2020-05-11

Recently a security researcher discovered a security flaw in the Intel chips that control Thunderbolt ports, one that allows an attacker with physical access to a computer to reset the user's password and access its contents. This flaw, which affects all PCs, has little or no impact on Mac computers, and we may wonder why.

A vulnerability dating back to 2012

The vulnerability that Björn Ruytenberg has discovered is, in fact, a combination of seven security flaws:

Inadequate firmware verification schemes.

Weak device authentication scheme.

Use of metadata from unauthenticated devices.

Downgrade attack using old compatibilities.

Use of unauthenticated driver configurations.

Shortcomings of the SPI interface.

Lack of ThunderBolt security in Bootcamp.

With these bugs, an attacker who has physical access to a computer can carry out an intrusion that gives access to the computer while bypassing the lock screen.

Although these vulnerabilities have been present on Intel chips since 2011, each operating system handles device security differently. While Linux and Windows computers are vulnerable to this attack, Mac computers are virtually unscathed.

I have a Mac, is the computer safe?

The short answer is yes: the computer is totally immune to the attack.

The long answer, thanks to our colleague Julio César Fernández from Apple Coding, is somewhat more complex. In 2014 an exploit called BadUSB was discovered. It was a pen drive that, when connected to a computer, emulated a keyboard and managed to inject instructions and compromise the machine. At that time Macs were already invulnerable to this attack, and the reason is that Macs use a mechanism to virtualize the memory that is accessed via DMA (Direct Memory Access) over Thunderbolt. Thanks to this virtualization, the real memory addresses are not known to the rest of the hardware, and that memory therefore cannot be overwritten to launch the exploit.

Now, with Thunderspy, even if the attack itself is unsuccessful, the DMA virtualization protection is compromised. At a conceptual level, we could say that using Thunderspy first, “followed” by an attack through BadUSB, would make it possible to reset a user's password, although the technical implementation, which would have to be developed specifically, has a very important stumbling block: if the computer is locked the attack cannot succeed.

Reading about Thunderspy and BadUSB, we will see that some media say Macs are vulnerable and others that they are not. In a nutshell, the situation is as follows: if the Mac is not unlocked at the time the user's password is reset, the attack has no effect. Therefore, although technically it is a vulnerability, its actual effect is close to zero, all thanks to the protections Apple implements in the operating system. On the other hand, it is true that resetting a user's password gives access to much more information on an unlocked computer, such as keychain passwords.

I use BootCamp on my Mac, what is the situation then?

We should be aware that the fault is, in fact, in the port. In summary, the port has its own security system and this attack manages to compromise it. When the operating system then communicates with that port, whether the system is vulnerable depends on how much it trusts the information received from the port. macOS, which treats the port as an untrusted device, is therefore immune to the attack thanks to memory virtualization.
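The trust model just described can be inspected on Linux, one of the platforms the article names as vulnerable, through the attributes the kernel exposes under sysfs. The following shell script is an added example, not code from the article or from Intel or Apple; it assumes the attribute names documented in the Linux kernel's Thunderbolt administration guide (`security`, `iommu_dma_protection`, `authorized`) and the default path `/sys/bus/thunderbolt/devices`, and it builds a constructed directory tree with sample values so the classification can be tried offline.

```shell
#!/bin/sh
# Added example, not code from the article or from Intel/Apple: read the
# Thunderbolt security attributes the Linux kernel exposes under sysfs and
# report whether DMA from a Thunderbolt device is confined by the IOMMU (the
# "memory virtualization" the article credits for macOS's resistance).
# Attribute names follow the kernel's Documentation/admin-guide/thunderbolt.rst:
#   <root>/domain0/security             none|user|secure|dponly|usbonly
#   <root>/domain0/iommu_dma_protection 1 if the kernel enforces IOMMU for TBT
#   <root>/<dev>/authorized             0 = not authorized, 1/2 = authorized
# ROOT is a parameter (default /sys/bus/thunderbolt/devices) so the same
# functions can be run against a constructed tree for demonstration.

read_attr() {
    # read_attr FILE DEFAULT: print the file's first line, or DEFAULT if absent
    if [ -r "$1" ]; then
        head -n 1 "$1"
    else
        printf '%s\n' "$2"
    fi
}

tbt_posture() {
    root="${1:-/sys/bus/thunderbolt/devices}"
    if [ ! -d "$root/domain0" ]; then
        echo "no-thunderbolt"
        return 0
    fi
    sec=$(read_attr "$root/domain0/security" none)
    iommu=$(read_attr "$root/domain0/iommu_dma_protection" 0)
    if [ "$iommu" = 1 ]; then
        # Kernel-enforced IOMMU: device DMA is remapped, so a hostile device
        # cannot read or overwrite arbitrary physical memory.
        echo "iommu-protected"
    elif [ "$sec" = none ]; then
        # Legacy mode: every attached device is authorized automatically.
        echo "unprotected"
    elif [ "$sec" = user ] || [ "$sec" = secure ]; then
        # Access control rests on device identity (UUID / key), which is the
        # device authentication scheme the article lists among the flaws.
        echo "device-auth-only"
    else
        # dponly/usbonly: PCIe tunnelling is disabled for attached devices.
        echo "pcie-disabled"
    fi
}

# Count attached devices that already hold an authorized PCIe tunnel.
authorized_devices() {
    root="${1:-/sys/bus/thunderbolt/devices}"
    n=0
    for dev in "$root"/*/authorized; do
        [ -r "$dev" ] || continue
        if [ "$(read_attr "$dev" 0)" != 0 ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Build a constructed sysfs tree (sample data, not from a real host) so the
# checks can be demonstrated offline. Prints the directory it created.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/domain0" "$d/0-1" "$d/0-3"
    echo user > "$d/domain0/security"
    echo 0    > "$d/domain0/iommu_dma_protection"
    echo 1    > "$d/0-1/authorized"   # an attached, already-approved device
    echo 0    > "$d/0-3/authorized"   # an attached device awaiting approval
    echo "$d"
}

sample=$(make_sample_tree)
echo "sample tree: $(tbt_posture "$sample"), $(authorized_devices "$sample") authorized device(s)"
echo "this host:   $(tbt_posture)"
```

On a host where `iommu_dma_protection` reads `1`, a device that has been granted a PCIe tunnel still cannot address memory outside what the kernel has mapped for it; on a host that reports only a `user` or `secure` security level, protection rests on the device identity checks the article describes as weak, which is the case a defender should flag.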

What happens then with BootCamp? If, at the time of the attack, the Mac is booted into BootCamp, even with the session locked by a password, the attack is capable of unlocking the computer.

As Apple stated in response to the researcher who reported the vulnerability to them, computers running macOS are resistant to the attack:

Some of the hardware security features you have described are only available when users are not running macOS. If users are concerned about any of the problems in their research, we recommend that they use macOS.

It should be noted that carrying out this type of attack, on either a Mac or a Windows computer, requires the attacker to remove the back cover of the computer, connect some cables and use another computer to carry out the attack. In other words, it is not something that can happen if you leave your computer unattended in a cafeteria for a couple of minutes.

Given what we have seen, it is clear that the many security systems Apple implements in its computers, both at the hardware level with the T2 or T1 chip and at the software level, make Macs resistant to Thunderspy and to many other attacks that have appeared over time.