Over the last couple of weeks, there have been a number of reminders that any device that plugs into a computer port can be a hazard. This is even truer when the device plugs into an actively powered port, like USB. A few weeks ago, a demonstration showed that a USB cable can easily be built to open a path for remote compromise of a system. The underlying flaw, called BadUSB, was actually discovered years ago; only recently, however, has it been applied to anything other than storage devices.
This week, a similar flaw was disclosed that affects Thunderbolt devices rather than traditional USB. The discovery comes courtesy of joint research by the Department of Computer Science and Technology at the University of Cambridge, Rice University and SRI International. The more creatively named Thunderclap bypasses Input-Output Memory Management Units (IOMMUs) over Thunderbolt 3, the version of Thunderbolt that runs over USB-C. According to the report,
An essential insight is that, while IOMMUs allow peripheral devices to be constrained, the DMA interface between device drivers and peripherals is a porous and complex attack surface that malicious actors can manipulate to influence software behavior and trigger vulnerabilities.
All of this underscores a recurring problem: innocuous-looking items that turn out to be insecure. Over the years, we've seen a number of seemingly safe devices and programs turn out to be just the opposite. The most obvious case is mobile apps that pretend to be games or productivity software but actually steal your data and upload it to remote servers. Less obvious, but potentially more dangerous, are phone charging stations, like the ones you see at the airport. It is possible to place a Raspberry Pi inside a charging station, set up specifically to read data over the USB port of any phone plugged into it.
The important thing to remember is: don't plug your device, whether computer, phone, or tablet, into anything you do not trust entirely. Purchase USB cables and flash drives from known brands. Don't charge your phone on someone else's plug; always use your own charger or a Qi wireless charger. Your privacy and security are not worth the slight savings you might get.