A threat actor with just five minutes of direct access to a computer’s Thunderbolt port can steal encrypted data and clean out the device’s system memory due to seven specific security lapses in the Intel-developed port.
The vulnerabilities, collectively named Thunderspy, were disclosed by Björn Ruytenberg, a graduate student at the Eindhoven University of Technology in the Netherlands. He reported that an attacker needs physical access to the device to carry out the attack, but that about five minutes is enough to accomplish it.
Thunderspy is particularly dangerous because it bypasses most of a Thunderbolt port’s security measures and because an attack leaves no trace behind. All three versions of Thunderbolt are affected by the Thunderspy vulnerabilities; only systems shipping with Kernel DMA Protection mitigate some, but not all, of them. However, only systems that began shipping in 2019 or later come with Kernel DMA Protection.
“It does not require your involvement, i.e., there is no phishing link or malicious piece of hardware that the attacker tricks you into using. Thunderspy works even if you follow best security practices by locking or suspending your computer when leaving briefly, and if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption,” he wrote.
Ruytenberg has developed an online tool one can use to determine if a system is vulnerable.
To complete the attack, an attacker does need a brief period alone with the computer, a screwdriver and some additional portable equipment.
Once in place, Thunderspy allows an attacker to create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices, and permanently disable the port’s security and firmware updates. The port is a particularly dangerous point of entry because it provides Direct Memory Access (DMA)-enabled I/O. While Intel does have a security architecture designed to protect the port, Ruytenberg found seven issues:
- Inadequate firmware verification schemes
- Weak device authentication scheme
- Use of unauthenticated device metadata
- Downgrade attack using backwards compatibility
- Use of unauthenticated controller configurations
- SPI flash interface deficiencies
- No Thunderbolt security on Boot Camp
The issues lead to nine different exploitation scenarios that in turn would allow an attacker to “create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices, obtain PCIe connectivity to perform DMA attacks, allow for unauthenticated overriding of Security Level configurations, including the ability to disable Thunderbolt security entirely, and restoring Thunderbolt connectivity if the system is restricted to exclusively passing through USB and/or DisplayPort. The final flaw is the ability to permanently disable Thunderbolt security and block all future firmware updates.”
Because exploitation requires physical access to the target, the best defense is to keep close physical control over any vulnerable device or, if the port is not being used, to disable it.
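A defender-side check that follows from this advice, written as an added example (not code from the article or from Ruytenberg’s online tool): it reads the Linux thunderbolt driver’s sysfs attributes, which are assumed here and not described in the article, and flags any controller that lacks Kernel DMA Protection; the sample domain directories it builds for the demo are constructed.

```python
"""Check Linux Thunderbolt domains for Kernel DMA Protection (added example, not from the article).
Assumed sysfs layout (Linux thunderbolt driver): /sys/bus/thunderbolt/devices/domainN/security
holds none|user|secure|dponly|usbonly and domainN/iommu_dma_protection holds 0|1."""
import tempfile
from pathlib import Path

SYSFS_ROOT = Path("/sys/bus/thunderbolt/devices")

def read_attr(domain_dir, name):
    """Read one sysfs attribute, or return None when the kernel does not expose it."""
    path = Path(domain_dir) / name
    return path.read_text().strip() if path.is_file() else None

def assess_domain(domain_dir):
    """Classify one domainN directory. Kernel DMA Protection is the only measure the
    article credits with (partially) mitigating Thunderspy; any Security Level without
    it counts as exposed, since the flaws allow SL overrides and restored PCIe access."""
    level = read_attr(domain_dir, "security") or "unknown"
    iommu = read_attr(domain_dir, "iommu_dma_protection") == "1"
    return {"domain": Path(domain_dir).name, "security": level,
            "kernel_dma_protection": iommu,
            "status": "partially-mitigated" if iommu else "exposed"}

def assess_system(root=SYSFS_ROOT):
    """Assess every domainN under root; an empty list means no Thunderbolt controller."""
    root = Path(root)
    if not root.is_dir():
        return []
    return [assess_domain(d) for d in sorted(root.glob("domain*")) if d.is_dir()]

def write_sample_domain(root, name, security, iommu):
    """Create a constructed, sysfs-like domain directory for offline demonstration."""
    d = Path(root) / name
    d.mkdir(parents=True, exist_ok=True)
    (d / "security").write_text(security + "\n")
    (d / "iommu_dma_protection").write_text(iommu + "\n")

def demo():
    """Constructed sample: an SL1 host without IOMMU protection and one with it enabled."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_domain(tmp, "domain0", "user", "0")
        write_sample_domain(tmp, "domain1", "secure", "1")
        return assess_system(tmp)

if __name__ == "__main__":
    # Falls back to the constructed sample when this host has no Thunderbolt controller.
    for entry in assess_system() or demo():
        print(entry)
```

On a real host the script reports one entry per Thunderbolt controller; a "status" of "exposed" indicates a machine for which the article’s advice (physical control, or disabling the unused port) is the only available mitigation.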
Intel was informed of the vulnerabilities on February 10, Ruytenberg said, and one month later confirmed the problems, stating that issues three, four and five were previously unknown.
At this time, it is not known if the recently announced Thunderbolt 4 port is affected by Thunderspy.