A flaw in many PCs with an Intel Thunderbolt port allows attackers with brief physical access to read and copy all the device’s data, a security researcher found.
The Thunderspy vulnerability can be exploited even if a drive is encrypted or the computer is locked and set to sleep, according to Eindhoven University of Technology researcher Bjorn Ruytenberg. Thunderspy doesn’t require a user to click on a phishing link or get tricked into using a malicious piece of hardware, and doesn’t leave any traces or evidence of the attack behind, Ruytenberg said.
“Thunderspy works even if you follow best security practices by locking or suspending your computer when leaving briefly,” Ruytenberg wrote on a website dedicated to the vulnerability. “All the attacker needs is five minutes alone with the computer, a screwdriver, and some easily portable hardware.”
Ruytenberg said he’s found seven vulnerabilities in Intel’s design and developed nine realistic scenarios in which a malicious actor could exploit these flaws to gain access to a user’s system and bypass the defenses Intel had set up to protect users. Ruytenberg also released a free tool called Spycheck that determines whether a system is vulnerable and, if so, recommends how to protect it.
Intel said major operating systems implemented Kernel Direct Memory Access protection in 2019 to mitigate attacks such as those described by Ruytenberg. The researchers did not demonstrate successful Direct Memory Access attacks against systems with these mitigations enabled, according to a blog post from Jerry Bryant, director of communications for Intel Product Assurance and Security.
“While the underlying vulnerability is not new and was addressed in operating system releases last year, the researchers demonstrated new potential physical attack vectors using a customized peripheral device on systems that did not have these mitigations enabled,” Bryant said on the blog Sunday. “Please check with your system manufacturer to determine if your system has these mitigations incorporated.”
Thunderbolt has been shown to be a viable entry point for Direct Memory Access attacks in which an adversary with brief physical access to the victim system steals data from encrypted drives and reads and writes all of system memory, according to Ruytenberg.
Ruytenberg said his team has demonstrated the ability to create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices, and obtain the connectivity needed to perform Direct Memory Access attacks.
Thunderspy can also override Intel’s Security Level configurations without authentication, which means that Thunderbolt security can be disabled entirely, or Thunderbolt connectivity can be restored on a system that was configured to pass through only USB and/or DisplayPort, he said. Finally, Thunderspy demonstrates the ability to permanently disable Thunderbolt security and block all future firmware updates.
“Thunderspy is a collection of vulnerabilities that breaks all primary Thunderbolt security claims,” Ruytenberg wrote. “Essentially, it thereby allows to spy on the victim’s system, in most cases without the victim noticing.”
Ruytenberg said his team’s research has found the following seven vulnerabilities in Thunderbolt: inadequate firmware verification schemes; weak device authentication schemes; use of unauthenticated device metadata; downgrade attack using backwards compatibility; use of unauthenticated controller configurations; SPI flash interface deficiencies; and a lack of Thunderbolt security on Boot Camp.
All Thunderbolt-equipped systems shipped between 2011 and 2020 are vulnerable to Thunderspy, while some systems shipped since 2019 that provide Kernel Direct Memory Access protection are partially vulnerable, Ruytenberg said. The Thunderspy vulnerabilities can’t be fixed in software, affect future standards such as USB 4 and Thunderbolt 4, and will require a silicon redesign, according to Ruytenberg.
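As an added defender's check that is not from the article or from the Thunderspy project: a POSIX shell script that reads, for each Linux Thunderbolt domain, the Security Level and the Kernel DMA protection flag discussed above and reports whether a hot-plugged device could still obtain unrestricted DMA. The sysfs attribute names `security` and `iommu_dma_protection` are assumed from the mainline Linux thunderbolt driver; this is not Spycheck, which is Ruytenberg's own tool.

```shell
#!/bin/sh
# Added example (not from the article or the Thunderspy project): check the two
# controls the article discusses, Intel Security Levels and Kernel DMA protection,
# as the Linux thunderbolt driver exposes them under /sys/bus/thunderbolt/devices/domain*/ :
#   security              -> none | user | secure | dponly | usbonly | nopcie
#   iommu_dma_protection  -> 1 when the IOMMU isolates hot-plugged Thunderbolt devices
# Attribute names are assumed from the mainline driver.

# Assess one domain directory. Prints a verdict; returns 0 when hot-plugged devices
# cannot get unrestricted DMA, 1 otherwise.
assess_tb_domain() {
  dom="$1"
  sec=$(cat "$dom/security" 2>/dev/null || echo unknown)
  iommu=$(cat "$dom/iommu_dma_protection" 2>/dev/null || echo 0)
  case "$sec" in
    dponly|usbonly|nopcie)
      # PCIe tunneling is off, so no DMA path exists; the article notes the Security
      # Level setting itself can be rewritten by an attacker with the case open.
      echo "$dom: security=$sec: PCIe tunneling disabled (mitigated; SL setting is flash-resident)"
      return 0 ;;
    none|user|secure)
      if [ "$iommu" = "1" ]; then
        echo "$dom: security=$sec with Kernel DMA protection: devices IOMMU-isolated (partially mitigated)"
        return 0
      fi
      # Without the IOMMU, 'user' and 'secure' rest on device identities the article
      # says can be forged or cloned, so they are rated the same as 'none'.
      echo "$dom: security=$sec, no Kernel DMA protection: connected devices get full DMA (vulnerable)"
      return 1 ;;
    *)
      echo "$dom: unreadable security attribute ($sec); cannot assess"
      return 1 ;;
  esac
}

# Walk every Thunderbolt domain on the running host; returns 1 if any is vulnerable.
scan_thunderbolt_domains() {
  found=0; bad=0
  for dom in /sys/bus/thunderbolt/devices/domain*; do
    [ -d "$dom" ] || continue
    found=1
    assess_tb_domain "$dom" || bad=1
  done
  [ "$found" -eq 1 ] || echo "no Thunderbolt domains found (no controller, or thunderbolt driver not loaded)"
  return "$bad"
}

scan_thunderbolt_domains
```

Run it as root or any user able to read sysfs; a non-zero exit means at least one domain still allows full DMA from a connected device.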