Thunderbolt flaw lets hackers steal your data in ‘five minutes’

A flaw in many PCs with an Intel Thunderbolt port allows attackers with brief physical access to read and copy all the device’s data, a security researcher found.

Thunderbolt offers extremely fast transfer speeds by giving devices direct access to your PC’s memory, which also creates a number of vulnerabilities. Researchers previously thought those weaknesses (dubbed Thunderclap) could be mitigated by disallowing access to untrusted devices, or by disabling Thunderbolt altogether while still allowing DisplayPort and USB-C access.

However, Ruytenberg’s attack method could get around even those settings by changing the firmware that controls the Thunderbolt port, allowing any device to access it. What’s more, the hack leaves no trace, so the user would never know their PC was altered.

The Thunderspy vulnerability can be exploited even if a drive is encrypted or the computer is locked and set to sleep, according to Eindhoven University of Technology researcher Bjorn Ruytenberg. Thunderspy doesn’t require a user to click on a phishing link or get tricked into using a malicious piece of hardware, and doesn’t leave any traces or evidence of the attack behind, Ruytenberg said.

If you intend to use Thunderbolt connectivity, we strongly recommend to: Connect only your own Thunderbolt peripherals; never lend them to anybody; avoid leaving your system unattended while powered on, even when screenlocked; avoid leaving your Thunderbolt peripherals unattended; ensure appropriate physical security when storing your system and any Thunderbolt devices, including Thunderbolt-powered displays; consider using hibernation (Suspend-to-Disk) or powering off the system completely. Specifically, avoid using sleep mode (Suspend-to-RAM).

Ruytenberg said he’s found seven vulnerabilities in Intel’s design and developed nine realistic scenarios of how these flaws could be exploited by a malicious actor to gain access to a user’s system and bypass the defenses Intel had set up to protect users. A free tool called Spycheck was developed by Ruytenberg to determine if a system is vulnerable and provide recommendations on how to protect the system if so.

Intel said major operating systems implemented Kernel Direct Memory Access protection in 2019 to mitigate against attacks such as those described by Ruytenberg. The researchers did not demonstrate successful Direct Memory Access attacks against systems with these mitigations enabled, according to a blog post from Jerry Bryant, director of communications for Intel Product Assurance and Security.

“While the underlying vulnerability is not new and was addressed in operating system releases last year, the researchers demonstrated new potential physical attack vectors using a customized peripheral device on systems that did not have these mitigations enabled,” Bryant said on the blog Sunday. “Please check with your system manufacturer to determine if your system has these mitigations incorporated.” This vulnerability might explain why Microsoft didn’t include Thunderbolt in its Surface laptops.

Apple computers running macOS are unaffected by the vulnerability unless you’re running Boot Camp, according to Ruytenberg.

All Thunderbolt-equipped systems shipped between 2011 and 2020 are vulnerable to Thunderspy, while some systems shipped since 2019 that provide Kernel Direct Memory Access protection are partially vulnerable, Ruytenberg said. The Thunderspy vulnerabilities can’t be fixed in software, impact future standards such as USB 4 and Thunderbolt 4, and will require a silicon redesign, according to Ruytenberg.
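
On Linux, one way to see whether the Kernel DMA protection discussed above is active on each Thunderbolt controller is to read the kernel's Thunderbolt sysfs attributes. This is an added example, not part of the original article and not Ruytenberg's Spycheck tool; it assumes the `security` and `iommu_dma_protection` attributes the Linux Thunderbolt driver exposes, and the function name and verdict labels are made up for this illustration.

```python
"""Report Thunderbolt DMA-protection state per controller on Linux."""
from pathlib import Path

SYSFS_ROOT = "/sys/bus/thunderbolt/devices"  # standard location on Linux


def _read(path):
    """Return the stripped contents of a sysfs attribute, or None if absent."""
    try:
        return path.read_text().strip()
    except OSError:
        return None


def assess_domains(sysfs_root=SYSFS_ROOT):
    """Return one finding (dict) per Thunderbolt domain under sysfs_root."""
    findings = []
    for domain in sorted(Path(sysfs_root).glob("domain*")):
        level = _read(domain / "security")              # e.g. none, user, secure, dponly
        iommu = _read(domain / "iommu_dma_protection")  # "1" when the IOMMU guards DMA
        if iommu == "1":
            # What the article calls Kernel DMA protection ("partially vulnerable").
            verdict = "kernel_dma_protection"
        elif iommu == "0":
            # Only the security level stands between a device and memory; the
            # article says firmware changes can get around those settings.
            verdict = "security_level_only"
        else:
            # Attribute missing or unreadable (older kernel): state is unknown.
            verdict = "unknown"
        findings.append({"domain": domain.name, "security": level,
                         "iommu_dma_protection": iommu, "verdict": verdict})
    return findings


if __name__ == "__main__":
    results = assess_domains()
    if not results:
        print("No Thunderbolt controller visible under", SYSFS_ROOT)
    for f in results:
        print(f"{f['domain']}: security={f['security']} "
              f"iommu_dma_protection={f['iommu_dma_protection']} -> {f['verdict']}")
```

A `security_level_only` or `unknown` result is the case where the article's physical-security recommendations matter most.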