A security researcher has found a vulnerability in Thunderbolt-equipped Windows and Linux PCs, which puts computers manufactured before 2019 at risk, including modern Macs.
For those unaware, Thunderbolt is a hardware interface developed by Intel (in collaboration with Apple) that allows users to combine data transfer, charging, and video peripherals into a single computer.
Bjorn Ruytenberg, a security researcher who is currently a student at the Eindhoven University of Technology, said that the vulnerability, dubbed ‘Thunderspy’, specifically targets Thunderbolt technology and allows hackers with physical access to the device to retrieve data, needing only five minutes with the computer, a screwdriver, and some easily portable hardware. It can also allow an attacker to access all data stored on a computer, even if the device was locked or set to sleep, password-protected, and had an encrypted hard drive.
“Thunderspy is stealth, meaning that you cannot find any traces of the attack. It does not require your involvement, i.e., there is no phishing link or malicious piece of hardware that the attacker tricks you into using,” said Ruytenberg in a Sunday disclosure post.
“Thunderspy works even if you follow best security practices by locking or suspending your computer when leaving briefly, and if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption.”
Ruytenberg found 7 vulnerabilities in Intel’s design and developed 9 realistic scenarios showing how a malicious entity could exploit them to gain access to victims’ systems, bypassing the defenses that Intel had set up for their protection.
So far, Ruytenberg has found the following vulnerabilities, which break all primary security claims for Thunderbolt 1, 2, and 3:
- Inadequate firmware verification schemes
- Weak device authentication scheme
- Use of unauthenticated device metadata
- Downgrade attack using backwards compatibility
- Use of unauthenticated controller configurations
- SPI flash interface deficiencies
- No Thunderbolt security on Boot Camp
In a video proof of concept, Ruytenberg shows how quickly and simply the attack can be carried out in five minutes.
According to Ruytenberg, to carry out a Thunderspy attack on a vulnerable PC, all a hacker “needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware [controlling the Thunderbolt port], reattach the backplate.”
The reprogrammed firmware allows the hacker to change Thunderbolt port settings, which lets any malicious peripheral device access it.
Ruytenberg used only about $400 worth of equipment, consisting of a screwdriver, a Serial Peripheral Interface (SPI) programmer device, and a $200 Thunderbolt peripheral, to carry out the direct memory access (DMA) attack. It gave full access to the laptop, allowing Ruytenberg to complete the entire attack in about five minutes, sans password.
All Thunderbolt-equipped systems shipped between 2011 and 2020 are vulnerable. However, some systems that provide Kernel DMA Protection, shipping since 2019, are partially vulnerable.
If you wish to find out whether your PC is at risk, you can do so using Spycheck, a free and open-source tool designed by Ruytenberg himself. Please note that the vulnerabilities cannot be fixed with a software update. Hence, it is best not to leave your computer unattended, and also to permanently disable Thunderbolt security entirely and block all future firmware updates.
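An added example, not part of the original article and not Ruytenberg's Spycheck: on Linux, the Thunderbolt driver exposes each controller's security level and Kernel DMA Protection state in sysfs, and this script reports both per domain. The optional sysfs-root argument and the verdict labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: report Thunderbolt security level and Kernel DMA Protection
# for each Thunderbolt domain using the Linux thunderbolt driver's sysfs files.
# The verdict labels are this example's own wording, not an official rating.

# Print one status line for a single domain directory.
tb_domain_verdict() {
    dir=$1
    security=unknown
    iommu=unknown
    # "security" holds the Security Level (none, user, secure, dponly, ...).
    [ -r "$dir/security" ] && security=$(cat "$dir/security")
    # "iommu_dma_protection" reads 1 when IOMMU-based DMA protection is on;
    # the file is absent on kernels older than 5.0.
    [ -r "$dir/iommu_dma_protection" ] && iommu=$(cat "$dir/iommu_dma_protection")

    if [ "$iommu" = "1" ]; then
        verdict=kernel-dma-protection
    else
        case "$security" in
            none)                  verdict=no-protection ;;
            # Security Levels alone: the article notes reprogrammed
            # controller firmware can change these port settings.
            user|secure)           verdict=security-level-only ;;
            dponly|usbonly|nopcie) verdict=pcie-tunneling-off ;;
            *)                     verdict=unknown ;;
        esac
    fi
    printf '%s security=%s iommu_dma_protection=%s verdict=%s\n' \
        "$(basename "$dir")" "$security" "$iommu" "$verdict"
}

# Walk every Thunderbolt domain under the given sysfs root (default /sys).
# The root argument is a hypothetical parameter added so the check can be
# pointed at a constructed directory tree.
tb_check() {
    root=${1:-/sys}
    found=0
    for d in "$root"/bus/thunderbolt/devices/domain*; do
        [ -d "$d" ] || continue
        found=1
        tb_domain_verdict "$d"
    done
    [ "$found" -eq 1 ] || echo "no Thunderbolt domains found"
}

tb_check "$@"
```

A `security-level-only` or `no-protection` result means the machine relies on settings stored in the Thunderbolt controller rather than on the IOMMU.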
Intel, Apple, and 11 OEMs/ODMs and the Linux kernel security team have been notified about the issues.
Responding to the vulnerability, Jerry Bryant, Director of Security Communication in the Intel Platform Assurance and Security group, said in a blog post:
In February 2020, researchers from Eindhoven University of Technology reached out to Intel with a report on Thunderbolt™, which they refer to as “Thunderspy”.
In the report, they discussed issues related to invasive physical attacks on Thunderbolt™ hosts and devices. While the underlying vulnerability is not new and was addressed in operating system releases last year, the researchers demonstrated new potential physical attack vectors using a customized peripheral device on systems that did not have these mitigations enabled.
In 2019, major operating systems implemented Kernel Direct Memory Access (DMA) protection to mitigate against attacks such as these. This includes Windows (Windows 10 1803 RS4 and later), Linux (kernel 5.x and later), and MacOS (MacOS 10.12.4 and later). The researchers did not demonstrate successful DMA attacks against systems with these mitigations enabled. Please check with your system manufacturer to determine if your system has these mitigations incorporated. For all systems, we recommend following standard security practices, including the use of only trusted peripherals and preventing unauthorized physical access to computers.
For additional resources, refer to the Microsoft article on Thunderbolt™ Security in Windows 10 and the corresponding article from Intel in 2019.
As part of the Security-First Pledge, Intel will continue to improve the security of Thunderbolt™ technology, and we thank the researchers from Eindhoven University for reporting this to us.