Hello everybody,
I have been thinking about the risks involved using different kinds of
dock or dockingstation.
[I'll recap what I think I found out about the docking situation, skip
if you know how docks, usb type c and DMA works]
Most business notebooks have proprietary docking connectors, like the
traditional connector on the underside of notebooks or the big connector
on the sides of some newer, thinner notebooks.
These seem to be just "breakout connectors", like routing the signals of
an internal usb or display adapter to the outside. Nothing with DMA
seems to be on the outer side of the notebook. I checked on a Lenovo
machine with an "onelink" connector, and couldn't see any new pci devices.
Now more and more notebooks come with a usb type c connector as an
universal connector. This by itself only defines the physical conenctor,
not the protocol used. There are two kinds: usb 3 and thunderbolt. Both
protocols allow alternate modes, where some pins of the cable are used
for power, video or other signals.
The first case, with usb 3, could be a monitor which connects to the
notebook with that one usb type c cable, receives usb & video & audio
from the notebok and charges it simultaneously.
With thunderbolt all of this is possible too, in addition you have two
pcie lanes. With this, you could theoretically connect any device,
including desktop grafic adapters for example.
Also, pcie has DMA, direct memory access, where a device can
"physically" read and write the entire memory, on a level below regular
operating system or cpu intervention.
This, if course, is a huge and nasty security risk.
Attacks via DMA were demonstrated via firewire for example, where a
firewire device plugs in, reads the memory, and extracts encryption
passwords right away. Potentially completely unnoticed too. Thank you,
invisible things lab, for your spearhead work on this topic.
[/recap]
Regular dockingstations don't seem to be a huge security problem,
besides the old "I trust my usb-vm with all keystrokes".
Any pcie or other DMA bus reachable from outside has huge security
problems though.
- Can DMA be tamed completely? Wikipedia [1] suggests IOMMU can limit
DMA. As I understand it, Qubes currently does not protect against a
malicious DMA device?
- Can an entire PCI bridge, which has thunderbolt or an express card or
any other DMA connector-to-the-outside be assigned to a VM, even with no
device connected yet? At least 2012 it didn't seem possible [2] at all.
More recently, trials with thunderbolt were done [3]. As I read it,
thunderbolt itself works, USB makes more problems with assigning. DMA
wasn't scope on that thread.
- Can PCI bridges be deactivated/reactivated on-the-fly? Like, asking
for confirmation when a device is connected, or deactivating the bridge
when the screen is locked?
- It seems like (thunderbolt) dockingstations with ethernet will all
connect it via usb. So I would have to trust my usb-vm with both my
unencrypted keystrokes and "physical" network traffic. In worst case all
on the same usb hub too. Can such a machine be reasonably secure at all?
- Is thunderbolt a complete no-go from a security perspective?
- Are we preparing for a world where most new notebooks only have a usb
type c conector, and maybe one, two other ports?
Stickstoff
[1]
https://en.wikipedia.org/wiki/DMA_attack
[2]
https://groups.google.com/forum/#!topic/qubes-devel/zkPTk4tjWBM
[3]
https://groups.google.com/forum/#!topic/qubes-users/uk11tSeu5yU
https://groups.google.com/forum/#!topic/qubes-users/xbtacWEVt7g