Security Pierced By The Thunderbolt

The introduction of the Thunderbolt port on the new MacBooks was one of the top news of the past week. The technology behind the Thunderbolt is called Light Peak and comes from Intel as a potential replacement of the aging USB standard. Thunderbolt is fast, up to 10 Gigabits full duplex, or some 20 times the speed of the current USB 2.0. More than an order of a magnitude. To put the number in some context: a 60 frames per second, 24-bit color full HD video stream is 2M pixels times 24 bits times 60 fps, what equals to about 3Gbps. So using the Thunderbolt we can have two such video streams (for fast, high resolution, stereoscopic video) and we still have 4Gbps of bandwidth to spare for things like a gigabit Ethernet and about six high speed USB 2.0 streams, whatever they may carry. All using a single cable.

Thunderbolt differs from USB in one significant aspect. USB is a master - slave protocol. Usually the computer is the master, controlling the connection and peripherals are slaves. With Thunderbolt, both sides are equal. Or peers, in a very similar fashion to FireWire. Peer to peer topology allows daisy chaining the devices and does not require hubs. Which is nice. What is not necessarily nice, is the fact any side of the connection can be the master. To speed the I/O operations, Thunderbolt bypasses the CPU, using DMA transfers instead. DMA means direct access to memory. Which is fast, but without any extra security layers, is very dangerous. Using the Thunderbolt port, a peripheral device can have direct access to computer's memory.

Whatever security layers you have in place, they either guard the access to your operating system or to your storage. Whatever sits in memory, is already unencrypted. Processors cannot work on encrypted memory content. So all your sensitive data, your keys, passwords etc are usually stored on the computer in an encrypted form, but once loaded to the memory, they are plain text. So now Apple with Intel introduce this very fast I/O port, which gives peripherals direct access to the unencrypted memory, bypassing all security invented so far. With 10Gbps speed, a snapshot of the entire 4GB of your computer's memory can be done in about three seconds. So imagine a memory dongle I give to you with some files you have just asked for. You plug it in, three seconds and bam!, the entire working context of your machine is on the dongle. Imagine plugging your new MacBook to a conference room display or projector, equipped with a rouge device, capable of snapshoting your machine in three seconds. You are helpless.

Of course there are potential ways to plug the security hole the Thunderbolt port introduces. With assistance of some clever hardware there may be some areas (transfer buffers) of the memory preselected for the Thunderbolt to have access to. There should also be some form of hardware - assisted, certificate - based device authentication. But there is none today.

What I really cannot believe, in the year 2011, when we are so aware of potential computer security threats, two indisputable leaders in computer technology, Apple and Intel, introduce a brand new technology, that violates the very basic principles of security. Connecting a machine to a peripheral over the Thunderbolt port feels like getting online with Windows 95 and Internet Explorer 1.0 with ActiveX controls and all sorts of scripting enabled. Three seconds until they get you. Or less.