Tuesday, 12 May 2020

Unhackable



This security flaw puts millions of computers at risk for a serious (but unlikely) hack


New York (CNN Business) A new report from a Dutch security researcher details a hacking mechanism that targets a common feature on millions of computers: the Thunderbolt port.
Bjorn Ruytenberg, a researcher at Eindhoven University in the Netherlands, identified a security flaw in the Thunderbolt port that could allow a hacker to break into a computer and access all of its data in a matter of minutes, even if the computer's owner has taken security precautions.
"If your computer has such a port, an attacker who gets brief physical access to it can read and copy all your data, even if your drive is encrypted and your computer is locked or set to sleep," Ruytenberg said in the report. He dubbed the hacking technique "Thunderspy."
"Thunderspy is stealth, meaning that you cannot find any traces of the attack," he said. The attack also does not require any engagement on the part of the computer's user, unlike other types of attacks such as phishing.
    Developed by Intel (INTC) in 2011, the Thunderbolt port enables fast data transfers. It is present on many PC and Apple laptops and — increasingly — some desktops. Although Intel recently developed a tool to address security concerns with the port, it isn't available on computers manufactured before 2019. 
    Ruytenberg demonstrated the attack, which took just about five minutes, in a YouTube video published along with the report.
    For its part, Intel says that if users take normal security precautions and don't leave their computers somewhere a hacker could access them for even a few minutes — even if they have encrypted drives — they shouldn't be too worried about this type of hack.
    While the Thunderspy attack is technically possible on many computers with a Thunderbolt port, it requires that the hacker gains physical access to the computer for several minutes — enough time to unscrew the back panel of a laptop, plug in a device to the Thunderbolt and override security features, reattach the back of the laptop and then access the computer's data. 
    Most people likely do not have valuable enough data on their computers for a hacker to want to carry out such a targeted attack. Even beyond Thunderspy, security experts have long warned of risks that could come from letting a hacker gain physical access to a computer. 
    A group of security researchers last year identified several vulnerabilities related to Thunderbolt ports. In response, Intel created a tool called Kernel Direct Memory Access (DMA) to mitigate such attacks, which was implemented in major operating systems from Windows, Linux and Mac in 2019, Jerry Bryant, Intel's director of communications for product assurance and security, said in a blog post Sunday.
    The underlying vulnerability identified by Ruytenberg's Thunderspy technique is the same as those addressed by that mitigation tool, Bryant said in the post. The company added that Ruytenberg did not demonstrate successful attacks against machines with the DMA tool enabled.
      However, Ruytenberg pointed out that systems released before 2019, as well as some newer systems without Kernel DMA protection enabled, could still be vulnerable to a Thunderspy attack. He released a free, open-source tool to help users determine whether their computers are at risk. Users can also contact their equipment manufacturers to see if Kernel DMA is enabled on newer devices.
      "For all systems, we recommend following standard security practices, including the use of only trusted peripherals and preventing unauthorized physical access to computers," Intel's Bryant said. "As part of the Security-First Pledge, Intel will continue to improve the security of Thunderbolt technology."

      Monday, 11 May 2020

      Thunderspy an undetectable hardware

      Security Researcher demonstrates Thunderspy, an undetectable hardware attack which disables all Thunderbolt security


        We have heard recently that Microsoft was not a fan of Thunderbolt as they consider that it offers insecure direct access to a PC’s RAM, which could lead to all kinds of shenanigans.

      Now security researcher Björn Ruytenberg has demonstrated an undetectable and rapid hardware attack which easily bypasses Intel’s Thunderbolt security features and which allows an attacker to copy memory from a locked and encrypted PC for example or easily bypass the lock screen.

      He showed off a tool called Thunderspy which takes advantage of the following vulnerabilities:

      1. Inadequate firmware verification schemes
      2. Weak device authentication scheme
      3. Use of unauthenticated device metadata
      4. Downgrade attack using backwards compatibility
      5. Use of unauthenticated controller configurations
      6. SPI flash interface deficiencies
      7. No Thunderbolt security on Boot Camp

      The tool allows attackers with physical access to your PC to permanently reprogram your Thunderbolt controller and from then on allow anyone direct memory access without any security measures, Microsoft’s nightmare scenario.

      Ruytenberg demonstrates the attack in the video below:

      His tool can create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices, and obtain PCIe connectivity to perform DMA attacks. It also allows unauthenticated overriding of Security Level configurations, including disabling Thunderbolt security entirely, and restoring Thunderbolt connectivity on systems restricted to passing through only USB and/or DisplayPort. Finally, it can permanently disable Thunderbolt security and block all future firmware updates.

      Ruytenberg notes that all Thunderbolt-equipped systems shipped between 2011 and 2020 are vulnerable. Some systems providing Kernel DMA Protection, shipping since 2019, are partially vulnerable.

      The Thunderspy vulnerabilities cannot be fixed in software, and will impact future standards such as USB 4 and Thunderbolt 4, and will ultimately require a silicon redesign.

      On newer PCs (2019 onwards) Intel’s Kernel DMA Protection offers some protection, but, interestingly, when Apple macOS laptops boot into Boot Camp, all Thunderbolt security is disabled.

      Ruytenberg is providing an open-source tool, Spycheck, that verifies whether your systems are vulnerable to Thunderspy. If it is found to be vulnerable, Spycheck will guide users to recommendations on how to help protect their system.

      If you have an affected system, Ruytenberg suggests:

      • Connect only your own Thunderbolt peripherals. Never lend them to anybody.
      • Avoid leaving your system unattended while powered on, even when screenlocked.
      • Avoid leaving your Thunderbolt peripherals unattended.
      • Ensure appropriate physical security when storing your system and any Thunderbolt devices, including Thunderbolt-powered displays.
      • Consider using hibernation (Suspend-to-Disk) or powering off the system completely. Specifically, avoid using sleep mode (Suspend-to-RAM).
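
An added example, not part of the original post and not Spycheck: a Linux-only Python check that reads the thunderbolt driver's sysfs attributes (`security`, `iommu_dma_protection`, `authorized`) to show whether Kernel DMA Protection is in effect and which peripherals are currently authorized. The function names and verdict labels are made up for this illustration.

```python
from pathlib import Path

SYSFS_ROOT = "/sys/bus/thunderbolt/devices"  # Linux thunderbolt driver sysfs tree


def read_attr(path):
    """Return a sysfs attribute as stripped text, or None if it is absent."""
    try:
        return path.read_text().strip()
    except OSError:
        return None


def audit(sysfs_root=SYSFS_ROOT):
    """Summarise the Security Level and DMA protection state of each domain."""
    report = []
    for domain in sorted(Path(sysfs_root).glob("domain*")):
        level = read_attr(domain / "security")  # e.g. none, user, secure, dponly
        iommu = read_attr(domain / "iommu_dma_protection")
        # The post says Security Levels can be overridden by reprogramming the
        # controller, so only IOMMU-backed Kernel DMA Protection is counted as
        # a mitigation here (and the post rates that as "partially vulnerable").
        verdict = "kernel-dma-protection" if iommu == "1" else "security-level-only"
        report.append({"domain": domain.name, "security": level, "verdict": verdict})
    return report


def authorized_devices(sysfs_root=SYSFS_ROOT):
    """List devices whose 'authorized' attribute is 1, or 2 (authorized with key)."""
    found = []
    for dev in sorted(Path(sysfs_root).iterdir()):
        if read_attr(dev / "authorized") in ("1", "2"):
            parts = (read_attr(dev / "vendor_name"), read_attr(dev / "device_name"))
            found.append((dev.name, " ".join(p for p in parts if p) or "unknown"))
    return found


if __name__ == "__main__":
    if not Path(SYSFS_ROOT).is_dir():
        print("no Thunderbolt sysfs tree on this machine")
    else:
        for entry in audit():
            print(entry)
        for dev_id, name in authorized_devices():
            print("authorized:", dev_id, name)
```

A `security-level-only` verdict means the recommendations above (own peripherals only, no unattended sleep) are the only barrier; review the authorized list for anything you do not recognise.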