
Security Bits – 8 March 2019


Security Medium 1 — Thunderclap

Security researchers from the University of Cambridge, Rice University and SRI International have shone a light on one of the dangers the move to USB-C can bring along with it: Thunderbolt’s reliance on Direct Memory Access (DMA) to deliver its impressive performance. Their work, and the attack platform they built to demonstrate it, goes by the name Thunderclap.

A little context first. USB-C is a physical connector specification; it doesn’t tell you anything about what protocols a USB-C cable or port can carry. USB-C cables can carry power, USB 3 data and, in some cases, Thunderbolt data (and more). One of the things that makes the more expensive MacBook Pros better than the cheaper MacBooks is that the MacBook Pro’s USB-C ports carry Thunderbolt and DisplayPort while the MacBook’s don’t. You’ll find similar discrepancies between Windows devices that have USB-C ports. The attack described below only applies to ports that actually carry Thunderbolt (or some other way of extending PCIe over a cable); a USB-C port with only USB behind it gives the peripheral no DMA.

To deliver its impressive speed, Thunderbolt gives peripherals direct access to the host computer’s RAM through a mechanism known as DMA (literally Direct Memory Access). Its philosophical predecessor FireWire relied on DMA too. The well-known problem with DMA is that, absent other protection, a device can read and write any physical address it likes, and the operating system never gets to interpose on those accesses the way it interposes on what a process may touch. We’ve known this is a serious security concern for decades: attacks that extract secrets such as full-disk-encryption keys through a FireWire port have been public for more than a decade.

Since we’ve known about this DMA weakness for years, surely someone took the time to figure out a fix before rolling DMA into a modern connector like Thunderbolt? Well, actually, yes! Modern computers can contain a hardware unit known as an Input-Output Memory Management Unit, or IOMMU (Intel’s implementation is called VT-d, AMD’s is AMD-Vi), usually built into the CPU or chipset rather than sold as a separate chip. Its job is to make sure that a peripheral can only read and write the specific regions of RAM the OS has mapped for it; no more snooping around in the entirety of RAM!

So what’s the problem? Firstly, not every machine has an IOMMU, or has it enabled in firmware, and secondly, an IOMMU does nothing on its own: the operating system has to program it with the mappings each device is allowed to use. Not all OSes have that support, and some that do don’t enable it by default.

The good news for Mac users is that all modern Macs with Thunderbolt have an IOMMU, and modern versions of macOS enable its use by default.

Things are not so good on the Windows side where, according to the researchers, IOMMU-based protection against Thunderbolt DMA is only available in Windows 10, and only in the Enterprise edition.
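Whether an IOMMU is actually protecting you is an OS-level question, so it is worth knowing how to check. The post only discusses macOS and Windows; the script below is an added example of mine, not anything from the Thunderclap team, and it is Linux-specific because Linux exposes both facts a practitioner wants in sysfs and the kernel log: whether the kernel has created IOMMU groups (it only does so when an IOMMU driver is active), and whether each Thunderbolt device has been authorized for DMA. The kernel-log strings it matches are what I believe the Intel (`DMAR:`) and AMD (`AMD-Vi:`) drivers print at boot; treat them as assumptions and compare with `dmesg` on your own machine. The sysfs tree and log it runs against are constructed in a temporary directory so the script works anywhere; pass `/sys` and a saved `dmesg` output to run it for real.

```shell
#!/bin/sh
# Added example (not from the Security Bits post). Linux-only.

# iommu_state SYSFS_ROOT LOGFILE
# "active"  : the kernel created IOMMU groups, so DMA is being translated
# "present" : firmware advertises an IOMMU (DMAR / AMD-Vi lines in the log)
#             but the kernel is not using it -- DMA is unprotected
# "absent"  : no sign of an IOMMU at all
# The log patterns are assumptions about the drivers' boot messages.
iommu_state() {
    root="$1"; log="$2"
    if [ -d "$root/kernel/iommu_groups" ] && \
       [ -n "$(ls -A "$root/kernel/iommu_groups" 2>/dev/null)" ]; then
        echo active
    elif grep -Eq 'DMAR: (Host address width|IOMMU)|AMD-Vi: Found IOMMU' "$log" 2>/dev/null; then
        echo present
    else
        echo absent
    fi
}

# tb_security SYSFS_ROOT
# The Thunderbolt domain security level: none/user/secure/dponly/usbonly.
# "none" means every hot-plugged device gets DMA without asking anyone.
tb_security() {
    cat "$1/bus/thunderbolt/devices/domain0/security" 2>/dev/null || echo unknown
}

# tb_devices SYSFS_ROOT
# One line per attached Thunderbolt device: "authorized=<0|1|2> <vendor> <device>".
# 0 = connected but held back (no PCIe tunnel, so no DMA), 1 = authorized,
# 2 = authorized after a key challenge. Writing 1 to "authorized" is how a
# user admits a device under the "user" or "secure" level.
tb_devices() {
    root="$1"
    for dev in "$root"/bus/thunderbolt/devices/*/; do
        [ -f "$dev/authorized" ] || continue
        printf 'authorized=%s %s %s\n' "$(cat "$dev/authorized")" \
            "$(cat "$dev/vendor_name" 2>/dev/null)" \
            "$(cat "$dev/device_name" 2>/dev/null)"
    done
}

# make_sample DIR: a constructed fake sysfs tree and kernel log, not a real
# machine: IOMMU active, security level "user", one Ethernet adapter that
# has been plugged in but not yet authorized.
make_sample() {
    s="$1"
    mkdir -p "$s/kernel/iommu_groups/0" \
             "$s/bus/thunderbolt/devices/domain0" \
             "$s/bus/thunderbolt/devices/0-1"
    echo user > "$s/bus/thunderbolt/devices/domain0/security"
    echo 0 > "$s/bus/thunderbolt/devices/0-1/authorized"
    echo "Example Corp" > "$s/bus/thunderbolt/devices/0-1/vendor_name"
    echo "Gigabit Ethernet" > "$s/bus/thunderbolt/devices/0-1/device_name"
    printf '[    0.5] DMAR: Host address width 39\n[    0.6] DMAR: IOMMU enabled\n' \
        > "$s/dmesg.txt"
}

sample=$(mktemp -d)
make_sample "$sample"
echo "IOMMU: $(iommu_state "$sample" "$sample/dmesg.txt")"
echo "Thunderbolt security level: $(tb_security "$sample")"
tb_devices "$sample"
rm -rf "$sample"
# Real machine: dmesg > /tmp/dmesg.txt; iommu_state /sys /tmp/dmesg.txt; tb_devices /sys
```

The interesting verdict is "present": the hardware is there, the firmware advertises it, and the kernel is still letting devices at all of RAM, which is exactly the "has the chip, doesn’t use it" situation the text describes.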

This makes the Mac safer than Windows devices, but not perfectly safe. The researchers were able to exploit macOS by having their platform present itself as a Thunderbolt Ethernet adapter, but Apple has already patched the bug that made that possible. Even a properly enabled IOMMU is not a complete answer: it maps memory at page granularity (typically 4 KB), so a device that is legitimately handed a buffer can also read whatever else the driver left in the same page, and the Thunderclap work found operating systems exposing far more than they intended through those windows. The researchers believe there are probably more Thunderbolt bugs yet to be found in macOS.

Should you panic? Nope, especially not if you use a Mac, where you are better protected. At least for now, the solution is quite simple: don’t plug anything you don’t trust into your USB-C port! Remember that docks, chargers and projectors can be Thunderbolt peripherals too, and that a locked screen does not stop DMA, so this applies to the dock in a borrowed conference room as much as to a stray USB stick. This has been standard advice for regular USB ports for years, so I think most people would have assumed it was true of USB-C ports too anyway.


Security Medium 2 — BuggyCow

Google’s Project Zero have published details of a kernel bug in macOS that they’ve named BuggyCow. Apple was told about it privately, but had not shipped a fix when Project Zero’s 90-day disclosure deadline ran out, so the bug is now public with no patch available, which is why it is being called a zero-day.

The bug allows local privilege escalation by exploiting a flaw in Apple’s copy-on-write implementation in macOS’s memory management. Copy-on-write is a common optimisation technique in which two parties share a single copy of some data until one of them writes to it, at which point the writer is given its own private copy; it is often abbreviated to CoW, hence the bug’s catchy name.
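To make the term concrete, here is an added example of mine (not code from the Security Bits post or from Project Zero’s report) showing the normal copy-on-write contract of a private file mapping on any POSIX system: a write through a `MAP_PRIVATE` mapping faults, the kernel copies the page, and the write lands in that private copy rather than in the file, whereas a `MAP_SHARED` write goes straight through. BuggyCow was a case where XNU let the backing file change underneath such a private mapping without noticing, so a process reading what it believed was its own unchanged copy saw attacker-controlled bytes; that failure is not reproduced here, only the contract it broke. The temp-file path and one page of `A`s are constructed inputs.

```c
/* Added example, not from the original post. Build: cc -o cow cow.c */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define PAGE 4096

/* Map a temporary file, write through the mapping, then read the file back
 * through the descriptor (bypassing the mapping) to see whether the write
 * reached it.  shared=1 uses MAP_SHARED, shared=0 uses MAP_PRIVATE.
 * Returns 1 if the file changed, 0 if the mapping kept a private copy,
 * -1 on any error. */
int write_through_mapping(int shared)
{
    char path[] = "/tmp/cowdemo.XXXXXX";      /* constructed scratch file */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                             /* the fd keeps it alive */

    /* Constructed file contents: one page of 'A'. */
    char page[PAGE];
    memset(page, 'A', PAGE);
    if (write(fd, page, PAGE) != PAGE) { close(fd); return -1; }

    int flags = shared ? MAP_SHARED : MAP_PRIVATE;
    char *map = mmap(NULL, PAGE, PROT_READ | PROT_WRITE, flags, fd, 0);
    if (map == MAP_FAILED) { close(fd); return -1; }

    /* With MAP_PRIVATE this store takes a write fault: the kernel copies the
     * page and repoints this process at the copy. That is copy-on-write. */
    memcpy(map, "SECRET", 6);
    if (shared)
        msync(map, PAGE, MS_SYNC);            /* push the shared page to the file */
    int mapping_sees_it = (memcmp(map, "SECRET", 6) == 0);
    munmap(map, PAGE);

    /* Read the file's first bytes via the fd, not the (now gone) mapping. */
    char back[6];
    int file_changed = (pread(fd, back, 6, 0) == 6 && memcmp(back, "SECRET", 6) == 0);
    close(fd);
    return mapping_sees_it ? file_changed : -1;
}

int main(void)
{
    printf("MAP_PRIVATE: file changed = %d (0: the write went to a private copy)\n",
           write_through_mapping(0));
    printf("MAP_SHARED:  file changed = %d (1: the write went to the file)\n",
           write_through_mapping(1));
    return 0;
}
```

The security-relevant half of the contract is the one the kernel owes the process: once a private page has been copied, nothing the rest of the system does to the file may alter it, and before it has been copied the kernel must notice when the file changes so the process never reads stale or substituted data. BuggyCow was a gap in that second obligation.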

The good news is that the flaw is not remotely exploitable — an attacker needs the ability to execute arbitrary code on the device to trigger the bug. So, for you to fall victim to this, there must already be malware running on your computer. This is why you shouldn’t set your hair on fire over this. If you can be hit by this bug you have much bigger problems than this bug!

Apple should still fix this quickly though, because bugs like this are used to amplify the effect of other bugs. Imagine you find a bug that gives you remote arbitrary code execution, but only as an unprivileged user; combine that bug with this one and you get a remote takeover of the device.


Security Medium 3 — A Big Two Weeks for Facebook

These past two weeks have brought an interesting mix of fresh Facebook scandals, followed by an interesting post by founder and CEO Mark Zuckerberg laying out his vision for one aspect of Facebook’s future.

On the one hand we find that Facebook is allowing developers to upload extremely personal data to Facebook’s servers, and that Facebook continues to abuse phone numbers submitted for the purpose of 2FA.

On the other hand, Mark Zuckerberg published a detailed post laying out Facebook’s vision for privacy in private messaging on its platform going forward.

With regard to the apps sending Facebook deeply personal data, we’re talking about stuff as personal as heart-rate measurements, menstruation tracking, and the prices of homes being looked at in real-estate apps. Facebook incentivises app makers to use a Facebook API to send data on all of an app’s users to Facebook, including users who don’t have a Facebook account. Facebook’s defence is that its terms of service tell developers not to upload personal information without explicit consent, and that it was not aware of any abuses. Since data gathering and processing is literally Facebook’s core business and competency, I find their protestations stretch credulity.

As for using 2FA phone numbers to track users — that’s just despicable IMO. It makes the entire planet less secure by making people suspicious of 2FA.

As for Zuckerberg’s post, remember that its scope is very tightly focused on Facebook’s private messaging products; this is not a root-and-branch reform of all their services! I’ve written a blog post with more detailed thoughts (linked below), but the TL;DR version is that this doesn’t change Facebook’s core business model, so there is no reason to assume stories like the two above won’t continue to be the norm going forward.


Notable Security Updates

Notable News

Suggested Reading

Palate Cleansers
