Apple and Intel have introduced a new notebook connection technology called Thunderbolt that will hopefully replace all the other cables coming out of your laptop. However, it appears to share the same security flaw as some of these older technologies: attaching a hostile device can break into your computer. A hacker can walk up to your laptop while you are not looking, connect a device for a few seconds, disconnect it and walk away with your data (such as passwords). This works even when your laptop is "locked" with the password screen. We can't prove this until we get our hands on the hardware, but all signs point to hackers being able to exploit Thunderbolt.
Imagine that you are at a conference. You innocently attach your DisplayPort to a projector to show your presentation on the big screen. Unknown to you, while giving your presentation, the projector is downloading the entire contents of your hard disk.
The reason this works is the trusting nature of the protocol. Your laptop sends a command across the wire saying "please write the data in my memory location XYZ". What the device on the other end is then supposed to do is send the data with an address of XYZ. But it doesn't have to. It can instead send data to address ABC. In other words, it can upload malware into the computer's memory and run it.
This technique rarely works on USB. That's because USB is designed in a "master-slave" configuration. Your computer can do this trick against anything attached to your USB port. Indeed, that's how some "jailbreaking" of devices like iPhones works. Your computer, the master, infects the phone with malware by writing to specific locations in the phone's memory.
However, in some versions of USB (such as USB On-the-Go), the devices negotiate who is to be master and who is to be slave. We found a couple of notebooks 6 years ago that could be broken into with USB this way. I don't know if any newer computers can.
But most other technologies are "peer-to-peer" rather than "master-slave". In those cases, either side can hack into the other. We did this at a pentest recently. A company gave employees laptops that were secured using all the latest technology, such as encrypted boot disks and disabled USB ports. Users weren't given admin privileges. But the Firewire ports were open. We connected a device to the Firewire port on a laptop, and broke in with administrator access. Once in, we grabbed the encrypted administrator password (the one the owner of the laptop didn't know). We cracked it using L0phtcrack. That password was the same for all notebooks handed out by the company, so we now could log onto anybody's notebook. Worse -- that administrator account was also on their servers, so we could simply log into their domain controllers using that account and take control of the entire enterprise.
Another real-world story comes from the HBGary e-mails. Apparently, HBGary sold devices to the government so that they could perform the same sort of trick. We did it with a laptop running Linux, but you can easily do this from a thumbdrive.
The current Thunderbolt simply sends PCIe signals across the wire. That means, in theory, anything a PCIe card can do, a Thunderbolt device can do. A hostile device should be able to send any address it wants, to read and write any part of memory of the host machine.
Intel has a solution for this. It's called "Intel Virtualization Technology for Directed I/O" or "VT-d". Using VT-d, a driver can configure the chipset to allow a device on the PCIe bus (or the Thunderbolt connection) to write only to specific areas of memory instead of the entire memory. The processors in the MacBooks support this feature, but Mac OS X does not (at least, it didn't the last time I checked).
Note that MacBooks already have Firewire, ExpressCard, and SD/IO ports that are vulnerable in the same way. Therefore, having yet another port with the same vulnerability isn't a huge increase in the risk.
Update: iFixit's teardown shows that the MacBook uses the BD82HM65 southbridge, which does not support VT-d.
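A worked model of what VT-d's remapping changes, added here as an example (it is not code from the post, and not Intel's or any operating system's API). A toy host memory, a bus-master device that first fills the buffer the driver asked it to fill (XYZ) and then writes to an unrelated page (ABC), and an IOMMU allow-list that turns the second write into a recorded fault instead of a silent memory overwrite. The page size, addresses, device name and all class names are constructed for the illustration.

```python
"""Toy model of a DMA write with and without an IOMMU (VT-d style remapping).

Constructed example: 'memory', 'device' and 'IOMMU' are Python objects, not hardware.
"""
from dataclasses import dataclass, field

PAGE = 0x1000  # assumed remapping granularity for the toy model


@dataclass
class HostMemory:
    size: int
    data: bytearray = field(init=False)

    def __post_init__(self):
        self.data = bytearray(self.size)

    def write(self, addr: int, payload: bytes) -> None:
        if addr < 0 or addr + len(payload) > self.size:
            raise ValueError("physical address out of range")
        self.data[addr:addr + len(payload)] = payload


@dataclass
class Iommu:
    """Per-device allow-list of physical ranges (the DMA remapping table).

    A device may only target ranges the driver mapped for it; anything else is
    rejected and recorded as a DMA fault, which a real OS would log.
    """
    allowed: dict = field(default_factory=dict)   # device_id -> [(start, end), ...]
    faults: list = field(default_factory=list)    # (device_id, addr, length)

    def map_region(self, device_id: str, start: int, length: int) -> None:
        self.allowed.setdefault(device_id, []).append((start, start + length))

    def check(self, device_id: str, addr: int, length: int) -> bool:
        for start, end in self.allowed.get(device_id, []):
            if start <= addr and addr + length <= end:
                return True
        self.faults.append((device_id, addr, length))
        return False


def dma_write(mem: HostMemory, iommu, device_id: str, addr: int, payload: bytes) -> bool:
    """Model a bus-master write. With iommu=None (no VT-d) every address is accepted."""
    if iommu is not None and not iommu.check(device_id, addr, len(payload)):
        return False
    mem.write(addr, payload)
    return True


def run_scenario(with_iommu: bool) -> dict:
    """The driver asks the device for data at XYZ; the device also writes to ABC."""
    mem = HostMemory(16 * PAGE)
    xyz = 2 * PAGE          # the buffer the driver actually allocated for the device
    abc = 9 * PAGE          # an unrelated page the device was never given
    mem.write(abc, b"kernel code")   # stand-in for sensitive host memory

    iommu = Iommu() if with_iommu else None
    if iommu is not None:
        iommu.map_region("thunderbolt0", xyz, PAGE)   # hypothetical device id

    expected_ok = dma_write(mem, iommu, "thunderbolt0", xyz, b"requested data")
    rogue_ok = dma_write(mem, iommu, "thunderbolt0", abc, b"overwritten!")
    return {
        "expected_write_accepted": expected_ok,
        "rogue_write_accepted": rogue_ok,
        "sensitive_page_intact": mem.data[abc:abc + 11] == b"kernel code",
        "faults": iommu.faults if iommu is not None else [],
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("IOMMU enabled:" if mode else "No IOMMU:    ", run_scenario(mode))
```

The point the model makes is the one in the paragraph above: the hardware cannot tell a "correct" device from a hostile one, so the only thing that stops the write to ABC is a remapping table that was never told about ABC. A host without an IOMMU (or with one the OS never programs) accepts both writes.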
Thursday, February 24, 2011
Wednesday, February 23, 2011
What's the deal with deleting data from flash drives?
Posted by
Robert David Graham (@ErrataRob)
Before flying back to the United States, you wipe your SSD flash. You run "dd if=/dev/zero of=foo; rm foo" twice in order to fill the file system. You then run your level hacker tools to confirm that the drive does indeed only contain zeroes (such as "PhotoRec", which restores deleted photos).
Yet, when passing through customs, the border guards seize your laptop and find the proof of your crimes committed as a member of Anonymous and Wikileaks.
What went wrong?
Tuesday, February 22, 2011
Why security is so frustrating
Posted by
Robert David Graham (@ErrataRob)
My relatives are really annoying. They won’t do the one thing that secures their WiFi (use a complex password and write it down), but they insist on doing things that provide no security (hidden networks and MAC filtering).
This is a good analogy for corporate security: people refuse to do the one thing that will make them secure, but insist on doing lots of crap that does little to improve their security.
I understand why people don't want to choose complex passwords: they are harder to remember than simple passwords. People gravitate toward easier security. But why, then, do they insist upon hiding the network name and MAC filtering? These things do nothing to stop hackers, but they annoy the heck out of guests (like me) who might want to use the WiFi.
Hiding the network name is the worst. It doesn't hide the fact you have an access-point. Windows 7 shows it as "Other Network". More importantly, it doesn't hide the name from hackers. The name pops up immediately in tools like Kismet. This feature only removes the name from "beacon" broadcasts, but still includes the name in "probe responses", and hacking tools can read the "probe responses".
Anybody that connects to a hidden network must “probe” for it. That puts their laptop/iPhone at risk when they leave your network, allowing hackers to trap their devices in fake access-points. Thus, when you use hidden networks, you increase the risk for your guests while doing essentially nothing to increase your own security.
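The two preceding paragraphs make a claim a sniffer can verify: a "hidden" access point still beacons (with an empty SSID field), still names itself in probe responses, and its clients name it in probe requests wherever they go. The following is an added example, not code from the post or from Kismet; it runs the same logic over a handful of constructed management-frame summaries (the field names are a simplification of 802.11 frames, and the MAC addresses and SSIDs are made up).

```python
"""What a passive observer learns about 'hidden' WiFi networks.

Constructed frame records, not real captures. Each dict summarises one 802.11
management frame: beacons and probe responses come from an AP (bssid), probe
requests come from a client (src).
"""
from collections import defaultdict

FRAMES = [
    {"type": "beacon",     "bssid": "00:11:22:33:44:55", "ssid": ""},           # "hidden" AP
    {"type": "beacon",     "bssid": "66:77:88:99:aa:bb", "ssid": "GuestNet"},   # normal AP
    {"type": "probe_req",  "src":   "de:ad:be:ef:00:01", "ssid": "FamilyWiFi"}, # client asking by name
    {"type": "probe_resp", "bssid": "00:11:22:33:44:55", "ssid": "FamilyWiFi"}, # AP answers with the name
    {"type": "probe_req",  "src":   "de:ad:be:ef:00:02", "ssid": ""},           # broadcast probe, no name
]


def analyse(frames):
    """Return the hidden BSSIDs, the names that leaked for them, and the clients
    that keep probing for those names (the guests the post says are put at risk)."""
    hidden = set()                 # BSSIDs that beacon with an empty SSID
    names = {}                     # BSSID -> SSID learned from any frame
    askers = defaultdict(set)      # SSID -> client MACs that probe for it by name
    for f in frames:
        if f["type"] == "beacon":
            if f["ssid"] == "":
                hidden.add(f["bssid"])          # the AP's existence is not hidden
            else:
                names[f["bssid"]] = f["ssid"]
        elif f["type"] == "probe_resp" and f["ssid"]:
            names[f["bssid"]] = f["ssid"]       # the name is in the probe response
        elif f["type"] == "probe_req" and f["ssid"]:
            askers[f["ssid"]].add(f["src"])     # the client broadcasts the name itself
    revealed = {b: names[b] for b in hidden if b in names}
    leaking_clients = {ssid: sorted(macs) for ssid, macs in askers.items()
                       if ssid in revealed.values()}
    return {"hidden": hidden, "revealed": revealed, "leaking_clients": leaking_clients}


if __name__ == "__main__":
    for key, value in analyse(FRAMES).items():
        print(f"{key}: {value}")
```

Run against the sample frames, the hidden BSSID is recovered with its name from a single probe response, and the one client that asked for "FamilyWiFi" by name is listed as a device that will keep announcing that name on every network it visits.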
MAC filtering annoys hackers, but only slightly. It means they have to eavesdrop on your network for a bit before cloning a permitted device's MAC address. But MAC filtering is even more annoying for guests. It can be a complicated and time-wasting affair, as they misread a character or, as I did, read off the Bluetooth MAC instead of the WiFi MAC address.
I hear various excuses. For example, they claim they aren’t trying to stop the world’s best hackers. But that’s wrong, for two reasons.
The first is that it still doesn't explain why you are replacing a minor annoyance (complex password) with major annoyances (hidden networks and MAC filtering).
The second reason is that yes, you need to protect yourself against the best hackers. The world’s best hackers create simple tools, and publish them on the Internet. The teenage kid five doors down uses those tools (with a directional antenna) to break into your network.
Two of my relatives live far enough from other houses that they can see no other WiFi access-points. Therefore, they conclude, their neighbors cannot see their WiFi. This is the “Bugblatter Beast of Traal” theory of security: if you can’t see hackers, then hackers must not be able to see you. But directional antennas that increase the range by 100 times are rather cheap. Sure, you may have trouble getting a good signal in your yard, but a hacker a mile away can still break into your network.
George Ou, who writes at http://www.digitalsociety.org/, makes the following observations, which I thought were interesting enough to post here:
But Rob, we don't need a terribly complex WPA-PSK for a good degree of non-guessability. Even an 8-character alphanumeric PSK is extremely hard to crack even when you're leasing cloud capacity. Bump it up to 10-char or 12-char and even the cloud attack will become impractical.
1. Your neighbor's kid can crack an 8 character alpha password in a few days using his graphics card by guessing all combinations of letters ("brute-force attack").
2. Even a 12-char alpha/numeric/punctuation password can be guessed by going through the dictionary and doing minor alterations of the words ("dictionary mutation attack").
Problem with the other two myths is that security "experts" (even the CISSP curriculum) teaches MAC filtering and SSID broadcast suppression.
I hadn't thought of that. This shows yet again that the CISSP is not an adequate certification for security professionals.
The MAC filtering isn't even a minor inconvenience for hacker since it probably takes a few milliseconds to see the MAC address, and it provides zero encryption for stopping wall-of-sheep attacks or sidejacking.
SSID broadcast suppression (mistakenly known as hiding) simply forces the clients to broadcast rather than the base-station. That's like trying to hide a huge fixed military installation but asking all the foot soldiers to go around beaconing their location even in enemy territory. It is extremely stupid, yet there are so many "experts" that still teach this.
Anybody can be an expert in cybersecurity: they just have to say "you aren't taking security seriously enough".
Tuesday, February 08, 2011
What happened to "World Domination 201"?
Posted by
Robert David Graham (@ErrataRob)
Reaction from one of the authors of that paper here.
In 2006, open-source pundit Eric S. Raymond (ESR) published a document "World Domination 201", where he discussed the upcoming transition to 64-bits. He claimed that Microsoft would have a troubled transition with 64-bit Windows, which would give Linux the opportunity to step in and take over the desktop.
Yet, the reverse has happened. Windows long ago seamlessly transitioned to 64-bits, but Linux still hasn't completed the jump.
Here is today's purchase page for Dell's cheapest desktop. It allows you to choose your OS -- but only between two different versions of 64-bit Windows. I looked further into it: Dell will not sell "home" users (of desktops/notebooks) 32-bit Windows. You must order a "business" system for that.
Linux is the reverse. The most popular distros recommend 32-bit. Here is a picture taken today (Feb 8, 2011) of the Ubuntu download page, where they recommend that people download their 32-bit version:
Suse also defaults to 32-bits:
Fedora defaults to 32-bits:
As for Mac OS X, all systems are "64-bit" and "32-bit". Their 32-bit versions can run 64-bit applications, and their 64-bit version can run 32-bit applications. You can tell the kernel to boot in either 32-bit or 64-bit mode; low-end systems (notebooks) default to 32-bit, high-end systems (Mac Pro) default to 64-bit mode.
So what went wrong?
ESR's paper predicted what would go wrong:
"Linux is still an operating system developed by geeks and hackers for geeks and hackers. The disconnect between us and the non-technical end user is still vast, and too many of us like it that way and will actually defend our isolation as a virtue."
There is nothing technically wrong with 64-bit Linux on the desktop. Linux has been "64-bit ready" since 1995, and was the first operating system to run on x64 in 2001 -- two years before x64 hardware shipped. You can even get most 32-bit applications to run by setting up a special environment.
But Adobe Flash doesn't work. WINE is buggy. While 32-bit apps should work in theory, many don't in practice. Distros like Ubuntu don't even come with 32-bit backwards compatibility installed -- you must install it separately. An enormous amount of open-source software has not been upgraded -- while it compiles on 64-bit, it doesn't run properly.
Techies can get around all these problems, but average users cannot. Techies can run in 64-bit; average users will find this difficult.
Not to mention the failings of even the 32-bit desktop. Windows and Mac users now get to enjoy GPU accelerated web browsers (including Flash). Heck, Linux still suffers from simple issues like the mouse pointer getting stuck when the system is overloaded. It's not something techies care about, but it's actually something average users (albeit unconsciously) care a lot about.
How can Linux dominate the desktop?
Stop trying.
Linux is already the dominant operating system, from supercomputers to servers to home devices to smartphones. My home wifi gateway runs Linux. So does my DVR from the cable company. So does my Sony TV. My mobile is an iPhone, which runs the open-source BSD operating-system, but more Android mobiles shipped this year.
Stop fighting the battles of the past. Who cares if Microsoft owns the desktop? The future is in other devices, where Linux will surely win.
If anything, root for Apple. Linux techies will never have the compulsive desire to simplify computers that Apple has. If anything will displace Windows on the desktop, it will be Apple, not Linux.
Appendix
Performance differences
One of the arguments for 32-bit over 64-bit is that it performs better. This is Apple's reasoning for shipping a 32-bit kernel that runs 64-bit apps.
The performance differences are minor. 64-bit code bloats a little, because pointers are now twice as big. This in turn puts more pressure on the cache, slowing things down. On the other hand, x64 doubles the number of registers, which in turn speeds things up.
I find in my own code that 64-bit is slightly faster overall. Either way, it's not a convincing argument why Linux desktops are stuck at 32-bit.
64-bit isn't needed yet
Nonsense. I just purchased 24-gigs of RAM for my desktop for $300.
Certainly, not all applications need 64-bit. For example, Visual Studio 2010 is a 32-bit application (for producing 64-bit code). That's because there is nothing it does that can exceed 4 gigs of RAM.
On the other hand, Microsoft Office is now 64-bit. That's because high-end users do things like creating monster Excel spreadsheets.
I see this most often when I load large packet-captures using Wireshark. The 32-bit version crashes because the files are too big. The 64-bit version happily loads these monster files.
Full disclosure
So what do I run? I'm writing this on a MacBook Air running Windows 7 64-bit (and BackTrack 4 under VMware).
Apple's hardware is fantastic, but in the end, I'm a Windows fan.
The overwhelming reason is "keyboard shortcuts". Windows does this better than Mac or Linux. It allows me to whiz through applications much faster than with a mouse. Most people don't care about this, but I care a lot.
The second reason is Visual Studio, Microsoft's C compiler (and other languages). Its source-level debugging is far beyond what you can get with GDB and GDB-derived GUIs like Xcode. I've used GDB since the 1980s, and I still passionately hate it.
Which is weird. I develop my code for Linux. But I develop it under Windows and Visual Studio, and debug portability issues under Mac OS X and Xcode. I hate Linux IDEs that much.
Conclusion
To restate my point: Dell refuses to ship a 32-bit version of Windows for home users, only 64-bit. In contrast, the major Linux desktop distros recommend 32-bit versions of their desktop.
Sunday, February 06, 2011
I'm already hating the IPv6
Posted by
Robert David Graham (@ErrataRob)
Looking up RFCs is really painful because the first IP address that comes back is an IPv6 address:
It takes several minutes for the browser to time out on that IPv6 address and back off to the IPv4 address.
But I'm otherwise prepared for IPv6 as soon as Comcast enables it. In the picture below, notice that my Internet router is IPv6 enabled, and that I'm indeed talking to it from my desktop via its IPv6 address.
So, to fix this, I simply need to turn off the IPv6 feature of my home gateway.
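The delay described above comes from a client that tries the first address it gets back (the IPv6 one) and waits the full connect timeout before moving on. The following added example, which is my own code and not anything from the post or from a browser, shows the alternative a client can implement: walk the resolver's address list in order with a short per-address budget and fall back to the next address as soon as one fails. It is the sequential, simpler cousin of the Happy Eyeballs approach (RFC 6555). The addresses are constructed from documentation-reserved ranges, the timeout value is an assumption, and the connector is injectable so the logic runs without a network.

```python
"""IPv6-first connect with a bounded per-address timeout and IPv4 fallback.

Added example. `ATTEMPT_TIMEOUT` is an assumed budget, not a browser's real value.
"""
import socket

ATTEMPT_TIMEOUT = 0.25   # seconds per address; assumption for the illustration


def _tcp_connect(family, sockaddr, timeout) -> bool:
    """Real connector: a TCP connect that gives up after `timeout` seconds."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(sockaddr)
        return True
    except OSError:
        return False


def connect_first_working(addrs, connector=None, timeout=ATTEMPT_TIMEOUT):
    """Try each (family, sockaddr) in resolver order with a short timeout.

    Returns (sockaddr, attempts) for the first address that connects, or
    (None, attempts) if none did. `attempts` records each address tried and
    whether it succeeded, so the fallback path is visible to the caller.
    """
    connector = connector or _tcp_connect
    attempts = []
    for family, sockaddr in addrs:
        ok = connector(family, sockaddr, timeout)
        attempts.append((sockaddr[0], ok))
        if ok:
            return sockaddr, attempts
    return None, attempts


def resolve(host, port=80):
    """Map getaddrinfo() results (IPv6 first on a dual-stack host) to the
    (family, sockaddr) pairs connect_first_working() expects."""
    return [(ai[0], ai[4]) for ai in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)]


# Constructed addresses: an IPv6 path that never answers (an IPv6-enabled LAN with
# no upstream IPv6 route) followed by a working IPv4 address.
SAMPLE_ADDRS = [
    (socket.AF_INET6, ("2001:db8::10", 80, 0, 0)),
    (socket.AF_INET, ("192.0.2.10", 80)),
]


def fake_connector(family, sockaddr, timeout) -> bool:
    """Stand-in for the network: IPv6 times out, IPv4 answers."""
    return family == socket.AF_INET


if __name__ == "__main__":
    chosen, attempts = connect_first_working(SAMPLE_ADDRS, connector=fake_connector)
    print("connected to", chosen, "after trying", attempts)
```

With the fake connector the IPv6 attempt fails inside the per-address budget and the IPv4 address is used next; with the real connector the same function would spend at most `ATTEMPT_TIMEOUT` seconds per address instead of minutes on the first one. Disabling IPv6 on the gateway, as the post does, removes the unreachable AAAA path altogether; this pattern is what a client does when it cannot change the network.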