Björn Ruytenberg, a researcher of Eindhoven University of Technology, published a research about a new vulnerability in Thunderbolt ports.



The new attack, named "Thunderspy" [1], is designed to break Thunderbolt's security, making it possible for attackers to steal information from any vulnerable Thunderbolt-enabled device:

Thunderspy is stealth, meaning that you cannot find any traces of the attack. It does not require your involvement, i.e., there is no phishing link or malicious piece of hardware that the attacker tricks you into using. Thunderspy works even if you follow best security practices by locking or suspending your computer when leaving briefly, and if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption. All the attacker needs is 5 minutes alone with the computer, a screwdriver, and some easily portable hardware.

We have found 7 vulnerabilities in Intel’s design and developed 9 realistic scenarios how these could be exploited by a malicious entity to get access to your system, past the defenses that Intel had set up for your protection.

We have developed a free and open-source tool, Spycheck, to determine if your system is vulnerable. If it is found to be vulnerable, Spycheck will guide you to recommendations on how to help protect your system.

Below, a briefvideo PoC:

https://www.youtube.com/watch?v=oEfzp4lHpB0


Which systems are vulnerable?

Being PCIe-based, Thunderbolt devices possess Direct Memory Access (DMA)-enabled I/O. In an evil maid DMA attack, where adversaries obtain brief physical access to the victim system, Thunderbolt has been shown to be a viable entry point in stealing data from encrypted drives and reading and writing all of system memory. In response, Intel introduced Security Levels, a security architecture designed to enable users to authorize trusted Thunderbolt devices only. To further strengthen device authentication, the system is said to provide “cryptographic authentication of connections” to prevent devices from spoofing user-authorized devices.

So, for Linux and Windows users, all systems purchased before 2019 are vulnerable, while devices bought during and after 2019 might come with support for Kernel DMA Protection which protects against drive-by Direct Memory Access attacks.

Similarly, Macs from 2011 and older, except for Retina MacBooks, are all impacted by Thunderspy as they all provide users with Thunderbolt connectivity.


Is there a patch?

Intel confirmed [2] that the vulnerabilities are valid but will not mitigate the Thunderspy vulnerabilities by issuing a patch to already sold and known to be vulnerable devices as they would require an hardware redesign, and said that they will incorporate additional hardware protections for future systems that come with support for the Thunderbolt technology.

So, you can disable the Thunderbolt controller in UEFI/BIOS or follow these recommendations to protect your data

If you intend to use Thunderbolt connectivity, we strongly recommend to:

- Connect only your own Thunderbolt peripherals. Never lend them to anybody.
- Avoid leaving your system unattended while powered on, even when screenlocked.
- Avoid leaving your Thunderbolt peripherals unattended.
- Ensure appropriate physical security when storing your system and any Thunderbolt devices, including Thunderbolt-powered displays.
- Consider using hibernation (Suspend-to-Disk) or powering off the system completely. Specifically, avoid using sleep mode (Suspend-to-RAM).


References

  1. Thunderspy - When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security
  2. More Information on Thunderbolt(TM) Security - Technology@Intel