Security concerns over new Thunderbolt I/O technology - gst
http://www.h-online.com/security/news/item/Security-concerns-over-new-Thunderbolt-I-O-technology-1198476.html

======
zdw
FYI, if you're concerned about this issue with any Apple product and Firewire
DMA, turning on the firmware password can block this kind of attack:

[http://www.mactech.com/articles/mactech/Vol.21/21.02/Securit...](http://www.mactech.com/articles/mactech/Vol.21/21.02/Security/index.html)

(halfway down, "Disabling Firewire Direct Memory Access"; EFI passwords on x86
do the same as OF passwords on PPC machines)

------
RodgerTheGreat
I can see some concerns over this, but at the same time hasn't the
conventional wisdom _always_ been that you can do anything given physical
access to a machine?

~~~
BCM43
The problem with this is that you can be tricked into giving access to it. I
would not count plugging a display adapter into my computer as giving someone
"physical access", but in this case it would.

~~~
__david__
Very true. It seems like a simple thing to loudly inform the user that a new
PCI device was connected. But that would probably only help savvy people--
everyone else would just click ok without reading the dialog.

A real solution would be some sort of DMA whitelist provided by the OS driver.

------
alexobenauer
I like their scenario of a projector that could copy the entire contents of a
hard drive in the background. But that would require a projector that would do
such a thing.

I think what would be an even better scenario is that, since Thunderbolt
devices are meant to be daisy-chained and have 2 ports for that purpose, a
'standard' Thunderbolt projector could have a homebrew device chained to it
that the presenter knows nothing of (hidden, explained as something else,
etc.). Then this standard-made projector can be made into a malicious one
simply by daisy-chaining another device onto it that could copy the contents
of the presenter's hard drive.

------
wglb
This reminds me of a report we got while building a Unix clone. The report
stated that a user could craft a setuid root program on a floppy, and if any
random user executed that file while the floppy was mounted, then the machine
was owned.

Wouldn't true security professionals understand that once you grant physical
access to the machine, all is lost?

------
zitterbewegung
If I remember correctly, you are able to exploit DMA access through FireWire by
creating an iPod that would be able to dump the contents of memory to the hard
drive. If you had DMA access using Thunderbolt, you could dump the contents of
memory in a very short time!

~~~
__david__
And even better, you can get access to the other PCIe devices--in particular
the SATA devices. Though it might be tough to talk to devices that the main
processor is actively using. Even if you somehow disable interrupts on the
device, the potential for conflicts (leading to data corruption) seems
amazingly high.

~~~
wmf
Rather than talking to the disk controller over Thunderbolt, I would use TB to
insert a rootkit in the kernel that would use the standard APIs to read the
disk. Similar to this:
[http://esec-lab.sogeti.com/dotclear/index.php?post/2010/11/21/Presentation-at-Hack.lu-:-Reversing-the-Broacom-NetExtreme-s-firmware](http://esec-lab.sogeti.com/dotclear/index.php?post/2010/11/21/Presentation-at-Hack.lu-:-Reversing-the-Broacom-NetExtreme-s-firmware)

------
spitfire
It's funny, the first thing I thought of when I heard about Thunderbolt was
"awesome! Now I can build a ghetto NUMA system". But I guess others are
concerned about security.