A study by Eindhoven University of Technology researcher Björn Ruytenberg lifted the curtain on a new series of attacks that break all primary security claims for Thunderbolt 1, 2, and 3. Known as ‘Thunderspy’, the attack targets devices with a Thunderbolt port. According to Ruytenberg, “If your computer has such a port, an attacker who gets brief physical access to it can read and copy all your data, even if your drive is encrypted and your computer is locked or set to sleep.”
Ruytenberg further added that Thunderspy is stealthy and does not require your involvement: there is no phishing link or malicious piece of hardware that the attacker tricks you into using. Rather, Thunderspy works even if you follow best security practices, such as locking your computer when leaving briefly and using full-disk encryption. All the attacker needs is 5 minutes alone with the computer, a screwdriver, and some easily portable hardware.
Asserting that all Thunderbolt-equipped systems shipped between 2011 and 2020 are vulnerable, Ruytenberg said, “Some systems providing Kernel DMA Protection, shipping since 2019, are partially vulnerable. The Thunderspy vulnerabilities cannot be fixed in software, impact future standards such as USB 4 and Thunderbolt 4, and will require a silicon redesign.”
While conducting the research, Ruytenberg discovered 7 vulnerabilities in Intel’s design that could be exploited by a malicious entity to gain access to your system, past the defenses Intel had set up for your protection. These are:
- Inadequate firmware verification schemes
- Weak device authentication scheme
- Use of unauthenticated device metadata
- Downgrade attack using backwards compatibility
- Use of unauthenticated controller configurations
- SPI flash interface deficiencies
- No Thunderbolt security on Boot Camp
These vulnerabilities lead to nine practical exploitation scenarios. Wired reported that Ruytenberg demonstrated the ability to create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices, and finally obtain PCIe connectivity to perform DMA attacks in an evil maid threat model and across varying Security Levels.
“In addition, we show unauthenticated overriding of Security Level configurations, including the ability to disable Thunderbolt security entirely, and restoring Thunderbolt connectivity if the system is restricted to exclusively passing through USB and/or DisplayPort,” Ruytenberg added.
To help you determine whether your system is vulnerable to Thunderspy, Ruytenberg has also created a free and open-source tool, Spycheck. “If it is found to be vulnerable, Spycheck will guide you to recommendations on how to help protect your system,” the researcher added. Note that Spycheck supports Windows 7, 8.x and all builds of 10, as well as Linux kernel 3.16 and Python 3.4 and later.
Ruytenberg, in the research, stated that he disclosed vulnerabilities 1-5 to Intel on February 10. On March 10, Intel replied that its “engineering team confirmed the vulnerabilities, and that vulnerabilities 3-5 were new to them. After further research, we disclosed vulnerability 6, which Intel confirmed on March 17.”
However, Wired reported that when it reached out to Intel, the company responded with a blog post stating that “While the underlying vulnerability is not new, the researchers demonstrated new physical attack vectors using a customized peripheral device. In 2019, major operating systems implemented Kernel Direct Memory Access (DMA) protection to mitigate against attacks such as these. This includes Windows (Windows 10 1803 RS4 and later), Linux (kernel 5.x and later) and MacOS (MacOS 10.12.4 and later). For all systems, we recommend following standard security practices including the use of only trusted peripherals and preventing unauthorized physical access to computers.”
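A defender-side check in the spirit of Spycheck's Linux support, added here as an example and not part of Ruytenberg's tool or the article: it reads the Thunderbolt Security Level and the Kernel DMA Protection flag that the Linux thunderbolt driver exposes under /sys/bus/thunderbolt/devices/domain0/ and maps them to the findings above. The sysfs path and attribute names come from the Linux kernel's thunderbolt documentation; the sample values are constructed, and the verdict strings are this example's own wording of what the article reports.

```python
"""Assess the Thunderbolt security state Linux exposes via sysfs (example, not Spycheck)."""
import os

# Security Level names as used by the Linux thunderbolt driver's 'security' attribute.
LEVEL_NOTES = {
    "none":    "every device, including its PCIe tunnel, is authorized automatically",
    "user":    "devices need user authorization, which Thunderspy bypasses by cloning identities",
    "secure":  "like 'user' plus a per-device key challenge; still covered by identity cloning",
    "dponly":  "only DisplayPort is tunneled",
    "usbonly": "only USB and DisplayPort are tunneled",
    "nopcie":  "PCIe tunneling disabled",
}
NO_PCIE_LEVELS = {"dponly", "usbonly", "nopcie"}


def sysfs_reader(root="/sys/bus/thunderbolt/devices/domain0"):
    """Return a callable reading one attribute file under root, or None if it is absent."""
    def read(name):
        try:
            with open(os.path.join(root, name)) as f:
                return f.read().strip()
        except OSError:
            return None
    return read


def assess_thunderbolt(read):
    """Map raw attribute values to findings. `read` is any callable name -> str or None,
    so a constructed dict's .get works for offline use."""
    level = read("security")
    if level is None:
        return {"level": None, "kernel_dma_protection": None,
                "verdict": "no Thunderbolt domain exposed (driver not loaded or no controller)"}
    dma_protected = read("iommu_dma_protection") == "1"
    if dma_protected:
        verdict = ("Kernel DMA Protection active: DMA from unauthorized devices is blocked; "
                   "Thunderspy reports such systems as only partially vulnerable")
    elif level in NO_PCIE_LEVELS:
        verdict = ("PCIe tunneling off, but Thunderspy claims an unauthenticated override of "
                   "the controller configuration can restore it")
    elif level == "none":
        verdict = "no Kernel DMA Protection and Security Level 'none': any device gets PCIe/DMA access"
    else:
        verdict = "no Kernel DMA Protection, authorization-based level: exposed to identity cloning"
    return {"level": level, "kernel_dma_protection": dma_protected,
            "note": LEVEL_NOTES.get(level, "unknown level"), "verdict": verdict}


# Constructed sample (not read from a real machine): level 'user' without Kernel DMA Protection.
CONSTRUCTED_SAMPLE = {"security": "user", "iommu_dma_protection": "0"}

if __name__ == "__main__":
    print(assess_thunderbolt(sysfs_reader()))
```

Run it on a Linux host with the thunderbolt driver loaded to see the live values; the sysfs attributes are readable without root.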