was a POS when was released (although good for it's original niche, which was replacing serial/parallel ports/ps2), let alone now.

7
2
FAIL

So let me get this right...

You attempted to make an article, and issue, out of what is likely a non-issue? Having a little experience with Firewire AND having read the scant details of the penetration I would guess that said laptops had Firewire networking enabled. Also, local admin account having the same credentials as the network admin account?! REALLY?! It sounds like this guy is trying to make a story & get some free PR out of nothing.

5
15
Thumb Down

Hello again, Elmer

So I should trust your "guess" over a security expert?

You've got "a little" experience with FireWire and you "would guess that said laptops had Firewire networking enabled". Well, guess what. You should read:

http://simonhunt.wordpress.com/2009/09/14/firewire-attacks-revisited/

Look at "Defending against this attack." Is there a point saying "disable Firewire networking"? I don't see one.

3
2
g e
Silver badge

Will you also build my website?

Hey Elmer -

I have a copy of the website here which my 12-year-old nephew has made in Word and he says it's very easy for you to turn it into a secure ecommerce-enabled multilingual site.

I can't pay you but I will tell everyone you did this and you will make lots of money from it

Thanks.

2
3
Troll

Guessing Games

"So I should trust your "guess" over a security expert?"

The "security expert" is guessing too. There isn't a single fact in this article, it's all speculation and FUD. Explains all the trolls, I suppose, they hate facts.

1
2
Silver badge
FAIL

Gimme a break

The TB cable limit is 3ft. If you can hack through that, you've got a lot more problems than an open port. Physical access to the box buys you a lot. Not much different from pulling the CMOS battery and resetting the BIOS password on a PC. Get real.

6
12
FAIL

lol

>Implying that you can actually reset a BIOS Password that is stored in NVRAM

Me thinks it's time to update that old bit of Iron down in your Basement man...

3
0
Go

Different attack

Different attack

If you reset the password nowdays it gets you nowhere. Most laptop disks are encrypted.

This is the equivalent to the "fake network adapter" PCMCIA card attack which was used by people with enough resources before the laptops stopped having anything but USB. You pretend to be a well known adapter for which the laptop has drivers for example Intel Ether Express Pro. Once the laptop enables the card you start using BDMA from the card side to copy all of the laptop RAM. Once done, unplug.

1
0
Anonymous Coward

Um...

Just because the cable limit is 1m doesn't mean you need physical access.

Just saying. Before anyone jumps down my throat I would like to point out I don't really have an opinion either way on this.

Seems a lot of folk are getting quite wound up about it though. It's almost as if they had some kind of emotional attachment to Apple products.

5
1
Bronze badge
Thumb Down

Physical access

Bear with me as it is friday afternoon, but....

"Just because the cable limit is 1m doesn't mean you need physical access"

Hows that gonna work?

Surely, if it's the port that casues the 'security hole' then you need to be plugged into said port to do any 'hacking'. In turn, being plugged into the port requires physical access.

Unless you are implying that you could compromise a device, and wait and hope for someone to come and connect to it?

Please correct me if i have missed some massively important part of the process which

"doesn't mean you need physical access"

0
0
Pint

Got it in one

>Unless you are implying that you could compromise a device, and wait and hope for someone to come and connect to it?

Pretty much. Only it wouldn't necessarily be a case of waiting and hoping. If you are contemplating an the sort of attack being discussed then chances are you have a specific target machine in mind, meaning you know where it's going to turn up.

But yeah, I was just pointing out that it's not impossible.

1
0
FAIL

Stupid article

"Oooh, oooh, i got an idea for an article to generate web traffic!"

"What is it?"

"Say that a new interconnect has a back door to allow unfettered access"

"Hmmm.. how do you think it would work?"

"Well, I've not seen the technology, nor have any idea how it works, but why does that matter?"

"You're right! Post it!"

Seriously, what a stupid article. No facts, not even a supposition of facts. If TB is strictly a tunnel for PCI-Express and DP, as is currently indicated, then how in the world can you assume it introduces a new back door?

Do you people even do any work other than cleaning the cheetos dust off your fingers before typing?

15
17

Cheeto dust?

Does anyone who knows the Register staff only from their postings and pictures actually imagine them washing their hands, let alone bathing?

1
0
Alert

When's the last time you connected random PCI Express kit?

PCI Express would have the exact same issue, except for one small detail: most people don't usually plug random untrusted hardware they don't own into your PCI Express slots. Now Thunderbolt has come along and potentially exposes PCI Express functionality - including the ability to take over your system - every time you plug in an external monitor or projector cable.

3
0

"Hacking" macs

Macs, if you have physical targets, are pretty much the easiest hacking target ever, no need for FireWire or anything.

Shutdown, reboot, hold down command-S, get instant root.

11
2
Bronze badge
Boffin

"Hacking" ? Surely you mean "Cracking"!

By default, true - you can change that though (force guy to enter root password).

You can also reset the root password with any Mac OS X DVD ...

But Windows is not that much harder with a livecd ...

Then again, physical access means your doomed anyway - unless you have good encryption.

1
1
FAIL

Yes...and squirrels riding deer on the street is a danger

I, for one, am going to stop driving.

And no more Macs for me. It just isn't worth the risk of having pictures of my kids captured by a projector modified by Chinese spies.

13
8
Thumb Up

Well I thought there was a point or two worth making

I dont pretent to fully understand the technical bits about memory access, although it seems that there is something which should be disabled (perhaps only partly) by default, and I'd have liked my attention drawn to this if I were to buy one for the company. Not every company can afford an IT person who is a properly qualified graduate with endless courses, some of us struggle along with limited knowledge due to factors beyond our control.

The issue about the common admin password is worth a mention. Its not Apple's fault, but its a significant weakness, for the very reason that its at more risk due to going out of the office, the one laptop we have here has a totally different password to either the admin network login or the local one (that is admittedly common) on the static PCs.

1
0
IT Angle

Can we stop calling it thunderbolt?

i know that apple have named it "thunderbolt" but its just gonna cause confusion, since its actually called/codenamed "Light Peak" by intel.

Here is 2 other reasons why the name should be dropped.

1. the name "thunderbolt" to me, reminds me of a youtube video of a bunch of larpers in some woods throwing bean bags at each other shouting "thunderbolt".... (bad enuff eh?)

2. the symbol to me looks like a hazard "do not touch - High voltage" warning sign. which is gonna cause confusion if say, i bought my grandma one. (me - "gran just stick the device into the thunderbolt socket!" Gran- "im not goin anywhere near that, i may get a shock! look its got a warning sign!")

0
1

Not Apple...

It turns out Intel rebranded it when they decided to go electrical....

http://forums.theregister.co.uk/forum/1/2011/02/24/intel_thunderbolt/

3
0
Joke

RE: Can we stop calling it thunderbolt?

"2. the symbol to me looks like a hazard "do not touch - High voltage" warning sign. which is gonna cause confusion if say, i bought my grandma one. (me - "gran just stick the device into the thunderbolt socket!" Gran- "im not goin anywhere near that, i may get a shock! look its got a warning sign!")"

All the better reason maybe some retarded mac users will confuse the high voltage signs with thunderbolt access ports and remove themselves from the gene pool ;)

3
2
FAIL

Fail

"i know that apple have named it "thunderbolt" but its just gonna cause confusion, since its actually called/codenamed "Light Peak" by intel."

Apple (note the capital A) didn't name it anything. It's called Thunderbolt (note the capital T). You should try reading some tech news occasionally, Light Peak was it's code name.

1
0
Big Brother

Bit of a knee-jerk, there

The attack vector is a real concern - you do not expect it to be even physically possible for any display device to hack into the host computer.

In many presentation situations, the user doesn't even see the cable between projector and laptop - the presenter turns up, plugs the cable labelled "projector" into his computer and the image comes up on the screen so all is well. The cable usually goes into the wall/podium and vanishes from sight.

So anything could be in that data path. Anything at all - a PC running 'evil l33t hacker' tools, or a machine running legit image processing to put the image on multiple screens/projectors in some useful way.

Most of these users also need handholding for the "now enable external monitor" step, hence Windows 7 automatically enabling it in mirror mode (most of the time) these days.

With VGA, DVI-D and HDMI the back-channel is very small and limited purpose, though n HDMI and DVI the manufacturers considered the possibility of an image-processing machine and tried to make it impossible (bastards), while VGA's one-way (other than the ID/capabilities pins) so an intercept can only process the image data freely given, in a user-intended manner.

Users automatically think that a display is one-way, so won't even consider it an attack vector.

Therefore we do need assurances from Intel, Apple et al that a given fundamentally bi-directional 'display-plus-other-stuff' interconnect does have fundamental security - not just afterthoughts.

And by 'security', I don't mean the crap in HDMI preventing legitimate usage of your own data. I mean the ability of a user or IT dept to choose!

13
0
Anonymous Coward

Single user

"Shutdown, reboot, hold down command-S, get instant root."

Only if it has no firmware password set, which is unlikely in the enterprise/schools/hospitals etc..

1
0
FAIL

Unlikely? Really?

IBM

Avaya

Siemens

Nortel

BT

Telmex

are just some of the companies where I've seen computers with no firmware password set and, in some cases, no IT policy on the matter. Besides which, in such large companies, how do IT enforce such a policy? If they install every single machine themselves AND If they set a firmware password on each machine AND they never let that password out to anyone AND they change it each time an IT employee who knows it leaves AND no one thinks about resetting NVRAM, then you might be right.

0
1
FAIL

And, er...

None of those companies listed are Mac shops... So your point?

0
0

Re: Single user

I have yet to see a person with a mac who has a firmware password set, and/or knows how to set one.

By contrast, most of people I know who use Windows/Linux (even the non-geeks) have BIOS passwords.

1
1
Thumb Down

Administrative overhead

The purpose of all those servers I assume is to run the business and the business of the business if to make money. Imagine the CIO walking into the CEOs office of a large fortune 500 company and explaining that a large % of the thousands of servers will be offline once in a while to reset firmware password each and every time an IT employee leaves the company.

0
0
Bronze badge
Grenade

Microsoft-only Shops & Security

"Worse -- that administrator account was also on their servers, so we could simply log into their domain controllers using that account and take control of the entire enterprise."

I have been to many companies over the course of my career, yet only two Microsoft-only shops.

The first found it very smart to choose the former company name as an admin password across the board (local admin, enterprise amin ... name it) and tell it to me - I never ask for passwords and look away ostensibly when client types them.

The second, different country, the lady saw that I was turning my back on her while she was typing the password ... yet sticky fingers made her make many typos (I am irresistible) ... not only did she say the password aloud, she also whispered that they had "sync'ed" all passwords across all systems to this word, which was the name of their lead product (it contained numbers and letters, but still).

If you are in a Microsoft-only shop, ask yourself some questions ... ;-)

PS: Both shops were in so called "latin" countries ... I would never see this in Germany, The Netherlands or UK ;-)

0
0
Anonymous Coward

Security carelessness predates Microsoft shops

The legacy is older than that -- Microsoft just made it fashionable. Many years ago, I worked in a Vaxen shop. A new DEC service rep've came calling whem both sysadmins were out. He complained bitterly that he could not log into the Field Service account (Name: "field", Password: "service").

0
0
FAIL

FUD nonsense

What's this FUD nonsense. Before the products are even available to the public El Reg manages to dig up an "expert" and without the slightest due diligence, trashes the product and technology.

They speculate but they present it as accomplished fact.

Bad journalism

1
2
WTF?

So I read the whole article based on a speculation ?

come back when you are sure.

5
1
Anonymous Coward

Paid by the times "Thunderbolt" mentioned?

5 thunderbolt articles in one day? What is this, blanket advertising?

1
1
FAIL

@Hans 1

You think that's bad?

The door code for Jazz FM's front and rear doors used to be 1022 FFS...

0
0
Anonymous Coward

This title is not a title and while being treated as such, should not be refered to as a title.

You think that's bad? Remember when I auditioned to be David Hasselhoff's car?

0
0

Enable EFI password, would-be luser

On a Mac, enabling the EFI password will disable DMA on Firewire, and provided that Apple don't screw up, this should carry over to Thunderbolt. Apple fixed this vector three years ago. So did Linux (options ohci1394 phys_dma=0). Last I heard Windows was still vulnerable if the Firewire driver is enabled, but others more current with Windows host security may know of mitigation techniques.

For most applications, disabling the computer's DMA has little effect on performance since DMA is still enabled on the rest of the device chain where it is needed.

Thunderbolt DMA is a valid concern and it would certainly be worthwhile for an actual security lab to investigate this when they get their hands on a current generation MacBook Pro, but the source article is worthless fear-mongering based on historical vulnerabilities for which mitigation strategies exist.

3
0
Silver badge
Jobs Halo

However,

You're missing the point. Sure it's just FUD, but it's also a chance to mock Apple & say "See how clever we are:- we can direct you to vulnerabilities on a product we haven't seen or used yet. Yes, we've done as much research as News International have - now if only we can hack into Apple employees' voicemail..."

Facts aren't important when there are egos to be boosted, and a chance for self-aggrandisement...

0
1

The only part we need to read here

"...Graham speculates it is vulnerable..."

"...speculates..."

3
0
Boffin

letters and/or digits.

A lot of the comments on this article seem exceptionally short sighted. When discussing a new technology is it not wise to discus security problems that arose with those that came before it and theorise about how they may carry over to the new tech if changes are not made?

0
0
Pint

You have bigger issues to deal with!

"broke in with administrator access. Once in, we grabbed the encrypted administrator password (the one the owner of the laptop didn't know). We cracked it using L0phtcrack."

I thought "L0phtcrack" was a hacking tool for Windows only, plus isn't that Donkey's old?

"That password was the same for all notebooks handed out by the company, so we now could log onto anybody's notebook. Worse -- that administrator account was also on their servers, so we could simply log into their domain controllers using that account and take control of the entire enterprise."

Sorry if your admins are putting the same admin password on laptops as well as desktops AND the domain accounts on your infrastructures servers, you have some very serious issues to deal with already, not least of which is going to be where the hell to hire a brand new IT department as you will be firing your old one in the next 15 seconds!

Root level passwords for production servers in corps should never be known by the IT staff, only the security officers. Kept in fire safes, they should be available 24 hours in emergencies but never ever used day to day. If everyone knows your root level passwords and logins, how the hell do you maintain audit trails without use of unique user accounts? I work in a tinpot little finance house, we maintain these security measures surely bigger corps must be able to?!

0
0

Ah. Someone who actually knows about security policy!

I agree - and I have worked as an IT security officer. If you are sane, you do NOT give admins unfettered root access. Ever. You make them apply for it on a per-server basis, you make them justify why they need it, what business case they have for access, and to specify how long they will need it - and you limit their access using whatever tools you have available (access tokens, temporary LDAP permissions, that sort of thing; as a last resort, you might actually hand them the real root password for that system if you are convinced they need it - and full responsibility for that system is transferred to the admin in question, until the work is complete and the password is changed).

In the event of an emergency, you keep copies in tamper-evident envelopes in at least one fire safe kept only in (a) controlled area(s) - which is/are inspected once at the beginning of each shift (three times a day.) So if root access is needed in an emergency, it can be obtained without the usual bureaucracy - but a good explanation will be required afterward.

0
0
Thumb Down

"Secure"

Sigh! The excitement was good while it lasted. I'm sure security gurus will find a way to make the technology more secure and therefore more complicated and less useful to consumers. You know, like Wi-Fi security.

Or maybe we could do what we have always done when it comes to security. Ignore the "theoretical threats" and focus on the more likely threats.

Have Windows? Then better have updated anti-virus.

Got a Mac or Linux? Don't sweat it so much.

Got home Wi-Fi in a "dense" community? Turn on WPA. MAC filtering and SSID hiding? Waste of time and effort.

Connecting external unknown devices to your computer at a tech conference? You are a fracking idiot!

Leaving your computer unattended so that the attack can hack into your FireWire/Thunderbolt connection in a just a few seconds? Yes, go ahead and be stupid.

So let's sit here and worry about all the possible scenarios we can come up with regarding every piece of tech on the planet. Because, you know, we all just want to get to that place called, "secure".

1
1
WTF?

@BristolBachelor (and original article):

"However, if I plug my laptop into a projector, how am I to know that it is virtually taking out the HDD?"

Seriously? When my laptop's hard drive is transferring a lot of data about, I assure you, it's pretty f*cking obvious!

The performance drop alone is usually warning enough. (Especially during the fancy animated transitions every PowerPoint or Keynote fan loves to use.) And my laptop's rather slow 5400 rpm. hard drive isn't going to be able to shovel its entire contents over Thunderbolt any faster than it can physically *read* it.

Also, the rather obvious solution to the posited hypothetical scenario is to not use your primary work computer for presentations. Just have a dedicated laptop set up in each theatre. Presenters insert a USB stick with their presentation files. Job done.

Sensitive data should never be let out of its vault unless absolutely necessary. If you're wandering around a conference centre with a laptop full of data you really don't want to have fall into the wrong hands, you deserve absolutely everything you get. (And I doubt you'd have a job that involved access to such data in the first place either, to be honest. If you do, your boss should be sacked as well as you.)

*

Frankly, all this smacks of someone who's been watching too many episodes of "Chuck". Anyone who wanted my data *that* badly would get much better results using the trusty, "Hey! Does *this* smell of chloroform to you?" trick. No matter how much encryption, obfuscation and whatnot you apply to your sensitive data, the weakest link will *always* be *you*. Point a gun at my head and I *may* just hand over the sensitive data; point it at someone I love, and I'm damned-near *guaranteed* to do so.

Yanking an entire HDD's contents off a computer via a trojan video projector is like cracking a nut by dropping nuclear bomb on it.

0
1
DR

the rather obvious solution...?

>the rather obvious solution to the posited hypothetical scenario is to not use your primary work computer for presentations. Just have a dedicated laptop set up in each theatre. Presenters insert a USB stick with their presentation files. Job done.

So you actually advocate taking random USB sticks and plugging them into random machines?

You don't think that also carries risks of virus distribution etc?

0
0

Page:

This topic is closed for new posts.