New Thunderbolt flaw lets hackers bypass security features in five minutes

midian182

In brief: If your laptop somehow makes its way into hackers’ hands, will the login screen and hard disk encryption keep its contents safe? You might imagine so, but if it’s got a Thunderbolt port, you could be in trouble.

Boasting 40Gbps transfer speeds, as well as the ability to power devices and connect to 4K peripherals, Intel’s Thunderbolt interface works by offering more direct access to a computer’s memory compared to other ports.

One drawback with Thunderbolt 3 is its security issues; Microsoft says you won’t find the port on Surface devices because it’s insecure.

Last year it was revealed that a series of security flaws named Thunderclap allowed a hacker with a malicious USB drive to exploit Thunderbolt's direct memory access, bypassing all of a computer’s security measures.

It’s possible to protect against Thunderclap by disallowing access to untrusted devices or turning off Thunderbolt altogether, but a new attack can circumvent even those measures.

As reported by Wired, Eindhoven University of Technology researcher Björn Ruytenberg has revealed a new attack he’s named Thunderspy, which can bypass the login screen of sleeping or locked Thunderbolt-enabled computers. It works on both Windows and Linux PCs manufactured before 2019 and can even bypass hard disk encryption.

The technique, which takes less than five minutes, relies on an attacker having alone time with a device, which is known as an “evil maid attack.”

"All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate, and the evil maid gets full access to the laptop," says Ruytenberg.

To prevent the previous Thunderclap attack, Intel created Kernel Direct Memory Access Protection, which also prevents Thunderspy. But there’s no Kernel DMA Protection on computers manufactured before 2019, and its implementation is spotty on devices made from 2019 or later. Only a few HP and Lenovo models from 2019 or later use it, and researchers couldn’t find Kernel DMA Protection on any Dell machines (Update: Dell says its Client, Consumer, and Commercial platforms that shipped starting in 2019 have Kernel DMA Protection when SecureBoot is enabled). It should be noted that Apple’s MacOS computers are unaffected.

You can see the attack, which involves opening up a laptop, performed in the video above. The SPI programmer device rewrites the Thunderbolt controller’s firmware, turning off its security settings.

"I analyzed the firmware and found that it contains the security state of the controller," Ruytenberg says. "And so I developed methods to change that security state to 'none.' So basically disabling all security."

The method uses around $400 worth of equipment, and also requires an SPI programmer device and a $200 peripheral for carrying out the direct memory access attack. Ruytenberg believes the entire setup could be built into a single device for around $10,000. "Three-letter agencies would have no problem miniaturizing this," he said.

After being informed of the attack, Intel noted that Kernel DMA Protection prevents it. The company also recommended “the use of only trusted peripherals and preventing unauthorized physical access to computers.”

The best preventative measure, of course, is to ensure hackers don't end up with physical access to your computer.

You can check if your machine is vulnerable to Thunderspy using this free tool created by Ruytenberg.
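As an added example (not code from the article or from Ruytenberg's tool): on Linux the kernel exposes in sysfs both pieces of state the article discusses, the Thunderbolt controller's security level and whether IOMMU-based Kernel DMA Protection is active. This POSIX shell script reads them and reports whether the protection Intel cites is actually in force; it assumes the sysfs layout from the kernel's Thunderbolt admin guide and accepts an alternative base directory so it can be run against a constructed tree.

```shell
#!/bin/sh
# Added example. Assumed sysfs layout (Documentation/admin-guide/thunderbolt.rst):
#   /sys/bus/thunderbolt/devices/domainN/security
#   /sys/bus/thunderbolt/devices/domainN/iommu_dma_protection
# Only iommu_dma_protection=1 means DMA from Thunderbolt devices is restricted by
# the IOMMU. The security level lives in controller firmware, which is what a
# Thunderspy-style SPI rewrite changes, so it is reported but never counted as
# protection on its own.

# Print a sysfs attribute, or "absent" when the file is missing or unreadable.
tb_attr() {
    if [ -r "$1" ]; then cat "$1"; else echo absent; fi
}

# Classify one domainN directory. Prints a single line:
#   domainN security=<level> iommu_dma_protection=<0|1|absent> verdict=<word>
tb_domain_verdict() {
    dir=$1
    level=$(tb_attr "$dir/security")
    iommu=$(tb_attr "$dir/iommu_dma_protection")
    if [ "$iommu" = 1 ]; then
        verdict=protected          # Kernel DMA Protection active
    else
        case $level in
            none)   verdict=exposed ;;        # any device gets PCIe/DMA, no approval
            user|secure|dponly|usbonly|nopcie)
                    verdict=firmware-only ;;  # enforced by controller firmware only
            absent) verdict=not-a-domain ;;
            *)      verdict=unknown ;;
        esac
    fi
    printf '%s security=%s iommu_dma_protection=%s verdict=%s\n' \
        "$(basename "$dir")" "$level" "$iommu" "$verdict"
}

# Scan every Thunderbolt domain under BASE (default: the live sysfs path).
# Returns 0 only if every domain found reports Kernel DMA Protection.
tb_scan() {
    base=${1:-/sys/bus/thunderbolt/devices}
    found=0; bad=0
    for d in "$base"/domain*; do
        [ -d "$d" ] || continue
        found=1
        line=$(tb_domain_verdict "$d")
        echo "$line"
        case $line in *verdict=protected) ;; *) bad=1 ;; esac
    done
    [ "$found" = 1 ] || echo "no Thunderbolt domains under $base (no Thunderbolt, or driver not loaded)"
    return $bad
}

tb_scan "$@"
```

A non-zero exit from `tb_scan` on a live machine means at least one Thunderbolt domain relies on firmware-level security alone, which is the situation the article describes as vulnerable.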


 
What I took away from this...

1. Don't put your laptop into hackers' hands
2. If you can't get into a laptop in 5 mins, you're no hacker

Also, if you can get into a laptop in 1 min, you must be Hugh Jackman...

 
"All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware..."

I stopped reading there. Reprogram the firmware? Meh, piece of cake. When I become a spy or have some super secrets then I'll worry about it...
 
"All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware..."

I stopped reading there. Reprogram the firmware? Meh, piece of cake. When I become a spy or have some super secrets then I'll worry about it...
Hmm...company laptops left in your hotel room, a meeting room during your break, checked "for explosives" at airports....

Of course, you could keep it with you at all times, but that just increases the risk of theft or loss.
 
I'd say if someone with hostile intentions has physical access to my computer, a Thunderbolt flaw isn't the greatest security risk.
 
I guess hitting a laptop with a hammer and destroying the data also fits the description as a vulnerability...
This guy that discovered it just wants press for his MSc diploma. Guess he's not going to get a job at Intel anytime soon.
 
"All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate, and the evil maid gets full access to the laptop," says Ruytenberg.
SHEEZ; what a joke ... without physical security how the heck can you expect logical/software security.
 
Oh gosh this is serious! I better do something! Wait.... any computer prior to 2019?
What if I don't have Thunderbolt?
 
Is there any laptop that could withstand an attacker who had physical possession, was willing and able to modify the firmware of the devices on it, and willing to spend hundreds to thousands of dollars on specialized equipment to do it?

I feel this is a little like saying my car has a safety problem because it might explode if shot by the main turret of a tank.
 