Back in February, a series of Thunderbolt security flaws were discovered and reported by Björn Ruytenberg, an MSc student in Computer Science and Engineering who specializes in Information Security. Ruytenberg published a Thunderbolt vulnerability report and named the hacking technique Thunderspy. Thunderspy is a collection of vulnerabilities that breaks all primary Thunderbolt security claims. Essentially, these flaws allow spying on systems, in most cases without the user noticing.
According to the research, Thunderbolt’s vulnerabilities could allow a hacker to break into a computer and access its data in a matter of minutes. Thunderspy targets devices with a Thunderbolt port and affects any PC manufactured before 2019 (millions of PCs). If a computer has such a port, an attacker who gets brief physical access to it can read and copy all of the computer’s data, even if the drive is encrypted and the computer is locked or set to sleep, said the researcher.
Thunderbolt is a proprietary I/O protocol developed by Intel (in collaboration with Apple) that allows the connection of external peripherals to a computer, and that enables fast data transfers. The protocol is included in several laptops, desktops, and other systems.
Ruytenberg explains that as Thunderbolt is an external interconnect, it allows exposing the system’s internal PCI Express (PCIe) domain to external devices. “This enables high-bandwidth, low-latency use cases, such as external graphics cards. Being PCIe-based, Thunderbolt devices possess Direct Memory Access-enabled I/O, allowing complete access to the state of a PC and the ability to read and write all of system memory”. That capability has prompted research into attacks collectively known as “evil maid.” An evil maid attack is an attack on an unattended device, in which an attacker with physical access alters it in some undetectable way so that they can later access the device or the data on it.
“Thunderspy is stealth, meaning that you cannot find any traces of the attack. It does not require your involvement,” Ruytenberg said. “Thunderspy works even if you follow the best security practices by locking or suspending your computer when leaving briefly. And if your system administrator has set up the device with Secure Boot, strong BIOS, and operating system account passwords, and enabled full disk encryption.” This vulnerability means that an attacker only needs a couple of minutes alone with the computer to gain access and compromise the data.
In the study, researchers have found and experimentally confirmed multiple vulnerabilities related to Thunderbolt protocol security. The researchers disclosed the following vulnerabilities:
In a video uploaded to YouTube (Thunderspy PoC demo 1: Unlocking Windows PC in 5 minutes), the researchers demonstrate an attack exploiting Thunderspy vulnerability variant 5: Use of unauthenticated controller configurations.
https://www.youtube.com/watch?v=7uvSZA1F9os&feature=emb_logo
Intel has confirmed the following vulnerabilities:
The researchers stated that, despite their repeated efforts, the rationale behind Intel’s decision not to mitigate the Thunderspy vulnerabilities on in-market systems remains unknown. “Given the nature of Thunderspy, however, we believe it would be reasonable to assume these cannot be fixed and require a silicon redesign. Indeed, for future systems implementing Thunderbolt technology, Intel has stated they will incorporate additional hardware protections.”
The problem with this is that Kernel DMA Protection is only available on a limited number of modern systems. The situation is even worse for all systems released before 2019 and for modern systems that do not ship Kernel DMA Protection: those will remain fully vulnerable to Thunderspy forever.
So, all Thunderbolt-equipped systems shipped between 2011 and 2020 are vulnerable, and some systems providing Kernel DMA Protection, shipping since 2019, are partially vulnerable. The Thunderspy vulnerabilities cannot be fixed in software and require a silicon redesign; they will therefore also impact future standards such as USB 4 and Thunderbolt 4.
Not all systems are affected; systems exclusively providing USB-C ports, for example, are not. USB-C ports are identified by a USB symbol, rather than a lightning symbol, so users should check whether their system provides Thunderbolt or only USB-C ports. For the list of vulnerable devices and systems and Ruytenberg’s recommendations, check the official Thunderspy website.
As a workaround, users are strongly encouraged to determine whether they are affected using Spycheck, a free and open-source tool developed by the Thunderspy researchers that verifies whether a system is vulnerable to Thunderspy. If a system is found to be vulnerable, Spycheck guides users to recommendations on how to help protect it.
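The two facts the article says decide a machine’s exposure are whether Kernel DMA Protection is active and which Thunderbolt security level the firmware enforces. The script below is an added example (not part of the article and not Spycheck) that reads both from the Linux Thunderbolt sysfs interface; it assumes a domain directory such as /sys/bus/thunderbolt/devices/domain0 exposing the `security` and `iommu_dma_protection` attributes documented in the kernel’s sysfs-bus-thunderbolt ABI.

```shell
#!/bin/sh
# Added example, not from the article or the Thunderspy project.
# Assumption: Linux exposes one directory per Thunderbolt domain under
# /sys/bus/thunderbolt/devices/domainN with the files "security" (level
# name) and "iommu_dma_protection" (1 when Kernel DMA Protection is active).

# Report one domain directory. Exit status: 0 = Kernel DMA Protection active
# (partially vulnerable per the article), 1 = no DMA protection (fully
# vulnerable regardless of security level), 2 = attributes not present.
tb_domain_status() {
    dom="$1"
    if [ ! -r "$dom/security" ]; then
        echo "$dom: no Thunderbolt security attribute found"
        return 2
    fi
    level=$(cat "$dom/security")
    dma=0   # older kernels/firmware omit the file: treat as not protected
    if [ -r "$dom/iommu_dma_protection" ]; then
        dma=$(cat "$dom/iommu_dma_protection")
    fi
    case "$level" in
        none)    desc="SL0 (none): any connected device gets PCIe access" ;;
        user)    desc="SL1 (user): devices need user approval" ;;
        secure)  desc="SL2 (secure): user approval plus device key challenge" ;;
        dponly)  desc="SL3 (dponly): DisplayPort tunnelling only, no PCIe" ;;
        usbonly) desc="usbonly: USB/DisplayPort tunnelling only, no PCIe" ;;
        *)       desc="unknown security level '$level'" ;;
    esac
    echo "$dom: $desc"
    if [ "$dma" = "1" ]; then
        echo "$dom: Kernel DMA Protection active (IOMMU); exposure limited"
        return 0
    fi
    echo "$dom: no Kernel DMA Protection; security level alone does not stop Thunderspy"
    return 1
}

# Check every Thunderbolt domain on the running system.
# Returns 0 only if all domains have Kernel DMA Protection, 2 if none exist.
check_all_tb_domains() {
    rc=0
    for d in /sys/bus/thunderbolt/devices/domain*; do
        if [ ! -d "$d" ]; then echo "no Thunderbolt domains found"; return 2; fi
        tb_domain_status "$d" || rc=1
    done
    return $rc
}

if [ "${1:-}" = "--run" ]; then check_all_tb_domains; fi
```

Run it as `sh thunderbolt-check.sh --run` on the machine to be assessed; a system with no Thunderbolt domain at all (USB-C only) reports none found.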
Reference:
https://thunderspy.io/assets/reports/breaking-thunderbolt-security-bjorn-ruytenberg-20200417.pd