In brief: If your laptop somehow makes its way into hackers’ hands, will the login screen and hard disk encryption keep its contents safe? You might imagine so, but if it’s got a Thunderbolt port, you could be in trouble.
Boasting 40Gbps transfer speeds, as well as the ability to power devices and connect to 4K peripherals, Intel’s Thunderbolt interface works by offering more direct access to a computer’s memory compared to other ports.
One drawback with Thunderbolt 3 is its security issues; Microsoft says you won’t find the port on Surface devices because it’s insecure.
Surfaces don't have Thunderbolt because its insecure 🙃 pic.twitter.com/lb7YYOOQ4Y— WalkingCat (@h0x0d) April 25, 2020
It was last year revealed that a series of security flaws named Thunderclap allowed a hacker with a malicious USB drive to exploit Thunderbolt's direct memory access, bypassing all of a computer’s security measures.
It’s possible to protect against Thunderclap by disallowing access to untrusted devices or turning off Thunderbolt altogether, but a new attack can circumvent even those measures.
As reported by Wired, Eindhoven University of Technology researcher Björn Ruytenberg has revealed a new attack he’s named Thunderspy, which can bypass the login screen of sleeping or locked Thunderbolt-enabled computers. It works on both Windows and Linux PCs manufactured before 2019 and can even bypass hard disk encryption.
The technique, which takes less than five minutes, relies on an attacker having alone time with a device, which is known as an “evil maid attack.”
"All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate, and the evil maid gets full access to the laptop," says Ruytenberg
To prevent the previous Thunderclap attack, Intel created Kernel Direct Memory Access Protection, which also prevents Thunderspy. But there’s no Kernal DMA Protection on computers manufactured before 2019, and its implementation is spotty on devices made from 2019 or later. Only a few HP and Lenovo models from 2019 or later use it, and researchers couldn’t find Kernel DMA Protection on any Dell machines (Update: Dell says its Client, Consumer, and Commercial platforms that shipped starting in 2019 have Kernel DMA protection when SecureBoot is enabled). It should be noted that Apple’s MacOS computers are unaffected.
You can see the attack, which involves opening up a laptop, performed in the video above. The SPI programmer device rewrites the Thunderbolt controller’s firmware, turning off its security settings.
"I analyzed the firmware and found that it contains the security state of the controller," Ruytenberg says. "And so I developed methods to change that security state to 'none.' So basically disabling all security."
The method uses around $400 worth of equipment, but also requires an SPI programmer device and a $200 peripheral for carrying out the direct memory attack. Ruytenberg believes the entire setup could be built into a single device for around $10,000. "Three-letter agencies would have no problem miniaturizing this," he said.
After being informed of the attack, Intel noted that that Kernel DMA Protections prevent against it. The company also recommended “the use of only trusted peripherals and preventing unauthorized physical access to computers.”
The best preventative measure, of course, is to ensure hackers don't end up with physical access to your computer.
You can check if your machine is vulnerable to Thunderspy using this free tool created by Ruytenberg.