‘Thunderclap’ collection of hardware vulnerabilities affects Mac, Windows, Linux systems

Many modern computers are vulnerable to a number of security flaws that could exploit a machine’s Thunderbolt connection to its network cards, keyboard, computer charger or other peripheral devices.

Many modern computers running Mac, Windows or Linux operating systems are vulnerable to a number of security flaws that could exploit a machine’s connection to its network cards, keyboard, computer charger or other essential peripheral devices, according to research published this week from a team of computer scientists.

The vulnerabilities, which require physical access to a computer, are known collectively as “Thunderclap.” They leverage operating system design flaws in what’s known as a Thunderbolt interface, a common piece of hardware that allows outside devices to connect to a machine.

Researchers revealed this week at the NDSS 2019 security conference that “all Apple laptops and desktops produced since 2011 are vulnerable, with the exception of the 12-inch MacBook. Many laptops, and some desktops, designed to run Windows or Linux produced since 2016 are also affected[.]”

The Thunderclap vulnerability could allow an attacker with access to a machine to execute commands at a computer’s highest privilege level, potentially accessing “passwords, banking logins, encryption keys, private files, browsing and other data.”


Attacks can compromise computers within a few seconds, according to a team of researchers from the University of Cambridge, Rice University and SRI International. While most laptops and desktop computers functioning today have controls in place to protect their storage from intruders, the team found a design issue in Thunderbolt that authorizes an operating system to grant an outside devices with memory access.

Researchers first discovered Thunderclap in 2016 and have been working with technology companies to patch the issues in the years since, though most issues remain unresolved.

The computer scientists provided an update about where each company’s updates stand this week on a Thunderclap information page. In general, the group said platforms are “insufficiently defended” and advised users not to connect any devices they do not trust.

The following updates are reproduced directly from the Thunderclap information page:

“In macOS 10.12.4 and later, Apple addressed the specific network card vulnerability we used to achieve a root shell. However the general scope of our work still applies; in particular that Thunderbolt devices have access to all network traffic and sometimes keystrokes and framebuffer data.”


“Microsoft have enabled support for the IOMMU for Thunderbolt devices in Windows 10 version 1803, which shipped in 2018. Earlier hardware upgraded to 1803 requires a firmware update from the vendor. This brings them into line with the baseline for our work, however the more complex vulnerabilities we describe remain relevant.”

“Recently, Intel have contributed patches to version 5.0 of the Linux kernel (shortly to be released) that enable the IOMMU for Thunderbolt and prevent the protection-bypass vulnerability that uses the ATS feature of PCI Express.”

“The FreeBSD Project indicated that malicious peripheral devices are not currently within their threat model for security response. However, FreeBSD does not currently support Thunderbolt hotplugging.”

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts