Five Minute 'Physical Access' Attack Exposes Millions of PCs to Thunderbolt Vulnerability

A vulnerability in Intel's Thunderbolt port, which is found in millions of PCs, allows an attacker with only minutes of physical access to the device to read and copy all of its data.

"This can even occur if the drive is encrypted and the computer is locked or set to sleep," said researcher Björn Ruytenberg, who exposed the vulnerability and named the attack Thunderspy. "It is stealth, meaning that you cannot find any traces of the attack. There is no phishing link or malicious piece of hardware that the attacker tricks you into using."

Ruytenberg showed in a YouTube video that hacking a laptop took only five minutes and required nothing more than a screwdriver and portable hardware.

Thunderbolt had previously been shown to be a viable entry point for 'evil maid' Direct Memory Access (DMA) attacks, in which data was stolen from encrypted drives and system memory was copied. Intel introduced 'Security Levels', a system that allowed users to authorize only trusted Thunderbolt devices and provided 'cryptographic authentication of connections' designed to prevent devices from spoofing user-authorized devices.

However, Thunderspy broke the primary security claims for Thunderbolt 1, 2, and 3 ports and Ruytenberg found seven vulnerabilities:

1. Inadequate firmware verification schemes

2. Weak device authentication scheme

3. Use of unauthenticated device metadata

4. Downgrade attack using backwards compatibility

5. Use of unauthenticated controller configurations

6. SPI flash interface deficiencies

7. No Thunderbolt security on Boot Camp

"These vulnerabilities lead to nine practical exploitation scenarios," said Ruytenberg.

These include creating arbitrary Thunderbolt device identities, cloning user-authorized Thunderbolt devices, obtaining PCIe connectivity to perform DMA attacks, and permanently disabling Thunderbolt security and blocking all future firmware updates.

"All Thunderbolt-equipped systems shipped between 2011-2020 are vulnerable," concluded Ruytenberg. "The Thunderspy vulnerabilities cannot be fixed in software, impact future standards such as USB 4 and Thunderbolt 4, and will require a silicon redesign."

Further details can be found at: Björn Ruytenberg. Breaking Thunderbolt Protocol Security: Vulnerability Report. 2020.