The risks of DMA attacks over PCI-Express are known for quite some time. Every PCIe device can potentially access physical memory inside a machine and exfiltrate private data like encryption keys or passwords. Modifications are also possible. As Thunderbolt has the capability to tunnel PCIe traffic, this is also possible by external Thunderbolt devices. One of the countermeasures implemented in the Thunderbolt controllers against unknown devices behaving evil is to block them entirely by employing a user configurable whitelist.

The presented vulnerabilities affect these security measures and allow to authenticate malicious devices which then can be used to perform subsequent DMA attacks. The Thunderbolt controller responsible for authenticating the devices has its own microcontroller and runs firmware from a small SPI flash chip usually sitting next to it on the circuit board. The whitelist is stored on this SPI flash chip as well.

If the attacker has physical access to a machine, he can disassemble it, locate the flash chip and read or write it using an external device to tamper with the firmware or the whitelist stored on this device.

After managing to authenticate a malicious thunderbolt device, it is possible to access the main physical memory of the machine using DMA transfers over PCIe. This issue is known for some time and there are other countermeasures in place to prevent malicious DMA accesses. To restrict devices on a PCIe bus from accessing whatever memory they want, the system firmware or operating system can configure the IOMMU to restrict what memory regions can be accessed or not. This is the responsibility of the software running on the system which currently only mac OS seems to perform by default. Also as an IOMMU is a piece of hardware, it needs to be supported by the platform.

Possible mitigations against the attacks:

• Don’t let anybody disassemble your machine
  
• Disable the Thunderbolt controller completely in the BIOS – this means disabling the PCIe device, not only setting the security level to passthrough as this setting can be bypassed using the attack
  
• Only attach trusted devices to your machine
  
• Consult the documentation of your hardware and operating system how to configure the IOMMU correctly to prevent malicious DMA memory accesses

The key feature of this bug in @agalauner-r7’s assessment here is, “Don’t let anybody disassemble your machine.” I’m calling this issue “authenticated” because if you’re in a position to turn some screws on the case, you’re practically authenticated. :)