To attack my MacBook Air in the DEF CON demo I used a Sonnet Echo ExpressCard Thunderbolt 2 to ExpressCard adapter together with a PCILeech ExpressCard.
I also got a Thunderbolt 3 to Thunderbolt 2 adapter from Startech and I wanted to try it on the NUC to see if it's possible to use it for DMA attacks, or if Thunderbolt has been secured. The setup looks like this: NUC -> Startech TB3 to TB2 adapter -> Sonnet TB2 to ExpressCard adapter -> PCILeech ExpressCard.
There exists a BIOS setting for the Thunderbolt Security Level. The default setting is Unique ID. The other possible security levels are Legacy Mode, One time saved Key and DP++ only. The Legacy Mode is of special interest when it comes to DMA attacking.
Thunderbolt Security Level in BIOS - Unique ID is the default.
It was not possible to access memory before the OS started - when the computer was still in BIOS/UEFI mode. The PCILeech device wasn't initialized at all.
It was not possible to access memory in Linux. Ubuntu detected that the Sonnet Echo ExpressCard adapter was connected, but there were a lot of error messages, probably due to lack of driver support. No driver was installed in this test.
Error messages when connecting the Sonnet Echo ExpressCard adapter to the Startech adapter.
When the Sonnet Echo ExpressCard Thunderbolt 2 to ExpressCard adapter was connected, Windows popped up a prompt asking to approve the adapter. Administrative privileges were required to approve the Sonnet Thunderbolt 2 to ExpressCard adapter. It seems like the Thunderbolt 3 to Thunderbolt 2 adapter from Startech is transparent in this setup, while the Sonnet adapter is not. The Sonnet adapter was approved by the logged-on administrator.
Approve Thunderbolt Devices administrative box.
On the other hand, if you are just running Windows 10 and have never connected a PCI Express adapter, like the Sonnet Echo ExpressCard, you should be secure.
Thunderbolt 3 in Legacy Mode
Just like previously it was not possible to access memory before the OS started - when the computer was still in BIOS/UEFI mode. The PCILeech device wasn't initialized at all.
Dumping 32GB memory over USB-C/Thunderbolt 3 on Ubuntu 16.04 LTS.
Accessing the memory of a Windows 10 system also works if the Thunderbolt Security Level is set to Legacy Mode. It is possible to access the memory of a Windows 10 system by just plugging in the adapters and the PCILeech device - no drivers are required on the target system - it just works! There was no need to install the Intel Thunderbolt drivers in order to access the memory.
Windows 10 system shell spawned over Thunderbolt 3.
Other
The setup was incompatible with the other two remaining Thunderbolt Security Levels.
Not all USB-C connectors support Thunderbolt 3.
The default Thunderbolt security settings are secure - unless you approve a Thunderbolt to PCI Express adapter like the Sonnet Echo ExpressCard.
Also set a BIOS password to prevent an attacker from switching to Legacy Mode without you noticing.
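
A defender-side check for the settings discussed above, as an added example that is not from the original post: on a Linux host whose kernel exposes the Thunderbolt bus under /sys/bus/thunderbolt/devices (an assumption), this script reports each domain's security level using the BIOS names from the post and lists the devices that are currently authorized. The function names and the `--audit` switch are made up for this example.

```shell
#!/bin/sh
# Added example: audit Thunderbolt security level and authorized devices via sysfs.
# Assumes the kernel Thunderbolt driver is loaded; function names are hypothetical.

# Map the kernel's sysfs "security" value to the BIOS name used in the post.
tb_level_name() {
    case "$1" in
        none)   echo "Legacy Mode" ;;
        user)   echo "Unique ID" ;;
        secure) echo "One time saved Key" ;;
        dponly) echo "DP++ only" ;;
        *)      echo "unknown ($1)" ;;
    esac
}

# tb_audit [sysfs_root]
# Prints one line per domain and per authorized device.
# Returns 1 if any domain runs in Legacy Mode ("none"), otherwise 0.
tb_audit() {
    root="${1:-/sys/bus/thunderbolt/devices}"
    rc=0
    for dom in "$root"/domain*; do
        [ -r "$dom/security" ] || continue
        level=$(cat "$dom/security")
        echo "$(basename "$dom"): $(tb_level_name "$level")"
        if [ "$level" = "none" ]; then
            echo "  WARNING: PCIe tunnels are set up without any approval"
            rc=1
        fi
    done
    # Device nodes are named <domain>-<route>, e.g. 0-0 (host controller), 0-1.
    for dev in "$root"/*-*; do
        [ -r "$dev/authorized" ] || continue
        # 0 = not authorized; any non-zero value means PCIe tunneling is allowed.
        [ "$(cat "$dev/authorized")" != "0" ] || continue
        vendor=$(cat "$dev/vendor_name" 2>/dev/null || true)
        name=$(cat "$dev/device_name" 2>/dev/null || true)
        echo "authorized: $(basename "$dev") $vendor $name"
    done
    return $rc
}

# Run only when invoked as: sh tb_audit.sh --audit [sysfs_root]
if [ "${1:-}" = "--audit" ]; then
    tb_audit "${2:-}"
fi
```

An unexpected entry in the authorized list on a machine set to Unique ID means someone with administrative rights approved that adapter at some point.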