SP605 fits just perfectly into its HighPoint Thunderbolt 2 enclosure 👌
Finally can check how well IOMMU is configured on Apple machines pic.twitter.com/h7dJ7wf6bD
— Dmytro Oleksiuk (@d_olex) July 15, 2017
An interesting finding while playing with PCI-E on OS X: different Thunderbolt devices can access the same DMA buffers mapped by IOMMU [1/2] pic.twitter.com/TbMSYhkl1F
— Dmytro Oleksiuk (@d_olex) July 15, 2017
It's HTTP traffic that's going over my Thunderbolt to Ethernet adapter, it was intercepted by FPGA connected to other Thunderbolt port [2/2]
— Dmytro Oleksiuk (@d_olex) July 15, 2017
Yay, evil Thunderbolt device also can access I/O buffers of disk controller which talks to internal SSD of my MacBook Pro pic.twitter.com/nsqUJa6brN
— Dmytro Oleksiuk (@d_olex) July 15, 2017
By the way, I have enabled FileVault which encrypts that SSD, but rogue device somehow is able to see unencrypted filesystem data 😬 #wtf pic.twitter.com/VV6Qo0Y7Hn
— Dmytro Oleksiuk (@d_olex) July 15, 2017
This issue is confirmed for fully patched OS X Sierra, even physical locations of DMA buffers are the same [1/x] https://t.co/2tWLt3rZoD
— Dmytro Oleksiuk (@d_olex) July 16, 2017
OS X offers improper IOMMU support which isolates PCI-E devices from OS, but not from I/O buffers of each other [2/x]
— Dmytro Oleksiuk (@d_olex) July 16, 2017
So, evil PCI-E device can intercept and modify the data which is going over your network card or disk controller [3/3] https://t.co/5D3zTcM9Os
— Dmytro Oleksiuk (@d_olex) July 16, 2017
Yes, boot chain level attack is related only for Macs because technically they don't have secure boot
— Dmytro Oleksiuk (@d_olex) July 16, 2017
Device still can poison the data of some binary, script or config file to gain code exec at OS level, FileVault doesn't help
— Dmytro Oleksiuk (@d_olex) July 16, 2017