5

If using a foreign iMac as an external display (through the Thunderbolt to Thunderbolt, or Mini DisplayPort to Mini DisplayPort cable, and Command+F2 on the iMac, as per iMac Target Display Mode FAQ), is there a chance that my MacBook or ThinkPad could get infected with some sort viruses through the said port, have the keystrokes recorded, or get its screen captured by the aforementioned iMac?

I'm specifically interested in the aspect of making sure that my laptop is not subject to these attacks, but I guess Thunderbolt is a double-way street.

I see that according to Wikipedia, it appears that Thunderbolt may be subject to DMA attacks, but only in certain circumstances. If my ThinkPad X230 has a "++DP" logo next to its port, does it mean it's not vulnerable? How do you determine if you may or may not be vulnerable? Is there a way to minimise any possible privilege escalation?

cnst
  • 1,884
  • 2
  • 19
  • 30

1 Answers1

1

You are correct in that there are risks with the Thunderbolt to Thunderbolt connectivity when connecting two devices.

The DMA type of attack you mention is a distinct and very real attack vector. https://en.wikipedia.org/wiki/DMA_attack

However Tramell Hudson's talk on Thunderstrike is probably the best description of the security issue you are asking about. https://trmm.net/Thunderstrike

At this time, unlike BadUSB ( https://srlabs.de/badusb/ ) we don't currently know of a specific tool taking advantage of this issue but given the complete lack of security controls and the similarities to known vulnerabilities in FireWire and USB we do expect exploits to be developed which will take advantage of the Thunderboldt protocol.

As for the ++DP on the Thinkpad Laptop I believe that actually means it supports Dual displays but regardless of the configuration since the Laptop is communicating using the Thunderboldt protocol it will be subject to attacks as they arise.

Additional Relevant link: http://www.extremetech.com/mobile/197005-new-apple-malware-is-undetectable-unstoppable-and-can-infect-any-thunderbolt-equipped-device

Hope this helps.

Trey Blalock
  • 14,099
  • 6
  • 43
  • 49
  • I think your answer makes an assumption that Mini DisplayPort and Thunderbolt are the same thing, which, if I recall my further investigation after asking the original question, may not be correct. E.g., just because the connector is the same, doesn't mean that PCI Express is available for these DMA attacks to surface. But how does one distinguish between the two? What about the combinations? Perhaps any adapters that could block the extra signalling? – cnst Nov 16 '15 at 23:03
  • Updated original answer to address Mini-DisplayPort – Trey Blalock Nov 17 '15 at 00:15
  • Your update is now pure speculation that DRM compatibility checks somehow have similar attack surface to DMA, which are two entirely separate things. – cnst Nov 17 '15 at 00:42
  • No I'm just pointing out that DRM implies two-way communication rather than one-way communication. That provides a vector in and if you block it you'd break the DRM communication path. – Trey Blalock Nov 17 '15 at 05:10
  • Also relevant: http://www.extremetech.com/mobile/197005-new-apple-malware-is-undetectable-unstoppable-and-can-infect-any-thunderbolt-equipped-device – Trey Blalock Nov 17 '15 at 05:19