No fewer than seven serious Thunderbolt security flaws have been discovered, affecting machines with both standalone Thunderbolt ports and the Thunderbolt-compatible USB-C ports used on modern Macs.

The flaws allow an attacker to access data even when the machine is locked, and even when the drive is encrypted …

The vulnerabilities are present in all machines with Thunderbolt/Thunderbolt-compatible USB-C ports shipped between 2011 and 2020.

Security researcher Björn Ruytenberg found seven vulnerabilities in Intel’s Thunderbolt chips, and nine ways to exploit them.

1. Inadequate firmware verification schemes

2. Weak device authentication scheme

3. Use of unauthenticated device metadata

4. Downgrade attack using backwards compatibility

5. Use of unauthenticated controller configurations

6. SPI flash interface deficiencies

7. No Thunderbolt security on Boot Camp

There is no way to detect that a machine has been compromised.

Thunderspy is stealth, meaning that you cannot find any traces of the attack. It does not require your involvement, i.e., there is no phishing link or malicious piece of hardware that the attacker tricks you into using. Thunderspy works even if you follow best security practices by locking or suspending your computer when leaving briefly, and if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption. All the attacker needs is 5 minutes alone with the computer, a screwdriver, and some easily portable hardware.

These vulnerabilities lead to nine practical exploitation scenarios. In an evil maid threat model and varying Security Levels, we demonstrate the ability to create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices, and finally obtain PCIe connectivity to perform DMA attacks. In addition, we show unauthenticated overriding of Security Level configurations, including the ability to disable Thunderbolt security entirely, and restoring Thunderbolt connectivity if the system is restricted to exclusively passing through USB and/or DisplayPort. We conclude with demonstrating the ability to permanently disable Thunderbolt security and block all future firmware updates.

Macs are fully vulnerable to all of the Thunderbolt security flaws when running Bootcamp, and ‘partly affected’ when running macOS.

MacOS employs (i) an Apple-curated whitelist in place of Security Levels, and (ii) IOMMU virtualization when hardware and driver support is available. Vulnerabilities 2–3 enable bypassing the first protection measure, and fully compromising authenticity of Thunderbolt device metadata in MacOS “System Information”. However, the second protection measure remains functioning and hence prevents any further impact on victim system security via DMA. The system becomes vulnerable to attacks similar to BadUSB. Therefore, MacOS is partially affected.

Further details of the Mac vulnerabilities can be found below.

Ruytenberg informed both Intel and Apple of his discoveries, but says that as the Thunderbolt security flaws are present in the controller chips, there is no way to fix the vulnerabilities via a software update.

Below is a description of how the vulnerabilities can be exploited on a Mac running macOS. This is essentially performed by fooling the Mac into thinking the attack kit is an Apple-approved Thunderbolt accessory.



3.4 Exploitation scenarios for vulnerabilities 2-3, 7 on Apple Mac systems

3.4.1 Cloning an Apple-whitelisted device identity to an attacker device (MacOS) 4

Threat model

We assume an “evil maid” threat model, in which the attacker exclusively has physical access to a victim system. The system is in a locked (S0) or sleep (S3) state, while running MacOS.

Preparation

1. Acquire a MacOS-certified Thunderbolt device.

2. Disassemble the MacOS-certified device enclosure. Obtain the firmware image from the Thunderbolt controller’s SPI flash of the MacOS-certified device.

3. Disassemble the attacker device enclosure. Obtain the firmware image from the Thunderbolt controller’s SPI flash of the attacker device.

4. Connect the MacOS-certified device to the attacker system. On the attacker system, using e.g. tbtadm on Linux, obtain the UUID of the MacOS-certified device.

5. Locate the DROM section by searching for the string DROM in the attacker device firmware image. Figure 6 depicts the DROM data structure. Using the figure as a reference, locate the appropriate offsets and replicate the MacOS-certified device UUID.

6. Compute uid crc8 and replicate the value at the appropriate offset.

7. Write the image to the attacker device SPI flash.

Procedure

1. Connect the attacker device to the victim system.

Verification

1. Observe that the victim system identifies the attacker device as being a MacOS-certified device. Figure 2 demonstrates an example scenario, showing a forged Thunderbolt device identity in the MacOS “System Information” application.



Intel commented:

In 2019, major operating systems implemented Kernel Direct Memory Access (DMA) protection to mitigate against attacks such as these. This includes Windows (Windows 10 1803 RS4 and later), Linux (kernel 5.x and later), and MacOS (MacOS 10.12.4 and later). The researchers did not demonstrate successful DMA attacks against systems with these mitigations enabled. Please check with your system manufacturer to determine if your system has these mitigations incorporated. For all systems, we recommend following standard security practices, including the use of only trusted peripherals and preventing unauthorized physical access to computers.

DOWNLOAD

System Requirements for 5.1.5621 (non LynxPoint):
MacBook Air (11-inch & 13-inch, Mid 2011)
MacBook Air (11-inch & 13-inch, Mid 2012)
MacBook Pro (15-inch & 17-inch, Mid 2010)
MacBook Pro (13-inch, & 15-inch, Early 2011)
MacBook Pro (17-inch, Early 2011)
MacBook Pro (13-inch,15-inch & 17-inch  Late 2011)
MacBook Pro (13-inch & 15-inch, Mid 2012)
MacBook Pro (Retina, Mid 2012)
MacBook Pro (Retina, 13-inch, Late 2012)
MacBook Pro (Retina, Early 2013)
MacBook Pro (Retina, 13-inch, Early 2013)
Mac Pro (Early 2009)
Mac Pro (Mid 2010)
Mac Pro (Mid 2012)
Mac Pro (Late 2013)
Mac mini (Mid 2011)
Mac mini (Late 2012)
iMac (27-inch, Quad Core, Late 2009)
iMac (21.5-inch & 27-inch, Mid 2010)
iMac (21.5-inch & 27-inch, Mid 2011)
iMac (21.5-inch, Late 2011)
iMac (21.5-inch & 27-inch, Late 2012)

This download contains the Windows Support Software (Windows Drivers) you need to support 64 bit versions of Windows 7 and Windows 8 on your Mac.

For more information on which operating systems are supported on different Mac systems, click here: http://support.apple.com/kb/HT5634

• The download file is a .zip file. Double click it to uncompress it,  if it is not automatically uncompressed.
• Double-click the Boot Camp5 folder.
• Copy the entire contents of the .zip file to the root level of a USB flash drive or hard drive that is formatted with the FAT file system
• When running Windows, locate the Boot Camp folder on the USB media you created in Step 3 and double click to open it.
• Double click on setup to start installing the Boot Camp Support Software.
• When prompted to allow changes, click on Yes and follow the onscreen instructions.
• Installation can take a few minutes. Don't interrupt the installation process. When installation is complete, click Finish in the dialog that appears.
• A system restart dialog box appears.  Click Yes to complete the installation. 

For more information on Boot Camp, click here: www.apple.com/support/bootcamp
Note: If you are using one of the Macs listed below, you should download Boot Camp Support Software 5.1.5640 instead.
MacBook Air (11-inch, Mid 2013)
MacBook Air (13-inch, Mid 2013)
MacBook Pro (Retina, 13-inch, Late 2013)
MacBook Pro (Retina, 15-inch, Late 2013)
iMac (21.5-inch, Late 2013)
iMac (27-inch, Late 2013)
iMac (21.5-inch, Late 2013)

DOWNLOAD

Version: 1.7
Post Date: Dec 10, 2012
Download ID: DL1616
License: Update
File Size: 4.53 MB
System Requirements
Mac mini (Late 2012)

About Mac mini EFI Firmware Update 1.7

This update addresses HDMI video flicker issues on Mac mini (Late 2012) computers and is recommended for all users.

The Mac mini EFI Firmware Update will update the EFI firmware on your computer.

Your computer's power cord must be connected and plugged into a working power source. When your Mac mini restarts, a gray screen will appear with a status bar to indicate the progress of the update. It will take several minutes for the update to complete. Do not disturb or shut off the power on your Mac mini during this update.

Mac mini EFI will be updated to 0106.03

DOWNLOAD

Version: 10.8.2
Post Date: Oct 24, 2012
Download ID: DL1603
License: Update
File Size: 654.49 MB
System Requirements:
OS X Mountain Lion v10.8.1

About OS X Mountain Lion 10.8.2 Update for 13" Macbook Pro with Retina Display, 21.5" iMac (Late 2012), Mac mini (Late 2012)

This update is recommended for all 13” MacBook Pro with Retina Display, 21.5" iMac (Late 2012) and Mac mini (Late 2012) systems.

It includes all features and updates from OS X Mountain Lion v10.8.2 plus system-specific enhancements and fixes for Late 2012 systems.
 
New features include:
▪ Facebook
▪ Single sign on for Facebook
▪ Facebook as an option when sharing links and photos
▪ Facebook friends' contact information and profile pictures in Contacts
▪ Facebook notifications in Notification Center
 
Game Center
▪ Share scores to Facebook, Twitter, Mail, or Messages
▪ Facebook friends are included in Game Center friend recommendations
▪ Facebook Like button for games
▪ Challenge friends to beat your score or achievement
Other new features
▪ Power Nap support for MacBook Air (Late 2010)
▪ iMessages sent to your phone number now appear in Messages on your Mac
▪ From Safari and Mail on your Mac you can add passes to Passbook on your iPhone or iPod touch running iOS 6
▪ New shared Reminders lists
▪ FaceTime now receives calls sent to your phone number
▪ New sort options allow you to sort notes by title, the date you edited them, and when you created them
▪ Dictation now supports Mandarin, Cantonese, Spanish, Korean, Canadian English, Canadian French, and Italian
▪ The Dictionary application now includes a French definition dictionary
▪ Sina Weibo profile photos can now be added to Contacts
 
This update also includes general operating system fixes that improve the stability, compatibility and security of your Mac, including the following fixes:
▪ An option to discard the changes in the original document when choosing Save As
▪ Unsent drafts are opened automatically when launching Mail
▪ Receive Twitter notifications for mentions and replies from anyone
▪ URLs are shortened when sending tweets from Notification Center
▪ Notifications are disabled when AirPlay Mirroring is being used
▪ SSL support for Google searches from the Smart Search Field in Safari
▪ New preference to have Safari launch with previously open webpages
▪ Graphics performance and reliability enhancements
▪ USB 3 reliability enhancements

DOWNLOAD

Version: 10.7
Post Date: September 12, 2012
Download ID: DL1576
File Size: OS X (157.33 MB ) Windows (74.91 MB) Windows64 (76.79 MB)
System Requirements:

Software:

• Mac OS X version 10.6.8 or later
• Safari 4.0.3 or later
• 350MB of available disk space
• iTunes in the Cloud and iTunes Match availability may vary by country.
Hardware:
• Mac computer with an Intel Core processor and 512MB of RAM
• To play 720p HD video, an iTunes LP, or iTunes Extras, a 2.0GHz Intel Core 2 Duo or faster processor and 1GB of RAM is required. 
• To play 1080p HD video, a 2.4GHz Intel Core 2 Duo or faster processor and 2GB of RAM is required. 
• Screen resolution of 1024x768 or greater; 1280x800 or greater is required to play an iTunes LP or iTunes Extras
• Broadband Internet connection to use the iTunes Store
• Apple combo drive or SuperDrive to create audio, MP3, or back-up CDs; some non-Apple CD-RW recorders may also work
• Apple SuperDrive to back up your library to DVDs; some non-Apple DVD-RW drives may also work

iTunes 10.7 adds support for iOS 6 running on compatible iPhone, iPad, and iPod touch models.

This update also adds support for the latest iPod nano and iPod shuffle models.

For information on the security content of this update, please visit: http://support.apple.com/kb/HT1222