Thunderbolt flaw exposes millions of PCs to attack

Hackers can bypass lock screens and hard drive encryption to copy data from targeted devices

Thunderbolt ports can be exploited by anyone who gains physical access to any PC built before 2019, with attackers able to read and copy all data on the device.

Attackers can bypass the login screens of locked computers, as well as hard drive encryption on Windows and Linux PCs with Thunderbolt ports, to gain access to data stored on the device. Some Mac devices are also affected.

Should hackers be within physical proximity of a device, they can unscrew the backplate, attach a device, reprogramme the firmware and gain full access to the laptop, according to security researcher Björn Ruytenberg.

These ‘Thunderspy’ attacks, Ruytenberg continued, rely on seven vulnerabilities found so far, ranging from weak device authentication schemes, to use of unauthenticated device metadata, to no Thunderbolt security on Boot Camp. 

“Despite our repeated efforts, the rationale to Intel's decision not to mitigate the Thunderspy vulnerabilities on in-market systems remains unknown,” Ruytenberg said. 

“Given the nature of Thunderspy, however, we believe it would be reasonable to assume these cannot be fixed and require a silicon redesign. Indeed, for future systems implementing Thunderbolt technology, Intel has stated they will incorporate additional hardware protections.”

All systems equipped with USB-C ports with Thunderbolt technology shipped between 2011 and 2020 are vulnerable. All Apple Macs released from 2011, apart from Retina MacBooks, offer Thunderbolt connectivity and are also therefore vulnerable. 

Some systems manufactured in 2019 with Kernel direct memory access (DMA) Protection, however, are safeguarded against Thunderspy attacks, but only partially. Kernel DMA Protection doesn’t mitigate against all vulnerabilities, the researcher added.

As a result, effectively, all devices released before 2019 remain fully vulnerable to Thunderspy forever, including those manufactured last year without Kernel DMA Protection.
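For defenders who want to know which Linux machines in a fleet have Kernel DMA Protection active on their Thunderbolt controllers, the following added example (not part of the original article or the researcher's tooling) reads the `security` and `iommu_dma_protection` attributes that the Linux Thunderbolt driver exposes in sysfs. The function name `tb_posture` and the verdict labels are this example's own.

```shell
#!/bin/sh
# Added example: summarise Thunderbolt DMA posture per controller domain on Linux.
# Reads the kernel's sysfs attributes; the root path is a parameter so the
# function can also be run against a constructed directory tree.

tb_posture() {
    root="${1:-/sys/bus/thunderbolt/devices}"
    found=0
    for dom in "$root"/domain*; do
        [ -d "$dom" ] || continue
        found=1
        name=$(basename "$dom")
        level="unknown"
        [ -r "$dom/security" ] && level=$(cat "$dom/security")
        # Attribute is missing on kernels that predate it.
        iommu="absent"
        [ -r "$dom/iommu_dma_protection" ] && iommu=$(cat "$dom/iommu_dma_protection")
        if [ "$iommu" = "1" ]; then
            # Partial mitigation only, per the article.
            verdict="kernel-dma-protection-on"
        else
            case "$level" in
                none)                  verdict="no-protection" ;;
                user|secure)           verdict="security-level-only" ;;
                dponly|usbonly|nopcie) verdict="pcie-tunneling-off" ;;
                *)                     verdict="unknown" ;;
            esac
        fi
        echo "$name security=$level iommu_dma_protection=$iommu verdict=$verdict"
    done
    [ "$found" -eq 1 ] || echo "no-thunderbolt-domain"
}

# Report on the live system when run directly.
tb_posture
```

Machines reporting `no-protection` or `security-level-only` are the ones to prioritise for physical-access controls or for disabling the Thunderbolt controller in firmware setup.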

“We constantly monitor the security landscape and value work that helps us identify new potential threats,” an HP spokesperson told IT Pro.

“Our existing security bulletin provides home PC mitigations for open case DMA pre-boot type attacks. It’s important to remember that such attacks require physical access to the device. The security of our customers is always a top priority and we always encourage people to keep their systems up to date.”

"Dell is aware of the Thunderbolt security research described by researchers as 'Thunderspy'," a spokesperson told IT Pro. "Dell Client Consumer and Commercial platforms that shipped starting in 2019 have Kernel DMA protection when SecureBoot is enabled."

"Since this attack requires physical access, we recommend customers follow security best practices and prevent unauthorized physical access to devices."

Cyber security specialist with ESET, Jake Moore, said Thunderspy is an impressive attack, adding it’s difficult to defend against as there's very little that could mitigate it.

“There is still some simple advice that can be effective: you should never leave your computer unattended for any given time,” he said. “Luckily, given the current social distancing in place, it would seem only your household could be the hacker culprits.

“Being able to alter the firmware of the internal chip and changing the security settings to allow access to any device is impressive, and although Thunderbolt port attacks are nothing new, they can be extremely damaging and infuriatingly difficult to patch. 

“Therefore, in the meantime, I would advise that users avoid connecting unknown or untrusted devices to PC ports, and that the Thunderbolt port isn’t used by those who still work around people or who may be particularly vulnerable to an attack.”

Intel has confirmed it was approached in February with reports of the 'Thunderspy' attack, and that researchers were not able to demonstrate successful exploitation with the Kernel DMA Protection mitigation enabled.

"For all systems, we recommend following standard security practices, including the use of only trusted peripherals and preventing unauthorized physical access to computers," Intel's Director of Communications Jerry Bryant said.

"As part of the Security-First Pledge, Intel will continue to improve the security of Thunderbolt technology, and we thank the researchers from Eindhoven University for reporting this to us."
