Heads Up! Thunderbolt Flaws Revealed: Thunderspy

by Juan Mulford

Back in February, a series of Thunderbolt security flaws was discovered and reported by Björn Ruytenberg, an MSc student in Computer Science and Engineering who specializes in Information Security. Ruytenberg published a Thunderbolt vulnerability report and named the hacking technique Thunderspy. Thunderspy is a collection of vulnerabilities that breaks all primary Thunderbolt security claims. Essentially, Thunderbolt allows spying on systems, in most cases without the user noticing.

According to the research, Thunderbolt’s vulnerabilities could allow a hacker to break into a computer and access its data in a matter of minutes. Thunderspy targets devices with a Thunderbolt port and affects any PC manufactured before 2019 (millions of PCs). If a computer has such a port, an attacker who gets brief physical access to it can read and copy all of the computer’s data, even if the drive is encrypted and the computer is locked or set to sleep, said the researcher.

Thunderbolt is a proprietary I/O protocol developed by Intel (in collaboration with Apple) that allows the connection of external peripherals to a computer, and that enables fast data transfers. The protocol is included in several laptops, desktops, and other systems.

Ruytenberg explains that as Thunderbolt is an external interconnect, it allows exposing the system’s internal PCI Express (PCIe) domain to external devices. “This enables high-bandwidth, low-latency use cases, such as external graphics cards. Being PCIe-based, Thunderbolt devices possess Direct Memory Access-enabled I/O, allowing complete access to the state of a PC and the ability to read and write all of system memory”. That capability has prompted research into attacks collectively known as “evil maid.” An evil maid attack is an attack on an unattended device, in which an attacker with physical access alters it in some undetectable way so that they can later access the device or the data on it.

“Thunderspy is stealth, meaning that you cannot find any traces of the attack. It does not require your involvement.” Ruytenberg said. “Thunderspy works even if you follow the best security practices by locking or suspending your computer when leaving briefly. And if your system administrator has set up the device with Secure Boot, strong BIOS, and operating system account passwords, and enabled full disk encryption.” This vulnerability means that an attacker only needs a couple of minutes alone with the computer to gain access and compromise the data.

In the study, researchers have found and experimentally confirmed multiple vulnerabilities related to Thunderbolt protocol security. The researchers disclosed the following vulnerabilities:

  1. Inadequate firmware verification schemes.
  2. Weak device authentication scheme.
  3. Use of unauthenticated device metadata.
  4. Backward compatibility.
  5. Use of unauthenticated controller configurations.
  6. SPI flash interface deficiencies.
  7. No Thunderbolt security on Boot Camp.

In a video uploaded to YouTube (Thunderspy PoC demo 1: Unlocking Windows PC in 5 minutes), the researchers demonstrate an attack exploiting Thunderspy vulnerability variant 5: Use of unauthenticated controller configurations.

https://www.youtube.com/watch?v=7uvSZA1F9os&feature=emb_logo

Intel has confirmed the following vulnerabilities:

  • All three versions of Thunderbolt are affected by Thunderspy vulnerabilities.
  • Only systems shipping Kernel DMA Protection mitigate some, not all, of the Thunderspy vulnerabilities.
  • Only systems that began shipping since 2019 come with Kernel DMA Protection.
  • Beyond Kernel DMA Protection, Intel will not provide any mitigations to address the Thunderspy vulnerabilities. Hence, Intel will not assign any CVEs to the Thunderspy vulnerabilities, or release any public security advisories to inform the general public.

The researchers stated that despite their repeated efforts, the rationale for Intel’s decision not to mitigate the Thunderspy vulnerabilities on in-market systems remains unknown. “Given the nature of Thunderspy, however, we believe it would be reasonable to assume these cannot be fixed and require a silicon redesign. Indeed, for future systems implementing Thunderbolt technology, Intel has stated they will incorporate additional hardware protections.”

The problem with this is that Kernel DMA Protection is only available on a limited number of modern systems. The problem is even worse for all systems released before 2019 and for modern systems that do not ship Kernel DMA Protection. Those will remain fully vulnerable to Thunderspy forever.

Vulnerable systems

So, all Thunderbolt-equipped systems shipped between 2011 and 2020 are vulnerable, and some systems providing Kernel DMA Protection, shipping since 2019, are partially vulnerable. The Thunderspy vulnerabilities cannot be fixed in software; therefore, they will impact future standards such as USB 4 and Thunderbolt 4. They require a silicon redesign.

Not all systems are affected; for example, systems that exclusively provide USB-C ports are not. These ports are identified by a USB symbol rather than a lightning symbol. Hence, users should refer to the list of affected systems to verify whether their system provides Thunderbolt or USB-C ports. For the list of vulnerable devices and systems and Ruytenberg’s recommendations, check the official Thunderspy website.

As a workaround, users are strongly encouraged to determine whether they are affected using Spycheck, a free and open-source tool developed by this initiative that verifies whether systems are vulnerable to Thunderspy. If a system is found to be vulnerable, Spycheck will guide users to recommendations on how to help protect their system.
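For Linux hosts, the following added example (not part of Spycheck or of the original article) reads the kernel's Thunderbolt sysfs attributes `security` and `iommu_dma_protection` and sorts the machine into the categories described above: no Kernel DMA Protection means fully vulnerable, Kernel DMA Protection means partially vulnerable. The function names, status labels and the sample-tree helper are assumptions made for illustration; a result of "no-thunderbolt-domain" only means the kernel currently exposes no controller, since on some systems the controller is powered down until a device is attached.

```python
import os


def read_attr(path):
    """Return a sysfs attribute's stripped contents, or None if unreadable."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None


def thunderbolt_exposure(sysfs_root="/sys/bus/thunderbolt/devices"):
    """Classify the host using the article's categories, per Thunderbolt domain."""
    domains = {}
    if os.path.isdir(sysfs_root):
        for name in sorted(os.listdir(sysfs_root)):
            if not name.startswith("domain"):
                continue  # skip attached devices such as "0-0" or "0-1"
            base = os.path.join(sysfs_root, name)
            domains[name] = {
                "security_level": read_attr(os.path.join(base, "security")),
                # "1" = firmware opted in to IOMMU-based Kernel DMA Protection.
                # A missing attribute (older kernel) counts as unprotected.
                "kernel_dma_protection":
                    read_attr(os.path.join(base, "iommu_dma_protection")) == "1",
            }
    if not domains:
        status = "no-thunderbolt-domain"
    elif all(d["kernel_dma_protection"] for d in domains.values()):
        status = "partially-vulnerable"   # mitigates some, not all, variants
    else:
        status = "fully-vulnerable"       # no Kernel DMA Protection
    return {"status": status, "domains": domains}


def make_sample_domain(root, name, security, dma=None):
    """Build a constructed sysfs-like domain directory for offline testing."""
    base = os.path.join(root, name)
    os.makedirs(base)
    with open(os.path.join(base, "security"), "w") as fh:
        fh.write(security + "\n")
    if dma is not None:
        with open(os.path.join(base, "iommu_dma_protection"), "w") as fh:
            fh.write(dma + "\n")


if __name__ == "__main__":
    print(thunderbolt_exposure())
```
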

Reference:

https://thunderspy.io/

https://thunderspy.io/assets/reports/breaking-thunderbolt-security-bjorn-ruytenberg-20200417.pd
