
Has Apple fixed the Thunderbolt DMA attack when the computer is unlocked or is it unfixable since DMA is built into Thunderbolt?

I don't want to get hacked simply by plugging my Mac into a modified projector in a hotel or something.

Btw, what is the likelihood that a large company (e.g., Apple or Google) would get hacked in this manner? Could hotel projectors be replaced with modified ones without the person being caught?

genealogyxie

  • The main advantage of Thunderbolt (which is essentially PCI-Express with hotplug) is DMA. You remove that and you go back to USB-grade speeds. – André Borie Apr 27 '16 at 06:04
  • @AndréBorie: DMA attacks don't have the cooperation of the host OS, but it's completely different for legitimate operations because IO-MMU hardware has become very common in the PC/mobile world over the last half-decade, and that allows the host OS to grant access to a specific memory range for the duration of a particular operation. – Chris Adams Aug 09 '16 at 14:49
  • As of [macOS High Sierra](https://en.wikipedia.org/wiki/MacOS_High_Sierra) (June 2017), Apple has apparently [disabled DMA over Thunderbolt, in favour of always-on VT-d](https://github.com/ufrisk/pcileech/wiki/Target:-macOS). If true, this shrinks Macs' DMA attack surface. Thunderstrike, however, gained DMA access just *before* the OS was booted, and read keys that were still in memory due to [data remanence](https://en.wikipedia.org/wiki/Data_remanence). I am unsure if High Sierra fixed that specific weakness: it would seem to need hardware/firmware changes. Maybe the T2 chip addresses this. – sampablokuper Aug 17 '18 at 12:16
  • @AndréBorie **That's not true.** You can easily support driver DMA with the interface controller without allowing the interface to directly issue DMA requests. That's how SATA works (compare UDMA with PIO!), for example. Same with even the highest speed NICs. It would be perfectly possible to allow extremely high speed and DMA at the controller level without exposing that ability to the protocol. – forest Aug 18 '18 at 02:53
  • @ChrisAdams DMA operations are _unattended_, but they do require cooperation of the host OS to initiate. Even without an IOMMU, the bus master enable bit must be set in the PCI configuration space in order for the device to even _attempt_ to issue a DMA request. – forest Aug 18 '18 at 02:56

1 Answer


Sadly, it will probably never be completely safe to plug your computer into strange things. Even without DMA access, there are many other theoretical attacks. As known vulnerabilities are patched, their existence suggests others may be possible.

The facilities at Google are likely well protected from any hardware tampering (or any other burglary/theft/espionage). At a hotel, there is probably no protection at all.

Using a VGA/DVI/HDMI cable for a projector would be much safer than plugging a strange thing into the equivalent of a PCIe connector.

trognanders