Attackers who gain physical access to Windows, Linux, or macOS devices can access and steal data from their hard drives by exploiting 7 vulnerabilities found in Intel’s Thunderbolt hardware interface and collectively known as Thunderspy.
Thunderbolt is a hardware interface designed by Intel and Apple in collaboration to help connect external peripherals that need high-speed connections (RAID arrays, network interfaces, video capture devices, and others) to a computer.
The new attack, discovered by researcher Björn Ruytenberg, is designed to break Thunderbolt’s security, making it possible for attackers to steal information from any vulnerable Thunderbolt-enabled device.
Systems shipped before 2019 are vulnerable
While Intel says that Windows, Linux, and macOS implemented Kernel Direct Memory Access (DMA) protection as mitigation for such attacks, this doesn’t mitigate all possible attack scenarios and it is only available on compatible systems shipped from 2019 and later.
“Hence, all systems released before 2019, and more recent systems that do not ship Kernel DMA Protection, will remain fully vulnerable to Thunderspy forever,” the researcher explains.
For Linux and Windows users, all systems purchased before 2019 are vulnerable to Thunderspy attacks according to Ruytenberg, while devices bought during and after 2019 might come with support for Kernel DMA Protection which protects against drive-by Direct Memory Access attacks.
Similarly, Macs from 2011 and older, except for Retina MacBooks, are all impacted by Thunderspy as they all provide users with Thunderbolt connectivity.
A demo of a Thunderspy proof-of-concept shows how to unlock a Windows PC in 5 minutes.
Breaks Thunderbolt security
“Thunderspy is stealth, meaning that you cannot find any traces of the attack. It does not require your involvement, i.e., there is no phishing link or malicious piece of hardware that the attacker tricks you into using,” Ruytenberg says.
“Thunderspy works even if you follow best security practices by locking or suspending your computer when leaving briefly, and if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption.
“All the attacker needs is 5 minutes alone with the computer, a screwdriver, and some easily portable hardware.”
In all, Ruytenberg says that he “found 7 vulnerabilities in Intel’s design and developed 9 realistic scenarios how these could be exploited by a malicious entity to get access to your system, past the defenses that Intel had set up for your protection.”
So far, these 7 security issues have been found to impact Thunderbolt 1 and 2 (over Mini DisplayPort) and Thunderbolt 3 (over USB-C).
Mitigation requires a silicon redesign
Intel confirmed that the vulnerabilities are valid but will not issue a patch for devices already sold and known to be vulnerable, because mitigating the Thunderspy vulnerabilities would require a silicon redesign.
Intel said that they will incorporate additional hardware protections for future systems that come with support for the Thunderbolt technology.
As Intel told the researcher after examining the reported vulnerabilities:
Until Intel implements Thunderspy hardware protections, you can follow these recommendations to protect your data or disable the Thunderbolt controller in UEFI (BIOS).
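One way to check the Kernel DMA Protection status discussed above on a Linux machine, as an added example that is not part of the original article or the researcher's tooling: it reads the Linux thunderbolt driver's sysfs attributes security and iommu_dma_protection for each Thunderbolt domain. The function names, the --live switch, and the verdict labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit Linux Thunderbolt domains for Kernel DMA Protection.
# Uses the thunderbolt driver's sysfs attributes `security` and
# `iommu_dma_protection`. The root directory is a parameter so the check
# can also be exercised against a constructed directory tree.

# classify_domain DIR
# Prints: "<domain> security=<level> dma=<0|1|unknown> <verdict>"
classify_domain() {
    dir=$1
    name=$(basename "$dir")
    level=unknown
    dma=unknown
    [ -r "$dir/security" ] && level=$(cat "$dir/security")
    [ -r "$dir/iommu_dma_protection" ] && dma=$(cat "$dir/iommu_dma_protection")
    case $dma in
        # Present and enabled: a partial mitigation only, per the article.
        1) verdict=KERNEL_DMA_PROTECTION ;;
        # Reported as 0, or attribute missing (older kernel or platform).
        *) verdict=NO_KERNEL_DMA_PROTECTION ;;
    esac
    echo "$name security=$level dma=$dma $verdict"
}

# audit_thunderbolt [ROOT]
# Prints one line per domain. Return status:
#   0 = every domain reports Kernel DMA Protection
#   1 = at least one domain lacks it
#   2 = no Thunderbolt domain visible (no controller, controller disabled
#       in UEFI, or driver not loaded)
audit_thunderbolt() {
    root=${1:-/sys/bus/thunderbolt/devices}
    found=0
    status=0
    for dir in "$root"/domain*; do
        [ -d "$dir" ] || continue
        found=1
        line=$(classify_domain "$dir")   # runs in a subshell, so its variables stay local
        echo "$line"
        case $line in
            *" NO_KERNEL_DMA_PROTECTION") status=1 ;;
        esac
    done
    [ "$found" -eq 1 ] || return 2
    return $status
}

# Audit the running system only when asked to.
if [ "${1:-}" = "--live" ]; then audit_thunderbolt; fi
```

Run the script with --live to audit the running system; a domain that reports Kernel DMA Protection is still only partially mitigated, as noted above.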
Last year, a team of researchers disclosed another set of security vulnerabilities — dubbed Thunderclap — requiring physical access and affecting modern Thunderbolt-enabled computers that run Windows, macOS, Linux, or FreeBSD.
The Thunderclap flaws can be exploited to run arbitrary code using the highest possible privilege level on the system to access or steal “passwords, banking logins, encryption keys, private files, browsing,” as well as other sensitive data present on the vulnerable machine.