Thunderbolt flaw exposes millions of PCs to attack

Hackers can bypass lock screens and hard drive encryption to copy data from targeted devices

Thunderbolt ports can be exploited by anyone who gains physical access to any PC built before 2019, with attackers able to read and copy all data on the device.

Attackers can bypass the login screens of locked computers, as well as hard drive encryption on Windows and Linux PCs with Thunderbolt ports to gain access to data stored on the device. Some Mac devices are also affected.

Advertisement - Article continues below

Should hackers be within physical proximity of a device, they can unscrew the backplate, attach a device, reprogramme the firmware and gain full access to the laptop, according to security researcher Björn Ruytenberg.

These ‘Thunderspy’ attacks, Ruytenberg continued, rely on seven vulnerabilities found so far, ranging from weak device authentication schemes, to use of unauthenticated device metadata, to no Thunderbolt security on Boot Camp. 

“Despite our repeated efforts, the rationale to Intel's decision not to mitigate the Thunderspy vulnerabilities on in-market systems remains unknown,” Ruytenberg said. 

“Given the nature of Thunderspy, however, we believe it would be reasonable to assume these cannot be fixed and require a silicon redesign. Indeed, for future systems implementing Thunderbolt technology, Intel has stated they will incorporate additional hardware protections.”

All systems equipped with USB-C ports with Thunderbolt technology shipped between 2011 and 2020 are vulnerable. All Apple Macs released from 2011, apart from Retina MacBooks, offer Thunderbolt connectivity and are also therefore vulnerable. 

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Some systems manufactured in 2019 with Kernel direct memory access (DMA) Protection, however, are safeguarded against Thunderspy attacks, but only partially. Kernel DMA Protection doesn’t mitigate against all vulnerabilities, the researcher added.

As a result, effectively, all devices released before 2019 remain fully vulnerable to Thunderspy forever, including those manufactured last year without Kernel DMA Protection.

“We constantly monitor the security landscape and value work that help us identify new potential threats,” an HP spokesperson told IT Pro

Related Resource

Introducing VMDR: Vulnerability Management, Detection and Response

The all-in-one vulnerability management service

Download now

“Our existing security bulletin provides home PC mitigations for open case DMA pre-boot type attacks. It’s important to remember that such attacks require physical access to the device. The security of our customers is always a top priority and we always encourage people to keep their systems up to date.”

"Dell is aware of the Thunderbolt security research described by researchers as “Thunderspy.”," a spokesperson told IT Pro. "Dell Client Consumer and Commercial platforms that shipped starting in 2019 have Kernel DMA protection when SecureBoot is enabled."

Advertisement - Article continues below

"Since this attack requires physical access, we recommend customers follow security best practices and prevent unauthorized physical access to devices."

Cyber security specialist with ESET, Jake Moore, said Thunderspy is an impressive attack, adding it’s difficult to defend against as there's very little that could mitigate it.

“There is still some simple advice that can be effective: you should never leave your computer unattended for any given time,” he said. “Luckily, given the current social distancing in place, it would seem only your household could be the hacker culprits.

“Being able to alter the firmware of the internal chip and changing the security settings to allow access to any device is impressive, and although Thunderbolt port attacks are nothing new, they can be extremely damaging and infuriatingly difficult to patch. 

“Therefore, in the meantime, I would advise that users avoid connecting unknown or untrusted devices to PC ports, and that the Thunderbolt port isn’t used by those who still work around people or who may be particularly vulnerable to an attack.”

Advertisement - Article continues below

Intel has confirmed it was approached in February with reports of 'Thunderspy' attack, and that researchers were not able to demonstrate successful exploitation with Kernel DMA Protection mitigation enabled.

"For all systems, we recommend following standard security practices, including the use of only trusted peripherals and preventing unauthorized physical access to computers," Intel's Director of Communications Jerry Bryant said.

"As part of the Security-First Pledge, Intel will continue to improve the security of Thunderbolt technology, and we thank the researchers from Eindhoven University for reporting this to us."

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement
Advertisement

Most Popular

Visit/operating-systems/microsoft-windows/355812/microsoft-warns-against-installing-windows-10-may-2020
Microsoft Windows

Microsoft warns users not to install Windows 10's May update

28 May 2020
Visit/security/data-breaches/355777/easyjet-faces-class-action-lawsuit-over-data-breach
data breaches

EasyJet faces class-action lawsuit over data breach

26 May 2020
Visit/security/cyber-security/355797/microsoft-bans-trend-micros-rootkit-buster-from-windows-10
cyber security

Microsoft bans Trend Micro driver from Windows 10 for "cheating" hardware tests

27 May 2020