A security researcher at the Eindhoven University of Technology, Bjorn Ruytenberg, has discovered that Thunderbolt-equipped computers contain vulnerabilities that could leave millions of computers exposed to “Thunderspy” attacks. Ruytenberg revealed that he found seven vulnerabilities in Intel’s Thunderbolt port design and created nine attack vectors.
In a blog post, Ruytenberg stated that the Thunderspy flaws affect Windows and Linux devices manufactured before 2019. Attackers who have the right hardware tools and a few minutes with the machine can bypass its defenses and access and copy the data on targeted computers. “All the attacker needs is five minutes alone with the computer, a screwdriver, and some easily portable hardware,” Ruytenberg said.
The seven vulnerabilities are:
- Inadequate firmware verification schemes
- Weak device authentication scheme
- Use of unauthenticated device metadata
- Downgrade attack using backward compatibility
- Use of unauthenticated controller configurations
- SPI Flash interface deficiency
- No Thunderbolt security on Boot Camp
How Is the Attack Performed?
To carry out a Thunderspy attack on a vulnerable computer, an attacker only needs to unscrew the backplate, attach a device momentarily, reprogram the firmware (to control the Thunderbolt port), and reattach the backplate. The reprogrammed firmware then allows the attacker to change Thunderbolt port settings and opens the way for any malicious device to access it. Ruytenberg stated that this method works even when the device is locked with a password, its hard disk data is encrypted, and the Thunderbolt port access is disabled.
In a proof of concept video, Ruytenberg demonstrated that he was able to unscrew the bottom panel of a Thunderbolt-equipped ThinkPad to access its Thunderbolt controller.
“Thunderspy is stealth, meaning that you cannot find any traces of the attack. It does not require your involvement, i.e., there is no phishing link or malicious piece of hardware that the attacker tricks you into using. Thunderspy works even if you follow best security practices by locking or suspending your computer when leaving briefly, and if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption,” Ruytenberg said.
The researcher reported the issue to Intel in a report on Thunderbolt that discusses invasive physical attacks on Thunderbolt hosts and devices. Intel clarified that it has created a Thunderbolt security system known as Kernel Direct Memory Access Protection to prevent Thunderspy attacks. “While the underlying vulnerability is not new and was addressed in operating system releases last year, the researchers demonstrated new potential physical attack vectors using a customized peripheral device on systems that did not have these mitigations enabled,” Intel said in a post.
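
To check whether a Linux machine has the Kernel DMA Protection mitigation described above switched on, the following added example (not from Ruytenberg's or Intel's material) reads the Thunderbolt sysfs attributes for each domain. Because the attack reprograms the controller's port settings, the check treats the IOMMU-backed `iommu_dma_protection` flag, not the reported security level, as the deciding value. It assumes the kernel's thunderbolt driver is loaded and exposes the `security` and `iommu_dma_protection` attributes; the function name is hypothetical.

```shell
#!/bin/sh
# Added example: report the Thunderbolt security level and Kernel DMA
# Protection (IOMMU) state for every Thunderbolt domain on Linux.
# Assumption: the thunderbolt driver exposes the sysfs attributes
# "security" and "iommu_dma_protection" under each domainN directory.

# audit_thunderbolt [SYSFS_ROOT]
# Prints one line per domain. Return codes:
#   0  every domain reports iommu_dma_protection=1
#   1  at least one domain lacks DMA protection
#   2  no Thunderbolt domain found (driver not loaded or no controller)
audit_thunderbolt() {
    root="${1:-/sys/bus/thunderbolt/devices}"
    found=0
    exposed=0
    for dom in "$root"/domain*; do
        [ -d "$dom" ] || continue      # unmatched glob stays literal; skip it
        found=1
        name=$(basename "$dom")
        level=unknown
        dma=unknown
        [ -r "$dom/security" ] && level=$(cat "$dom/security")
        [ -r "$dom/iommu_dma_protection" ] && dma=$(cat "$dom/iommu_dma_protection")
        # A missing or zero flag means PCIe devices behind this domain are
        # not confined by the IOMMU, whatever security level is reported.
        if [ "$dma" = "1" ]; then
            verdict=OK
        else
            verdict=EXPOSED
            exposed=1
        fi
        echo "$name security=$level iommu_dma_protection=$dma $verdict"
    done
    if [ "$found" -ne 1 ]; then
        echo "no Thunderbolt domains found under $root"
        return 2
    fi
    return "$exposed"
}

# On a live system, call the function with no argument: audit_thunderbolt
```

A return code of 1 identifies machines to prioritise for firmware and operating system updates or for tighter physical access controls.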