Thread by Robert Graham, 9 tweets
1/ Note that we hackers have been using DMA attacks since the 1990s, starting with Firewire devices. While these "Thunderclap" attacks are new innovations, the basic concept has been around for a long time.
appleinsider.com/articles/19/02…
2/ DMA means "direct memory access": the hardware copies data to/from memory, bypassing the CPU and bypassing software drivers. In theory, a device on a DMA-capable port has full access to memory.
3/ To prevent this, modern computers now have IOMMUs, similar to the older "MMU", the "memory management unit", the feature of modern CPUs that prevents user-mode apps in the operating system from messing with kernel memory. IOMMU is just an I/O version of the MMU.
4/ IOMMUs can be expensive in some cases, so even though they exist in the hardware, they may not be enabled by the operating system or the driver. Part of this is technology evolution; it'll be a while before IOMMUs are a natural part of the system instead of a wart.
5/ Even with an IOMMU preventing arbitrary access to the system, the remaining parts of memory exposed to the hardware still provide enough of an attack surface to exploit. It's highly selective, targeting individual components one by one.
6/ What's going on here is that they've simply layered the PCIe bus on top of the USB cable. PCIe was designed to be an INTERNAL way of adding things like Ethernet cards and graphics cards, where you implicitly trust the hardware. It wasn't designed for external use.
7/ Now we've exported PCIe across the cable so any external device can hack you. It means when you plug in the cable for video when presenting at DEF CON, the projector can hack you back.
8/ It's not just USB. PCIe has also been added to the spec for microSD cards. In the future, sticking a microUSB card into your computer to transfer files may hack your machine in exactly the same way.
9/ BTW, I mentioned this back in 2011 when Thunderbolt was first added to Macs, though only from a theoretical perspective. The way Thunderclap messes with exposed Ethernet driver regions is something I didn't anticipate.
blog.erratasec.com/2011/02/thunde…
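Added example, not code from the thread: a read-only check of the two conditions tweets 3 and 4 turn on, whether the kernel actually created IOMMU groups and whether the Thunderbolt stack hands out PCIe access to a freshly plugged device. It assumes Linux sysfs (`/sys/kernel/iommu_groups`, `/sys/bus/thunderbolt/devices/*/security` and `authorized`), and takes a root prefix so it can be exercised on a constructed tree.

```shell
# Added example, not code from the thread: read-only Linux sysfs checks that
# an IOMMU is actually in use and that Thunderbolt gates PCIe (DMA) access
# for devices arriving over the cable. ROOT is a path prefix (default "/")
# so the functions can be exercised against a constructed sysfs tree.

# Number of IOMMU groups the kernel created; zero means no IOMMU is active
# and a DMA-capable device can reach all of physical memory.
iommu_group_count() {
    dir="${1:-/}/sys/kernel/iommu_groups"
    count=0
    if [ -d "$dir" ]; then
        for group in "$dir"/*; do
            [ -d "$group" ] && count=$((count + 1))
        done
    fi
    echo "$count"
}

# Thunderbolt security level of domain0: "none" tunnels PCIe to any device
# as soon as it is plugged in; "user"/"secure" require authorization first.
# Prints "unknown" when no Thunderbolt domain is present.
thunderbolt_security() {
    file="${1:-/}/sys/bus/thunderbolt/devices/domain0/security"
    if [ -r "$file" ]; then cat "$file"; else echo unknown; fi
}

# Thunderbolt devices already authorized for PCIe tunnelling, one per line
# as "<device> <authorized value>".
authorized_thunderbolt_devices() {
    for dev in "${1:-/}"/sys/bus/thunderbolt/devices/*; do
        [ -r "$dev/authorized" ] || continue
        auth=$(cat "$dev/authorized")
        [ "$auth" != 0 ] && echo "$(basename "$dev") $auth"
    done
    return 0
}

# Summary: no-iommu | iommu-but-tb-open | iommu-no-thunderbolt |
# iommu-and-tb-gated. Even the last is not a complete fix: the thread notes
# the IOMMU still leaves driver-mapped regions exposed to the device.
dma_verdict() {
    root="${1:-/}"
    if [ "$(iommu_group_count "$root")" -eq 0 ]; then echo no-iommu; return 0; fi
    case "$(thunderbolt_security "$root")" in
        none)    echo iommu-but-tb-open ;;
        unknown) echo iommu-no-thunderbolt ;;
        *)       echo iommu-and-tb-gated ;;
    esac
}
```

Run `dma_verdict` with no argument on a live machine to read the real sysfs; the paths are the kernel's own attributes, but the verdict labels are this example's.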
Author: Robᵉʳᵗ Graham