Security Issues with Thunderbolt 2 and 3

[honestone33]

Just saw this:

Major security flaw found in Thunderbolt Macs and PCs: Should you be worried?

A series of vulnerabilities in Thunderbolt 2 and 3, collectively called 'Thunderspy,' can leave your Mac open to hacking.

www.macworld.com

Fortunately, most of my peripherals are connected to my Mac Mini via USB 3, and the Samsung Monitor is connected via HDMI. For my MacBook Air, only use USB 3.

And I don't use Boot Camp (nor any other kind of Windows emulator software).

So, it seems the biggest risks occur when 1) one uses Boot Camp, or 2) leaves their laptop unattended. I of course do neither.

Be careful out there!

 

[chabig]

It's not as much of a problem for Macs as for PCs. But really, your laptop is never unattended? How do you sleep at night?

 

[honestone33]

It's not as much of a problem for Macs as for PCs. But really, your laptop is never unattended? How do you sleep at night?

Both of my machines are off while I am sleeping. In fact, except for some occasional use before I sleep, my laptop is off. Also, most of the time I am using my Mac Mini. But I always shut it down when I am done using it. No sense taking stupid risks!

 

[casperes1996]

As you can read in the article, it requires physical access to the device, and putting a malicious device into the Thunderbolt port that has its payload in the firmware ROM that communicates with the Thunderbolt protocol to write straight to memory without going through the MMU on the CPU.
So whether you turn the computer off or not is irrelevant since I'm pretty sure anybody who's close enough to plug a device into it with a malicious firmware ROM is also close enough to press the power button.

It should also be noted that Macs with the T2 chip running macOS should not really be affected by this at all; See Apple's talk at BlackHat for details

 

[Unregistered 4U]

2) leaves their laptop unattended

That’s pretty much the whole story. Physical access to your computer, Boot Camp or not, is the largest security risk.

 

[honestone33]

As you can read in the article, it requires physical access to the device, and putting a malicious device into the Thunderbolt port that has its payload in the firmware ROM that communicates with the Thunderbolt protocol to write straight to memory without going through the MMU on the CPU.
So whether you turn the computer off or not is irrelevant since I'm pretty sure anybody who's close enough to plug a device into it with a malicious firmware ROM is also close enough to press the power button.

It should also be noted that Macs with the T2 chip running macOS should not really be affected by this at all; See Apple's talk at BlackHat for details

For now, the laptop is "permanently" in our town home, and unless a thief breaks in (extremely unlikely), when it's off, it's safe. And even when it's on, I am using it.

When we travel, I watch the laptop like a hawk, and again unless something malicious happens, I insure its safety.

I am well aware of how to take care of the machine.
[automerge]1589250528[/automerge]

That’s pretty much the whole story. Physical access to your computer, Boot Camp or not, is the largest security risk.

Exactly!

 

[casperes1996]

For now, the laptop is "permanently" in our town home, and unless a thief breaks in (extremely unlikely), when it's off, it's safe. And even when it's on, I am using it.

When we travel, I watch the laptop like a hawk, and again unless something malicious happens, I insure its safety.

I am well aware of how to take care of the machine.

I think you missed my point. Point wasn't that I expected people to plug things in and press the power button. - Point was that; At least for what concerns the Thunderbolt issue you referred to, there's no need to turn it off at night - I haven't turned off my Mac in about 2 months now. My web server was rebooted today but prior to that had been running for edging towards half a year.

 

[Ambrosia7177]

I think you missed my point. Point wasn't that I expected people to plug things in and press the power button. - Point was that; At least for what concerns the Thunderbolt issue you referred to, there's no need to turn it off at night - I haven't turned off my Mac in about 2 months now. My web server was rebooted today but prior to that had been running for edging towards half a year.

If you aren't actively using your Mac online, then you should disconect it from the Internet/your netowrk.

I only use Wi-Fi, so when I go to bed I turn off the Wi-Fi, although I tend to leave my Mac running for weeks on end before rebooting.

If you are connected to the outside world, then it's a way for someone to get onto your computer if it's still running...

 

[honestone33]

I think you missed my point. Point wasn't that I expected people to plug things in and press the power button. - Point was that; At least for what concerns the Thunderbolt issue you referred to, there's no need to turn it off at night - I haven't turned off my Mac in about 2 months now. My web server was rebooted today but prior to that had been running for edging towards half a year.

But I do not require my machine to be on all night, which I suspect quite a few folks are in the same situation. Why have my machines turned on when I am not using them, and especially while I am sleeping? That's my point.
[automerge]1589254010[/automerge]

If you aren't actively using your Mac online, then you should disconect it from the Internet/your netowrk.

Thank You!

I only use Wi-Fi, so when I go to bed I turn off the Wi-Fi, although I tend to leave my Mac running for weeks on end before rebooting.

I only use my Mac Book Air via WiFi, but again it's not that often, and when I use it for a little while before I sleep, I shut it down, and turn it off. I use my Mac Mini via an Ethernet connection to my router, which is connected to my modem, which is plugged into an outlet. When I am done using the Mini, I again shut down, and turn it off.

 

[Ambrosia7177]

But I do not require my machine to be on all night, which I suspect quite a few folks are in the same situation. Why have my machines turned on when I am not using them, and especially while I am sleeping? That's my point.
[automerge]1589254010[/automerge]

Thank You!

You are a better man (or woman) than me when it comes to the environment.

But from a purely IT standpoint... Why leave on my Macs? Because having to save/bookmark/etc everything I do each day, and then reboot, log in, turn on all of my apps and log into everything, and get back to where I was yesterday would take me at least 20 minutes each day and that is unacceptable.

When my Macs are asleep, I don't suspect they use that much energy, but again, you are more envirnmentally friendly.

I only use my Mac Book Air via WiFi, but again it's not that often, and when I use it for a little while before I sleep, I shut it down, and turn it off. I use my Mac Mini via an Ethernet connection to my router, which is connected to my modem, which is plugged into an outlet. When I am done using the Mini, I again shut down, and turn it off.

As long as you turn off your Wi-Fi or unplug your ethernet cable, then you are safe from the outside world, minus physical intruders or untrustworthy roommates.

Leaving your Mac turned on, but logged out, and physically disconnecting from the Internet/network should be fine. (Powering down your Mac also wills ave energy and wear-n-tear, though.)

 

[satcomer]

You are a better man (or woman) than me when it comes to the environment.

But from a purely IT standpoint... Why leave on my Macs? Because having to save/bookmark/etc everything I do each day, and then reboot, log in, turn on all of my apps and log into everything, and get back to where I was yesterday would take me at least 20 minutes each day and that is unacceptable.

When my Macs are asleep, I don't suspect they use that much energy, but again, you are more envirnmentally friendly.




As long as you turn off your Wi-Fi or unplug your ethernet cable, then you are safe from the outside world, minus physical intruders or untrustworthy roommates.

Leaving your Mac turned on, but logged out, and physically disconnecting from the Internet/network should be fine. (Powering down your Mac also wills ave energy and wear-n-tear, though.)

Yea but Power Nap needs to be shut off!

 

[casperes1996]

If you aren't actively using your Mac online, then you should disconect it from the Internet/your netowrk.

I only use Wi-Fi, so when I go to bed I turn off the Wi-Fi, although I tend to leave my Mac running for weeks on end before rebooting.

If you are connected to the outside world, then it's a way for someone to get onto your computer if it's still running...

I have a firewall; I hope you do too. Inbound connections on anything other than port 522 will be dropped, and anything on port 522 requires an RSA-2048 key to get in

 

[Ambrosia7177]

Yea but Power Nap needs to be shut off!

Interesting link, but I said to turn off your Wi-Fi or disconnect your Internet and/or network, so if you did that, PowerNap wouldn't cause any issues because you would be shut off from the outsdie world...
[automerge]1589301271[/automerge]

I have a firewall; I hope you do too. Inbound connections on anything other than port 522 will be dropped, and anything on port 522 requires an RSA-2048 key to get in

I use macOS's built in firewall.

Some day, I'll learn how to customize it, but haven't had time to learn that.

Since I only use Wi-Fi, I am unable to take advantage of a hardware firewall - well unless I set up my own network and hotspot in addition to the hotspot I connect to.

 

[casperes1996]

Since I only use Wi-Fi, I am unable to take advantage of a hardware firewall - well unless I set up my own network and hotspot in addition to the hotspot I connect to.

Most routers have firewall capabilities

 

[honestone33]

You are a better man (or woman) than me when it comes to the environment.

But from a purely IT standpoint... Why leave on my Macs? Because having to save/bookmark/etc everything I do each day, and then reboot, log in, turn on all of my apps and log into everything, and get back to where I was yesterday would take me at least 20 minutes each day and that is unacceptable.

If you are not periodically saving important items, then you are creating a risk. While leaving the machine on so that you can "easily" get back to where you were yesterday seems convenient, what happens if your machine crashes? Without periodically saving items, they are gone.

Still say it is wiser, safer, and environmentally better to shut down and shut off the machine. On the other hand, if your job requires you to be able to respond to a crisis immediately, then leaving the machine on makes sense. But again, for most of us, that is not the case.

When I was still working and on call, there was never a crisis I needed to respond to immediately, so starting up my machine (with everything previously saved) did not cause much, if any, of a delay for me to respond.

When my Macs are asleep, I don't suspect they use that much energy, but again, you are more envirnmentally friendly.

If you want your electric bill to be higher, go for it. Not me, especially given it is never necessary for me to leave either of my machines on unattended.

As long as you turn off your Wi-Fi or unplug your ethernet cable, then you are safe from the outside world, minus physical intruders or untrustworthy roommates.

I'd rather be safe then sorry (besides the smart environmental aspects).

Leaving your Mac turned on, but logged out, and physically disconnecting from the Internet/network should be fine. (Powering down your Mac also wills ave energy and wear-n-tear, though.)

Again, complete waste of electricity, and possibly some risk, especially when it is not necessary at all.

 

[Ambrosia7177]

Most routers have firewall capabilities

I live on the road as a consultant and am in a hotel. No router!
[automerge]1589308074[/automerge]

If you are not periodically saving important items, then you are creating a risk. While leaving the machine on so that you can "easily" get back to where you were yesterday seems convenient, what happens if your machine crashes? Without periodically saving items, they are gone.

Who says that I don't save stuff?

Nothing personal, but you sound navie as a computer user.

I run a business and am part develoepr, part researcher, part journalist. And I focus on security.

Do you realize how long it takes me to log into everything and find all of my work and bring everything up so I can use it? Easily 20 minutes.

I am NOT doing that everyday because as a Mac user, I don't have to. And when my Wi-Fi is off at night, and my mac is in hinernate mode, it probably uses less electricity than my alarm clock.

Still say it is wiser, safer, and environmentally better to shut down and shut off the machine. On the other hand, if your job requires you to be able to respond to a crisis immediately, then leaving the machine on makes sense. But again, for most of us, that is not the case.

No crisis mitigation, but saving my time, yes. (I get the same # of hours in a day as you, and there are not enough!)

When I was still working and on call, there was never a crisis I needed to respond to immediately, so starting up my machine (with everything previously saved) did not cause much, if any, of a delay for me to respond.

You obviously aren't working with things at the level I am.

If all I had to do was open email and a browser and a Word doc each day, then i would shut off each night.

Life isn't that easy for me...

If you want your electric bill to be higher, go for it. Not me, especially given it is never necessary for me to leave either of my machines on unattended.

I probably pay less than a $1 a month more for electricity leaving my macs in hibernate mode at night.

It's a non issue...

 

[casperes1996]

I live on the road as a consultant and am in a hotel. No router!

Fair enough, in that case I understand

I probably pay less than a $1 a month more for electricity leaving my macs in hibernate mode at night.

Way less I'd wager. My Mac uses less electricity when its asleep than my LED light bulbs do

 

[honestone33]

Who says that I don't save stuff?

Nothing personal, but you sound navie as a computer user.

I run a business and am part develoepr, part researcher, part journalist. And I focus on security.

Do you realize how long it takes me to log into everything and find all of my work and bring everything up so I can use it? Easily 20 minutes.

I am NOT doing that everyday because as a Mac user, I don't have to. And when my Wi-Fi is off at night, and my mac is in hinernate mode, it probably uses less electricity than my alarm clock.

No crisis mitigation, but saving my time, yes. (I get the same # of hours in a day as you, and there are not enough!)

You obviously aren't working with things at the level I am.

If all I had to do was open email and a browser and a Word doc each day, then i would shut off each night.

Life isn't that easy for me...

I probably pay less than a $1 a month more for electricity leaving my macs in hibernate mode at night.

It's a non issue...

First, where did I say that you don't save stuff? Where?

Secondly, I am not a naive computer user. I already mentioned above that I used to be on call, and would have to use my Mac to resolve issues during off hours.

You certainly sound like someone that is narrow minded. A number of the statements you made are either inaccurate (don't save stuff, not working at a level that you do, etc.), or have very little basis.

So, you have no crisis management, but when I was on call, there were times where the issue WAS a crisis.

And, $1 here, another $5 there, etc., adds up quite fast. But go ahead and be narrow minded, and spend all you want.

 

[Ambrosia7177]

First, where did I say that you don't save stuff? Where?

You certainly imply it here...

If you are not periodically saving important items, then you are creating a risk. While leaving the machine on so that you can "easily" get back to where you were yesterday seems convenient, what happens if your machine crashes? Without periodically saving items, they are gone.

Secondly, I am not a naive computer user. I already mentioned above that I used to be on call, and would have to use my Mac to resolve issues during off hours.

How long each morning does it take you to get up to speed where you left off yesterday on your computer?

You certainly sound like someone that is narrow minded. A number of the statements you made are either inaccurate (don't save stuff, not working at a level that you do, etc.), or have very little basis.

So, you have no crisis management, but when I was on call, there were times where the issue WAS a crisis.

And, $1 here, another $5 there, etc., adds up quite fast. But go ahead and be narrow minded, and spend all you want.

As I recall, you were asking for help about a potential security threat.

I offered a simple solution to mitigate that risk.

I also pointed out that you only need to focus on disconencting from the Internet, and NOT turning off your computer to protect against outside Internet threats.

I also stated that "I" do not shout down, and the reasons for not doing so.

You responded that it's not a big deal to shut down, and I stated that is a naive statement.

If you have to work with what I have to work with each day, it IS a big deal to shut down and start up every day. If you have the time to do that, then it's your chocie. But for me it is foolish, and it doesn't put my data at risk and it doesn't amount to a hill of beans as far as energy usage.

Those are the facts.

How you choose to work is up to you.

 

[casperes1996]

If you have to work with what I have to work with each day, it IS a big deal to shut down and start up every day. If you have the time to do that, then it's your chocie. But for me it is foolish, and it doesn't put my data at risk and it doesn't amount to a hill of beans as far as energy usage.

Interesting side-note on the electricity debate; If you need to launch a lot of things and spin up a lot of processes that need to initialize on launch, it can actually cost more electricity to shut down and relaunch all that then letting it sleep and not have the overhead of running all the launch scripts again.

But as for everything else, this thread seems to be devolving into a pointless fight, and I think we all should just leave it at your final note of:

How you choose to work is up to you.

 

[honestone33]

You certainly imply it here...

Man, can't you read? I said "If", which certainly does not mean, or infer, that you do not save things. Also, my statement is definitely accurate, but I guess you don't realize that.

How long each morning does it take you to get up to speed where you left off yesterday on your computer?

30 seconds, at the most.

As I recall, you were asking for help about a potential security threat.

I did not. I started this thread with the story that appeared on macworld. Nowhere did I ask for help. Man, you sure know how to make inaccurate/false statements!

I also pointed out that you only need to focus on disconencting from the Internet, and NOT turning off your computer to protect against outside Internet threats.

I also stated that "I" do not shout down, and the reasons for not doing so.

You responded that it's not a big deal to shut down, and I stated that is a naive statement.

I never demeaned you for not shutting down. That is your choice, and would suspect you have valid (valid for you) reasons. Yet, you chose to be narrow minded and said my statement was naive, which it clearly is not.

If you have to work with what I have to work with each day, it IS a big deal to shut down and start up every day. If you have the time to do that, then it's your chocie. But for me it is foolish, and it doesn't put my data at risk and it doesn't amount to a hill of beans as far as energy usage.

Those are the facts.

How you choose to work is up to you.

Fine. But the fact is you are narrow minded, and you make inaccurate/false statements, along with not understanding other points of view. Those are definitive facts, like it or not.
[automerge]1589338712[/automerge]

But as for everything else, this thread seems to be devolving into a pointless fight, and I think we all should just leave it at your final note of:

I can, but I suspect Texas_Toast is too narrow minded to do that.

 

[chabig]

Why have my machines turned on when I am not using them, and especially while I am sleeping?

Your body doesn't turn off (i.e., die) at night. It sleeps. Let your computer do the same.

 

[honestone33]

Your body doesn't turn off (i.e., die) at night. It sleeps. Let your computer do the same.

Don't ned to. Shutting it down, and then turning it off is the only way to go. The machine can then get a real good night's rest.

 

[casperes1996]

Your body doesn't turn off (i.e., die) at night. It sleeps. Let your computer do the same.

Computers aren't living creatures and don't die when you turn them off.

Don't ned to. Shutting it down, and then turning it off is the only way to go. The machine can then get a real good night's rest.

Conversely, computers also don't need "a good night's rest"

 

[honestone33]

Computers aren't living creatures and don't die when you turn them off.

Correct!

Conversely, computers also don't need "a good night's rest"

But it's still better to shut them down and turn them off.