Hacker Timesnew | past | comments | ask | show | jobs | submitlogin

The situation hasn't improved significantly in the years since the same vulnerability appeared with Firewire.

There are so many ways to mitigate or stop this, and keep the user in control. Android, at least, knows to prevent privileged device connections with the screen locked.



This device management functionality is also available for linux desktops and best combined with enabling the IOMMU at boot time.

https://gitlab.freedesktop.org/bolt/bolt

It also seems to be available on most distros.

https://pkgs.org/download/bolt


The same vulnerability goes back even farther with nearly all 90's laptops having one or more PCMCIA/PC Card/CardBUS slots.


Or when they had mini-PCI/mini-PCIe slots under a cover on the bottom for network cards etc.

As it says in the article, it can also be done with desktops where you can just pop off the case panel and plug a malicious device into the PCIe bus.

I think the biggest issue with Thunderbolt specifically is that it works over the USB-C port that is also used for charging - so you could make a device that looks like a charger but also attacks the device (maybe with a cellular modem in it to exfiltrate data or something!), making it way easier to trick users to plug it in themselves.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: