Intel Confirms "Thunderspy" Risk in Thuerbolt Devices
A Thunderbolt flaw could let hackers steal your data within minutes, and grab encrypted data even if you lock your PC.
Researchers from Eindhoven University of Technology last February reached out to Intel with a report on Thunderbolt, which they refer to as “Thunderspy”.
In the report, they discussed issues related to invasive physical attacks on Thunderbolt hosts and devices. While the underlying vulnerability is not new and was addressed in operating system releases last year, the researchers demonstrated new potential physical attack vectors using a customized peripheral device on systems that did not have these mitigations enabled.
Attackers could steal data from Thunderbolt-equipped PCs or Linux computers, even if the computer is locked and the data encrypted, according to security researcher Björn Ruytenberg. Using a simple technique called “Thunderspy,” someone with physical access to your machine could nab your data in just five minutes with a screwdriver and “easily portable hardware,” he wrote.
Thunderbolt is giving devices direct access to your PC’s memory, which also creates a number of vulnerabilities. Ruytenberg’s attack method is changing the firmware that controls the Thunderbolt port, allowing any device to access it.
The attack requires about $400 worth of gear, including an SPI programmer and $200 Thunderbolt peripheral.
In 2019, major operating systems implemented Kernel Direct Memory Access (DMA) protection to mitigate against attacks such as these. This includes Windows (Windows 10 1803 RS4 and later), Linux (kernel 5.x and later), and MacOS (MacOS 10.12.4 and later). The researchers did not demonstrate successful DMA attacks against systems with these mitigations enabled.
However, that protection is only available on computers made in 2019 and later.
Obviously, a tiny percentage of users would ever be attacked in this way. This is not an over-the-air malware attack, with code planted on your machine through a malicious email attachment. This is a targeted and high-risk attack, your physical machine needs to be accessible and there needs to be a serious reason for an attacker to want to pull your data.
Intel suggests users should check with their system manufacturers to determine if their system has these mitigations incorporated. For all systems, Intel recommends following standard security practices, including the use of only trusted peripherals and preventing unauthorized physical access to computers.
To protect yourself, you should “avoid leaving your system unattended while powered on, even if screenlocked,” Ruytenberg says, avoid using sleep mode and ensure the physical security of your Thunderbolt peripherals.