Now security researcher Björn Ruytenberg has demonstrated an undetectable and rapid hardware attack which easily bypasses Intel’s Thunderbolt security features and which allows an attacker to copy a memory from a locked and encrypted PC or easily bypass the lock screen.
He demonstrated a tool called Thunderspy which takes advantage of the following vulnerabilities:
- Inadequate firmware verification schemes
- A weak device authentication scheme
- Use of unauthenticated device metadata
- Downgrade attack using backwards compatibility
- Use of unauthenticated controller configurations
- SPI flash interface deficiencies
- No Thunderbolt security on Boot Camp
"These vulnerabilities lead to nine practical exploitation scenarios. In an evil maid threat model and varying Security Levels, we demonstrate the ability to create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices, and finally obtain PCIe connectivity to perform DMA attacks. In addition, we show unauthenticated overriding of Security Level configurations, including the ability to disable Thunderbolt security entirely, and restoring Thunderbolt connectivity if the system is restricted to exclusively passing through USB and/or DisplayPort."
We conclude with demonstrating the ability to permanently disable Thunderbolt security and block all future firmware updates- he added.Ruytenberg notes that all Thunderbolt-equipped systems shipped between 2011-2020 are vulnerable. Some systems providing Kernel DMA Protection, shipping since 2019, are partially vulnerable.
The Thunderspy vulnerabilities cannot be fixed in software and will impact future standards such as USB 4 and Thunderbolt 4, and will ultimately require a silicon redesign.
On newer PCs (2019 onwards) Intel’s Kernel DMA Protection offers some protection, but interestingly when Apple MacOS laptops boot into Bootcamp all Thunderbolt security is disabled.Ruytenberg has developed a free and open-source tool, Spycheck, to determine if your the system is vulnerable. If it is found to be vulnerable, Spycheck will guide you to recommendations on how to help protect your system. Spycheck is available for both Windows and Linux systems and you can also get the source on GitHub.
Furthermore, if you are having the vulnerable system, Ruytenberg guides the following actions to be taken -
- Connect only your own Thunderbolt peripherals. Never lend them to anybody.
- Avoid leaving your system unattended while powered on, even when screenlocked.
- Avoid leaving your Thunderbolt peripherals unattended.
- Ensure appropriate physical security when storing your system and any Thunderbolt devices, including Thunderbolt-powered displays.
- Consider using hibernation (Suspend-to-Disk) or powering off the system completely. Specifically, avoid using sleep mode (Suspend-to-RAM).