Would you mind explaining more about your job?
No, Bootcamp enabled operating systems do not have the same protections as MacOS on the very same hardware. Apple says to use MacOS if you want (IOMMU+kDMA) security protections.
ssh uses asymmetric keys and the cache on the client has a three tuple (host,ip,public key) which allows a client to notice a difference in any of the three elements. By comparison, Thunderbolt leaks the entire secret…
Yes. With MacOS and Thunderbolt 3 devices on Apple hardware the IOMMU is used as expected. This should handle DMA attacks when booted into MacOS. An important caveat: the IOMMU alone will not handle every other issue…
After the device is connected, use looks like a key consistency aware system like an ssh client. It is as you note very different in the first protocol run. To extract the device secret value, an attacker needs to…
Have you documented or published any of your Thunderbolt reverse engineering efforts?
Many smaller devices do not require tools and are trivial to clone. Any of the victim devices will do. It's not only useful to attack a target computer. Device identifiers and capabilities are not bound to the security…
That isn't entirely accurate. The ability to clone a given device state gives access to any system which has authorized that cloned device. A borrowed thunderbolt device which is not the target machine may also be used…
It is not like ssh at all. It is a problem that secrets are kept in the flash and it is also a problem that those secrets are sent over the untrusted channel.
This only holds for Macbooks running MacOS. It will not be protected by the IOMMU if the system uses Bootcamp with Windows or another operating system such as Linux.
Would you mind explaining more about your job?
No, Bootcamp enabled operating systems do not have the same protections as MacOS on the very same hardware. Apple says to use MacOS if you want (IOMMU+kDMA) security protections.
ssh uses asymmetric keys and the cache on the client has a three tuple (host,ip,public key) which allows a client to notice a difference in any of the three elements. By comparison, Thunderbolt leaks the entire secret…
Yes. With MacOS and Thunderbolt 3 devices on Apple hardware the IOMMU is used as expected. This should handle DMA attacks when booted into MacOS. An important caveat: the IOMMU alone will not handle every other issue…
After the device is connected, use looks like a key consistency aware system like an ssh client. It is as you note very different in the first protocol run. To extract the device secret value, an attacker needs to…
Have you documented or published any of your Thunderbolt reverse engineering efforts?
Many smaller devices do not require tools and are trivial to clone. Any of the victim devices will do. It's not only useful to attack a target computer. Device identifiers and capabilities are not bound to the security…
That isn't entirely accurate. The ability to clone a given device state gives access to any system which has authorized that cloned device. A borrowed thunderbolt device which is not the target machine may also be used…
It is not like ssh at all. It is a problem that secrets are kept in the flash and it is also a problem that those secrets are sent over the untrusted channel.
This only holds for Macbooks running MacOS. It will not be protected by the IOMMU if the system uses Bootcamp with Windows or another operating system such as Linux.