Thunderbolt Security Speculations

Published: 2011-02-25
Last Updated: 2011-02-25 06:19:35 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

Today, Apple release a new set of Macbook Pros, sporting the first implementation of "Thunderbolt", a new interconnect technology based on what Intel so far called "Lightpeek". It promisses 10 GBit/sec duplex connectivity to everything from storage to video devices. The technology is similar to Firewire (aka i.Link, IEEE 1394) in some ways. Like for Firewire, multiple devices may be daisy chained. However, if a display port display is used as part of the chain, the display has to be the last device in the chain.

One speculation put forward in an article in the register [1] is that devices connected via Thunderbolt are not authenticated and like for firewire, have full bus access. This speculation is supported by the so far available material form Intel and Apple. Like with Firewire, this bus would provide direct access to RAM and possibly disks. As a result, a malicious device may be able to read RAM and disks without authentication.

These attacks have been shown to work for Firewire, and have been used for example in memory forensics to extract memory content from live systems. However, with the larger variety of devices expected for thunderbolt, it may be more of a threat. In particular, the scenario put forward in the article: Connecting a laptop to a projector at a conference via display port. There is no telling if inside the projector a second device sits in line waiting to extract memory from the attached laptop.

As mentioned in the title: At this point, I don't think anybody has had a chance to experiment with this yet, and I am not aware of any display link projectors. Actually almost all of the time at conferences I find good old VGA (not DVI or HDMI). But this may of course change in the future.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

3 comment(s)


Diary Archives