Skip links

Modern computers are vulnerable to malicious peripheral devices


About the Thunderclap vulnerabiltiies

The Thunderclap vulnerabilities are security flaws that affect the way modern computers interact with peripheral devices such as network cards, storage, and graphics cards. These vulnerabilities allow an attacker with physical access to a Thunderbolt port to compromise a target machine in a matter of seconds, running arbitrary code at the highest privilege level and potentially gaining access to passwords, banking logins, encryption keys, private files, browsing and other data. Attacks exploiting these vulnerabilities can also be carried out by seemingly innocuous peripherals like chargers and projectors that correctly charge or project video but simultaneously compromise the host machine.

The Thunderclap platform is a hardware/software stack for research into the security of computer peripherals and their interaction with operating systems. It was used to discover the Thunderclap vulnerabilities and develop proof-of-concept exploits.

The Thunderclap platform as well as a number of Thunderclap vulnerabilities and proof-of-concept attacks are described in:

Thunderclap: Exploring Vulnerabilities in Operating System IOMMU Protection via DMA from Untrustworthy Peripherals A. Theodore Markettos, Colin Rothwell, Brett F. Gutstein, Allison Pearce, Peter G. Neumann, Simon W. Moore, Robert N. M. Watson. Proceedings of the Network and Distributed Systems Security Symposium (NDSS), 24-27 February 2019, San Diego, USA. BibTeX

More information about some of the experiments can be found in the following PhD thesis:

Exploitation from malicious PCI Express peripherals Colin Rothwell. University of Cambridge Computer Laboratory technical report UCAM-CL-TR-934.

The Thunderclap platform is open-source and available for researchers to build or extend:


Have a question?

Technical details of the Thunderclap platform

The Thunderclap platform consists of an FPGA that runs the Thunderclap application. The FPGA then plugs into a computer via PCI Express or Thunderbolt. The Thunderclap application makes the FPGA behave to the computer like a genuine Ethernet card (the Intel 82574L network interface card or NIC). The operating system will identify the ethernet peripheral, load drivers, allow the device to access memory (via DMA and an IOMMU if enabled), and ask it to send and receive packets.

With this deep interaction with the operating system, Thunderclap’s device model provides hooks that allow payload functions to be added to device behavior. For example, when the operating system asks the NIC to send a packet, it provides the NIC with the address of the data to send. A payload function might search nearby memory looking for plaintext data that was intended for a different network device.

Thunderbolt dock with FPGA implant, an implementation of our I/O-security research platform

The Thunderclap application runs on Intel/Altera FPGA boards:

  • Intel Arria 10 SoC Development Kit ($4500) with Samtec HDR-181157-01-PCIEC cable (available from Samtec direct) – currently recommended
  • Enclustra Mercury+ AA1 module (ME-AA1-270-3E4-D11E) on PE1 carrier board (~EUR 800) – work in progress
  • Terasic DE5-Net board (Stratix V) with BERI soft-CPU – no longer supported
  • As far as we can ascertain, Xilinx, Lattice and Intel Cyclone FPGAs don’t allow us to replace the vendor-supplied implementation of configuration registers with our own (Intel calls it ‘config bypass’ mode) which we require.

It is composed of several pieces:

  • The underlying FPGA bitfile, containing the hardware that receives PCIe packets (TLPs) and delivers them to software. The FPGA contains an Arm Cortex A9 CPU (hard processor system or HPS) to run our software stack. GitHub repo
  • The Ubuntu 16.04 operating system running on the on the Arm, including kernel, device tree and u-boot bootloader (which also loads the FPGA bitfile at boot time). Automated build scripts (work in progress): GitHub repo
  • The Thunderclap application, which is a substantially cut down version of QEMU, based on its e1000e device. This runs in Ubuntu on the ARM core and connects directly to the PCIe queues provided by the hardware. GitHub repo

Our Partners