A Dutch researcher has unearthed critical flaws in Intel’s Thunderbolt interface that allow an attacker to hack a vulnerable system in minutes.
If your computer is equipped with a Thunderbolt port and was manufactured before 2019, then it’s most likely susceptible to a stealth compromise codenamed Thunderspy. It allows an attacker to exploit the interface for bypassing the regular authentication and gaining a foothold in the machine even if it is locked and its hard drive is encrypted. All it takes is direct physical access to the laptop for less than 10 minutes, plus a kit of devices worth a few hundred dollars. This type of intrusion is commonly referred to as an “evil maid attack” because its logic fits into a classic hotel room scenario featuring a snoop in disguise who wants to access a temporarily unattended computer and pilfer data. If the stars align for the criminal, they’ll need to unscrew the laptop’s back cover, attach an SPI flash programming device to the Thunderbolt chip, reprogram the firmware, screw the cover back where it belongs, and easily circumvent all system defenses to get hold of the victim’s data.
Björn Ruytenberg, researcher from the Eindhoven University of Technology who identified the flaws and spread the word about them, emphasizes that all machines using Thunderbolt released in 2011-2020 are low-hanging fruit in terms of this hack. Major operating systems have implemented the Kernel Direct Memory Access protection mechanism since 2019, so the latest models should be on the safe side. This technology is a game-changer due to the very gist of the Thunderbolt interface: it enables lightning-fast data transfers by employing direct access to a computer’s memory. This is great from a user experience perspective, but it also makes the port a potential single point of failure and a goldmine of malicious opportunities to access systems. The wakeup call was last year’s proof of concept dubbed Thunderclap. Demonstrated by security enthusiasts, it allowed harmless-looking DisplayPort or USB-C peripherals to become a launchpad for direct memory access (DMA) facilitating malicious code execution and data theft attacks via a Thunderbolt port.
According to the recent findings of Ruytenberg and his colleagues, the Thunderspy incursion vector is mostly an issue for Windows PCs and Linux computers whose security barriers are completely circumvented in the aftermath of the exploitation. Machines running macOS are “partially affected”, with the impact bearing a resemblance to the BadUSB technique first reported in 2014. In other words, Thunderspy gives a malefactor’s booby-trapped hardware elevated privileges so that it can act as a keyboard, a network card, or virtually any other USB-enabled device. With this trick in place, the malicious peripheral can furtively type and invoke arbitrary pre-assigned commands or cause the target Mac computer to connect to harmful websites.
The white hats notified Intel of these flaws on February 10, 2020. A month later, the vendor confirmed the issue and stated that they would officially inform the affected parties. Apple became aware of the macOS vulnerabilities in mid-April. A serious roadblock to solving the problem is that this is a hardware imperfection and it cannot be fixed by rolling out a software update. To stay safe, those affected should consider disabling the Thunderbolt port in BIOS settings if it’s not in use. An additional precaution is to enable hard disk encryption. Furthermore, users should completely shut down their machines rather than simply lock or put them to sleep when they aren’t nearby for a while.