Thursday, February 24, 2011
Thunderbolt: Introducing a new way to hack Macs
Imagine that you are at a conference. You innocently attach your DisplayPort to a projector to show your presentation on the big screen. Unknown to you, while giving your presentation, the projector is downloading the entire contents of your hard disk.
The reason this works is the trusting nature of the protocol. Your laptop sends a command across the wire saying "please write the data in my memory location XYZ". What the device on the other end is then supposed to do is send the data with an address of XYZ. But it does't have to. It can instead send data to address ABC. In other words, it can upload malware into the computer's memory and run it.
This technique rarely works on USB. That's because USB is designed in a "master-slave" configuration. Your computer can do this trick against anything attached to your USB port. Indeed, that's how some "jailbreaking" of devices like iPhone's work. Your computer, the master, infects the phone with malware by writing to specific locations in the phone's memory.
However, in some versions of USB (such as USB On-the-Go), the devices will negotiate who is to be master, and who is to be slave. We found a couple notebooks 6 years ago that could be broken into with USB this way. I don't know if any newer computers can.
But most other technologies are "peer-to-peer" rather than "master-slave". In those cases, either side can hack into the other. We did this at a pentest recently. A company gave employees laptops that were secured using all the latest technology, such as encrypted boot disks and disabled USB ports. Users weren't given admin privileges. But the Firewire ports were open. We connected a device to the Firewire port on a laptop, and broke in with administrator access. Once in, we grabbed the encrypted administrator password (the one the owner of the laptop didn't know). We cracked it using L0phtcrack. That password was the same for all notebooks handed out by the company, so we now could log onto anybody's notebook. Worse -- that administrator account was also on their servers, so we could simply log into their domain controllers using that account and take control of the entire enterprise.
Another real-world story comes from the HBGary e-mails. Apparently, HBGary sold devices to the government so that they could perform the same sort of trick. We did it with a laptop running Linux, but you can easily do this from a thumbdrive.
The current Thunderbolt simply sends PCIe signals across the wire. That means, in theory, anything a PCIe card can do, a Thunderbolt device can do. A hostile device should be able to send any address it wants, to read and write any part of memory of the host machine.
Intel has a solution for this. It's called "Intel Virtualization Technology for Directed I/O" or "VT-d". Using VT-d, a driver can configure the chipset to allow a device on the PCIe bus (or the Thunderbolt connection) to only write to specific areas of memory instead of the entire memory. The processors in the MacBooks support this feature, but Mac OS X does not (at least, last time I checked it wasn't).
Note that MacBooks already have Firewire, ExpressCard, and SD/IO ports that are vulnerable to this feature. Therefore, having yet another port with the same vulnerability isn't a huge increase in the risk.
Update: iFixit's teardown shows that the MacBook uses the BD82HM65 southbridge, which does not support Vt-d.