Björn Ruytenberg, a researcher at Eindhoven University of Technology, discovered a security flaw in Intel’s Thunderbolt ports, common to many laptops produced before 2019.
“If your computer has such a port, an attacker who gets brief physical access to it can read and copy all your data, even if your drive is encrypted and your computer is locked or set to sleep,” said Björn.
Ruytenberg is calling the attack “Thunderspy,” and it impacts millions of Apple, Windows, and Linux machines. The threat affects not only the Thunderbolt 1 and 2 protocols, which use the same chunkier, more cubic connector as Mini DisplayPort, but also Thunderbolt 3, which looks just like a USB-C port.
WHAT IS THE ATTACK
The attack, which hackers can carry out through the Thunderbolt connection in less than 5 minutes, is called an evil maid direct memory access (DMA) attack. Bad actors can use that entry point to steal data from encrypted drives, reading and writing all of the system memory.
SEE THUNDERSPY VULNERABILITY IN ACTION
Thunderspy PoC demo 1: Unlocking Windows PC in 5 minutes
Intel Adopted Safety Mitigation Protocols
On May 10, Jerry Bryant, director of communications for Intel’s product assurance and security operations, wrote in a statement that Intel adopted some safety mitigation protocols last year as a response to a similar type of attack called Thunderclap.
DMA Attacks Prevention
The mitigation, called Kernel DMA Protection, is meant to enable users to authorize only trusted Thunderbolt devices to prevent DMA attacks. However, it’s only present on systems shipped out after 2019, meaning older devices dating back to 2011 are still vulnerable.
“The researchers did not demonstrate successful DMA attacks against systems with these mitigations enabled,” Bryant wrote. “For all systems, we recommend following standard security practices, including the use of only trusted peripherals and preventing unauthorized physical access to computers.”
Protect From Thunderspy
Unfortunately, the Thunderspy vulnerabilities can’t be fixed in software. Fixing them will require a silicon redesign down the road; otherwise they will also hurt the forthcoming Thunderbolt 4 technology.
Use of Free Software
To protect yourself from the attack, you should first consider running Ruytenberg’s Spycheck software, which is free and open-source, to verify whether or not your system is vulnerable to a Thunderspy attack. If your system is at risk, Spycheck will guide you through some recommendations to protect yourself.
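On Linux, the kernel itself reports whether Kernel DMA Protection covers each Thunderbolt controller. The script below is an added example, not part of the original article and not Spycheck's code; it assumes the Linux thunderbolt driver's sysfs attributes `security` and `iommu_dma_protection` under `/sys/bus/thunderbolt/devices/domainN`, and the verdict names are invented for illustration.

```python
#!/usr/bin/env python3
"""Audit Thunderbolt DMA protection state from Linux sysfs (added example)."""
from pathlib import Path

SYSFS_TB = Path("/sys/bus/thunderbolt/devices")
NO_PCIE = {"dponly", "usbonly", "nopcie"}   # levels with no PCIe tunneling
AUTH_ONLY = {"user", "secure"}              # device approval, no IOMMU

def read_attr(path):
    """Return a stripped sysfs attribute, or None if it is absent/unreadable."""
    try:
        return path.read_text().strip()
    except OSError:
        return None

def audit_domain(domain):
    """Classify one Thunderbolt domain directory (verdict names are hypothetical)."""
    security = read_attr(domain / "security")
    iommu = read_attr(domain / "iommu_dma_protection")  # missing on older kernels
    if iommu == "1":
        verdict = "kernel-dma-protection"   # IOMMU confines Thunderbolt DMA
    elif security in NO_PCIE:
        verdict = "no-pcie-tunneling"
    elif security in AUTH_ONLY:
        verdict = "authorization-only"
    else:
        verdict = "unprotected"             # "none" or an unknown level
    return {"domain": domain.name, "security": security,
            "iommu": iommu, "verdict": verdict}

def audit(root=SYSFS_TB):
    """Audit every domain under root. An empty list means no controller is
    visible: none fitted, disabled in UEFI, or powered down until plug-in."""
    return [audit_domain(d) for d in sorted(Path(root).glob("domain*"))]

def needs_physical_controls(results):
    """True when any domain lacks Kernel DMA Protection, so the article's
    physical-security recommendations are the remaining defence."""
    return any(r["verdict"] != "kernel-dma-protection" for r in results)

if __name__ == "__main__":
    results = audit()
    for r in results:
        print(f'{r["domain"]}: security={r["security"]} '
              f'iommu_dma_protection={r["iommu"]} -> {r["verdict"]}')
    if not results:
        print("no Thunderbolt domains visible")
    elif needs_physical_controls(results):
        print("at least one domain is not covered by Kernel DMA Protection")
```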
Some Recommendations You May Follow
- Connect only your own Thunderbolt peripherals. Never lend them to anybody.
- Avoid leaving your system unattended while powered on, even when the screen is locked.
- Avoid leaving your Thunderbolt peripherals unattended.
- Ensure appropriate physical security when storing your system and any Thunderbolt devices, including Thunderbolt-powered displays.
- Consider using hibernation (Suspend-to-Disk) or powering off the system completely. Specifically, avoid using sleep mode (Suspend-to-RAM).
You May Choose to Disable Thunderbolt
And if you don’t need to use Thunderbolt, Ruytenberg strongly recommends disabling the Thunderbolt controller entirely in UEFI (BIOS). Just remember: This renders all Thunderbolt ports inoperable, including USB and DisplayPort connectivity. However, USB-C charging will most likely remain functioning.
Better Safe Than Sorry
While it’s extremely unlikely you’ll fall victim to this sort of hack, it’s better to be safe than sorry, and the easiest thing you can do to protect yourself is to just keep your laptop in a safe place at all times. This attack can never work if you’re vigilant.