HomeNews‘Thunderspy’ targets Thunderbolt-enabled PCs manufactured before 2019: Research

‘Thunderspy’ targets Thunderbolt-enabled PCs manufactured before 2019: Research

Ruytenberg has also created a free and open-source tool, Spycheck, to help you determine if your system is vulnerable to Thunderspy.

- Advertisement -

A study by Eindhoven University of Technology researcher Björn Ruytenberg lifted curtains of a new series of attacks that break all primary security claims for Thunderbolt 1, 2, and 3. Known as ‘Thunderspy’, this attack targets devices with a Thunderbolt port. According to Ruytenberg, “If your computer has such a port, an attacker who gets brief physical access to it can read and copy all your data, even if your drive is encrypted and your computer is locked or set to sleep.”

Ruytenberg further added that Thunderspy is stealth that does not require your involvement as there is no phishing link or malicious piece of hardware that the attacker tricks you into using. Rather, it was revealed that Thunderspy works even if you follow best security practices by locking your computer when leaving briefly with enabled full-disk encryption. All the attacker needs is 5 minutes alone with the computer, a screwdriver, and some easily portable hardware.

- Advertisement -

Asserting that all Thunderbolt-equipped systems shipped between years 2011-2020 are vulnerable, Ruytenberg said, “Some systems providing Kernel DMA Protection, shipping since 2019, are partially vulnerable. The Thunderspy vulnerabilities cannot be fixed in software, impact future standards such as USB 4 and Thunderbolt 4, and will require a silicon redesign.”

While conducting the research, Ruytenberg discovered 7 vulnerabilities in Intel’s design that could be exploited by a malicious entity to get access to your system, past the defenses that Intel had set up for your protection. That includes:

- Advertisement -
  1. Inadequate firmware verification schemes
  2. Weak device authentication scheme
  3. Use of unauthenticated device metadata
  4. Downgrade attack using backwards compatibility
  5. Use of unauthenticated controller configurations
  6. SPI flash interface deficiencies
  7. No Thunderbolt security on Boot Camp

These vulnerabilities lead to nine practical exploitation scenarios. The wired reported that Ruytenberg demonstrated the ability to create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices and finally obtain PCIe connectivity to perform DMA attacks in an evil maid threat model and varying Security Levels.

“In addition, we show unauthenticated overriding of Security Level configurations, including the ability to disable Thunderbolt security entirely, and restoring Thunderbolt connectivity if the system is restricted to exclusively passing through USB and/or DisplayPort,” Ruytenberg added.

- Advertisement -

In order to help you determine if your system is vulnerable to Thunderspy, Ruytenberg has also created a free and open-source tool, Spycheck. “If it is found to be vulnerable, Spycheck will guide you to recommendations on how to help protect your system,” the researcher added. Mind you! It was notified that Spycheck supports Windows 7, 8.x and all builds of 10, as well as Linux kernel 3.16 and Python 3.4 and later.

Ruytenberg, in the research, stated that he disclosed vulnerabilities 1-5 to Intel on February 10. On March 10, Intel replied that its “engineering team confirmed the vulnerabilities, and that vulnerabilities 3-5 were new to them. After further research, we disclosed vulnerability 6, which Intel confirmed on March 17.”

However, the Wired reported that when it reached out to Intel, the company responded with a blog post stating that “While the underlying vulnerability is not new, the researchers demonstrated new physical attack vectors using a customized peripheral device. In 2019, major operating systems implemented Kernel Direct Memory Access (DMA) protection to mitigate against attacks such as these. This includes Windows (Windows 10 1803 RS4 and later), Linux (kernel 5.x and later) and MacOS (MacOS 10.12.4 and later). For all systems, we recommend following standard security practices including the use of only trusted peripherals and preventing unauthorized physical access to computers.”

- Advertisement -

Support Us

We are a humble media site trying to survive! As you know we are not placing any article, even the feature stories behind any paywall or subscription model. Help us stay afloat, support with whatever you can!

Support us
- Advertisement -
- Advertisment -
- Advertisement -


Please enter your comment!
Please enter your name here

- Advertisement -
- Advertisement -

Follow Us

- Advertisement -

Must Read

Boult Crown R Pro Review: A perfect blend of style and sportiness

Boult Crown R Pro Review: A perfect blend of style and...

Typically known for its audio products, Boult has enjoyed a good run in the smart wearables segment for some time now. The tech outfit...
- Advertisement -

You cannot copy content of this page