Thunderbolt devices and security: why the CIA mightn’t like 10.12.4

Buried away in the details of each macOS update comes a long list of security fixes. One which caught my eye when I was looking through the list for Sierra 10.12.4 reads:

Available for: macOS Sierra 10.12.3
Impact: A malicious Thunderbolt adapter may be able to recover the FileVault 2 encryption password
Description: An issue existed in the handling of DMA. This issue was addressed by enabling VT-d in EFI.
CVE-2016-7585: Ulf Frisk (@UlfFrisk)

This explains why some Macs, when updated to 10.12.4, include an EFI update during that process.

The story behind this rather unusual vulnerability goes back – as far as we are allowed to know – to last summer. At the end of July 2016, Ulf Frisk, a security researcher in the banking sector, discovered that with the aid of a special Thunderbolt device known as a PCILeech, he could reveal the password for any Mac protected (if that was the right word) by FileVault encryption.

The Thunderbolt device was presented at DEF CON 24 on 5 August 2016, but Frisk was assiduous in not mentioning the FileVault vulnerability. He disclosed that to Apple ten days later, following which its security engineers confirmed the issue and asked Frisk to delay any disclosure, which he did.

macOS Sierra 10.12.2, released on 13 December, contained a fix for some models, but not all. Only with 10.12.4 – as tersely described in that security note – is the vulnerability fixed for all models.

Remember now the recent Wikileaks releases which claim to reveal vulnerabilities which were or are exploited by the CIA to ‘spy’ on targets. Key among them was the ‘Sonic Screwdriver’, another Thunderbolt device presented in public, at the 2012 Black Hat conference. Trammell Hudson’s first-hand account of that remains worth reading.

In that case, Apple claims to have blocked the exploit in December 2015.

I suspect that in cupboards used by intelligence and security agencies around the world, Thunderbolt devices are being moved towards the back of the shelves. There are – and will be – further vulnerabilities which will be exploited to try to circumvent FileVault and other security mechanisms. But Apple continues to improve our protection.