Hardly a month goes by without the disclosure of a new security vulnerability that could deeply compromise computers, so the latest revelation — weaknesses in the high-speed Thunderbolt and PCI Express interfaces used by Macs and PCs — is par for the course at this point. But the depth of this just-disclosed issue is troubling enough that Linux, Mac, and Windows users should be aware of the consequences of leaving their older machines unpatched.
Research presented this week by the University of Cambridge’s Security Group suggests that both the Thunderbolt and PCI Express interfaces were providing peripherals with virtually unrestricted memory access on Macs and PCs, enabling a rogue device to do anything from injecting software to grabbing passwords or private files from a computer. A malicious peripheral could simultaneously perform its promised functions while snooping on the user or taking control of the machine.
Thunderbolt previously had its own connector type that clearly distinguished its cables and peripherals from USB alternatives. But the latest version, Thunderbolt 3, shares the same USB-C connectors used in most current-generation PC and Mac peripherals; it is now used in almost all of Apple’s products, and some PC laptops. PCI Express add-ons are generally desktop- and server-specific.
According to the researchers, a defense mechanism that would have limited full memory access was unsupported by Microsoft’s Windows 7, 8, 10 Home, and 10 Pro, had only limited support in 10 Enterprise, and was disabled by default in Linux. Apple’s macOS supported the defense mechanism out of the box, but even a defended macOS machine could be forced to launch arbitrary apps and to allow activity on other peripherals — say, typing on a USB keyboard — to be monitored.
Though the researchers say they’ve been working with vendors to mitigate the vulnerabilities since 2016, software patches have been uneven across platforms. Apple apparently fixed the aforementioned issue in macOS 10.12.4 in 2016, but Microsoft took until April 2018 to fix the Thunderbolt (but not PCI Express) vulnerabilities in Windows 10, leaving machines running versions prior to 1803 susceptible to attack. Fixes for Linux are included in kernel 5.0, which is nearing final release.
Users are advised to take two precautions: Update your computer to the latest Linux, macOS, or Windows 10 release, and “be cautious about attaching unfamiliar USB-C devices … especially those in public places.” Despite the patches, the researchers suggest that there is “very plausible” potential for the exploit to be used in seemingly normal charging stations or displays that can take control of connected and unprotected machines.