Over the weekend, Eindhoven University of Technology researcher Björn Ruytenberg shared details of a new attack method dubbed “Thunderspy.” The attack utilizes Thunderbolt ports to access the data of PCs. It affects devices running Windows or Linux made before 2019 as well as some devices made at later dates. The Thunderbolt port is found on millions of computers, leaving a large number of devices vulnerable to an attack. The Thunderspy style of attack requires physical access to a PC but can be accomplished in minutes with the right tools. Wired reported on the attack and added context to the vulnerability.
The Thunderspy attack method can work if a PC is locked and even if it has hard disk encryption. In many cases, this style of attack requires opening parts of a laptop with a screwdriver.
The Thunderbolt port has been used as an attack vector in the past. The Thunderclap vulnerability that was revealed last year allowed an attacker to access a user’s data by plugging a malicious device into a Thunderbolt port. To help with that and other Thunderbolt-related vulnerabilities, Intel created Kernel Direct Memory Access Protection. This protection prevents attacks, including Thunderspy, but is not available on all PCs.
Intel shared details about the attack vulnerability in a post, stating:
“In 2019, major operating systems implemented Kernel Direct Memory Access (DMA) protection to mitigate against attacks such as these. This includes Windows (Windows 10 1803 RS4 and later), Linux (kernel 5.x and later), and MacOS (MacOS 10.12.4 and later). The researchers did not demonstrate successful DMA attacks against systems with these mitigations enabled.”
Despite this statement from Intel, many devices do not have the protection. According to Ruytenberg, Kernel Direct Memory Access Protection isn’t available on any computers made before 2019 and is not standard today. As reported by Wired, Eindhoven researchers could only confirm that a few HP and Lenovo devices use the protection and couldn’t find any Dell machines that use it. A question and answer section of the report provides specific details on which devices are affected and provides tools to see if your specific devices are vulnerable.
Ruytenberg first notified Intel of the vulnerability three months ago. Intel stated to Wired that, “While the underlying vulnerability is not new, the researchers demonstrated new physical attack vectors using a customized peripheral device.” Intel also added that “For all systems, we recommend following standard security practices… including the use of only trusted peripherals and preventing unauthorized physical access to computers.”
The vulnerability cannot be fixed with software updates. If you are concerned about your device, you should make sure that your device isn’t accessed by anyone you don’t trust. You can also disable a Thunderbolt port through your system’s BIOS. In order to be fully protected, a person would have to disable Thunderbolt in their system’s BIOS, enable hard disk encryption, and make sure their device is off when left unattended.
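To check whether a Linux machine has the Kernel DMA Protection discussed above enabled for its Thunderbolt controllers, the following added example (not from the original article or the researchers' tools) reads the kernel's Thunderbolt sysfs attributes `security` and `iommu_dma_protection`. The function name `tb_dma_check` and the optional directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report Kernel DMA Protection status per Thunderbolt domain.
# Usage: tb_dma_check            (live system)
#        tb_dma_check /some/dir  (a copied or constructed sysfs tree)
#
# Prints one line per domain and returns 0 when every domain reports
# IOMMU-based DMA protection, 1 when at least one does not.
tb_dma_check() {
    root="${1:-/sys/bus/thunderbolt/devices}"
    rc=0
    found=0
    for d in "$root"/domain*; do
        [ -d "$d" ] || continue          # glob did not match anything
        found=1

        # Firmware security level; reported for context only. The verdict
        # below depends on Kernel DMA Protection, the mitigation the
        # article names.
        sec=$(cat "$d/security" 2>/dev/null || echo unknown)

        # The attribute is missing on kernels that predate the feature,
        # which is treated the same as "not enabled".
        if [ -r "$d/iommu_dma_protection" ]; then
            iommu=$(cat "$d/iommu_dma_protection")
        else
            iommu=unknown
        fi

        if [ "$iommu" = "1" ]; then
            verdict=protected
        else
            verdict=exposed
            rc=1
        fi
        echo "${d##*/} security=$sec iommu_dma_protection=$iommu verdict=$verdict"
    done
    [ "$found" -eq 1 ] || echo "no Thunderbolt domains found"
    return $rc
}
```

A machine with no Thunderbolt controller, or with Thunderbolt disabled in the BIOS, prints "no Thunderbolt domains found".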
In related news, a leaked video recently revealed that Microsoft’s Surface devices don’t use Thunderbolt due to security concerns.