Leaked Microsoft video shows why Surface PCs don't support Thunderbolt

Surface Laptop 3 (Image credit: Windows Central)

What you need to know

  • Surface devices don't support Thunderbolt because it's insecure, according to a new video.
  • The video also explains that the Surface Laptop 3's RAM isn't user-upgradeable due to security reasons.
  • Many Surface devices have USB-C ports but do not support Thunderbolt.

A leaked video with an unnamed Microsoft employee explains that Surface devices don't support Thunderbolt because the technology is insecure (via ZDNet). The video emerged thanks to well-known leaker WalkingCat sharing it on Twitter over the weekend. While new Surface devices have USB-C ports and support USB 3, they do not support Thunderbolt.


While Thunderbolt 3 allows fast connections to peripherals, it also gives a connected device direct memory access (DMA). The video explains that an attacker with a specific type of memory stick could use that access to read a device's data. Windows 10 would not be able to stop such an attack, because the direct memory access Thunderbolt provides bypasses the operating system. The presenter in the video states,

So we don't believe, at this moment, that Thunderbolt can deliver the security that's really needed from the devices. That's why we've opted to integrate USB-C and USB 3 on our devices but have not integrated Thunderbolt on our devices.

The presenter also explains that Microsoft opted against removable RAM on the Surface Laptop 3 because someone could freeze the memory with liquid nitrogen, pull it out, and read its contents with a specific reader. The presenter states,

If you would be able to physically take out the memory, what you can easily do as well is freeze the memory with liquid nitrogen, get the memory out, then put it in a specific reader.

Even though Microsoft's first-party Surface line doesn't support Thunderbolt, Microsoft has made efforts to make devices that use it more secure. MSPoweruser points out that Windows 10 gained Kernel DMA Protection (KDP) for Thunderbolt 3 in Windows 10 version 1803. Windows 10 Secured-core PCs can use KDP to stop firmware attacks and ransomware attacks that go after data in the kernel of Windows 10.
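Kernel DMA Protection, mentioned above, works by putting Thunderbolt-attached PCIe devices behind the platform IOMMU, so device-initiated DMA is remapped rather than reaching arbitrary physical memory. Linux applies the same mitigation and exposes its state through sysfs, which makes the posture easy to audit. The script below is an added example written for this article, not Microsoft's or any project's code: it assumes the kernel's `/sys/bus/thunderbolt/devices/domainN/security` and `iommu_dma_protection` attributes, and the alternate root it accepts as an argument is for running it against a constructed mock tree on a machine without Thunderbolt.

```shell
#!/bin/sh
# Audit Thunderbolt DMA exposure on a Linux host from sysfs.
# Added example for this article, not Microsoft's or any project's code.
# Assumes the kernel exposes, per Thunderbolt domain:
#   .../domainN/security              (none|user|secure|dponly|usbonly|nopcie)
#   .../domainN/iommu_dma_protection  (1 when the IOMMU remaps device DMA)

# Classify one domain from its security level and IOMMU flag.
# With IOMMU remapping a device cannot read arbitrary memory regardless
# of level. Without it, only the levels that refuse PCIe tunnelling keep
# DMA unreachable; 'none' authorises any device automatically, while
# 'user' and 'secure' still grant DMA once a device is approved.
tb_domain_verdict() {
    level="$1"
    iommu="$2"
    if [ "$iommu" = "1" ]; then
        echo "PROTECTED (IOMMU remapping active)"
        return 0
    fi
    case "$level" in
        dponly|usbonly|nopcie) echo "PROTECTED (PCIe tunnelling disabled)" ;;
        none)        echo "EXPOSED (any device auto-authorised, no IOMMU)" ;;
        user|secure) echo "USER-GATED (approved devices get DMA, no IOMMU)" ;;
        *)           echo "EXPOSED (unknown level '$level', no IOMMU)" ;;
    esac
}

# Usage: tb_dma_audit [SYSFS_ROOT]   (defaults to /sys; override for testing)
# Prints one line per domain. Return codes:
#   0  every domain is PROTECTED
#   1  at least one domain is USER-GATED or EXPOSED
#   2  no Thunderbolt domains found
tb_dma_audit() {
    root="${1:-/sys}"
    found=0
    unprotected=0
    for dom in "$root"/bus/thunderbolt/devices/domain*; do
        [ -d "$dom" ] || continue
        found=1
        # Missing attributes are treated pessimistically.
        level=$(cat "$dom/security" 2>/dev/null || echo unknown)
        iommu=$(cat "$dom/iommu_dma_protection" 2>/dev/null || echo 0)
        verdict=$(tb_domain_verdict "$level" "$iommu")
        printf '%s: security=%s iommu_dma_protection=%s -> %s\n' \
            "$(basename "$dom")" "$level" "$iommu" "$verdict"
        case "$verdict" in
            PROTECTED*) ;;
            *) unprotected=1 ;;
        esac
    done
    if [ "$found" -eq 0 ]; then
        echo "no Thunderbolt domains found under $root"
        return 2
    fi
    return "$unprotected"
}

# Run against the live host only when asked explicitly, so the functions
# can also be sourced from another script.
if [ "${1:-}" = "--run" ]; then
    tb_dma_audit "${2:-/sys}"
fi
```

Run it as `sh tb_dma_audit.sh --run` on the host; a non-zero exit from a fleet-wide check flags machines where a hot-plugged device could still issue DMA, which is exactly the condition the video describes. Note that a PROTECTED verdict only covers Thunderbolt PCIe tunnels; it says nothing about other DMA-capable ports the platform may have.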

Several OEMs utilize Thunderbolt while running Windows 10, including Dell, HP, Razer, and Lenovo, so some companies must feel the security concerns are not severe enough to leave it off devices. Some of Apple's devices running macOS support Thunderbolt, but they notably have Apple's T2 chip, which protects systems. Black Hat explains how the T2 chip secures devices from Thunderbolt-related attacks in an extensive video.

Sean Endicott
News Writer and apps editor

Sean Endicott brings nearly a decade of experience covering Microsoft and Windows news to Windows Central. He joined our team in 2017 as an app reviewer and now heads up our day-to-day news coverage. If you have a news tip or an app to review, hit him up at sean.endicott@futurenet.com.

  • This makes sense but it's still disappointing. Maybe they'll develop something similar to Apple's T2 chip for future Surface Devices. Especially once USB 4.0 comes out.
  • Meh, Thunderbolt, or specifically Thunderbolt 3, is just a talking point. USB 3.2 Gen 2x2 has the same 20 Gbps speed as Thunderbolt 2. Thunderbolt 3 is 40 Gbps and nothing is taking advantage of that speed, except for eGPUs, which are limited by proprietary driver support, and even then the performance doesn't really line up with the cost. It's still cheaper, for me, to buy an ultraportable and a gaming desktop separately than trying to have a dockable solution à la Razer and the Razer Core, and the performance is better.
  • I think you're underestimating the performance of E-GPUs. As long as the Thunderbolt port has 4 PCI-E lanes there's almost no performance hit. As someone that has a premium 2-in-1, being able to use an E-GPU saves me a ton of money over having to build a whole tower to get the same specs.
  • E-GPUs don't matter unless you're forced into Thunderbolt. Most people would rather build a PC with their choice of GPU/motherboard/RAM than, say, buy into an ecosystem where you're forced to use Thunderbolt to do what you used to be able to do for yourself. For those that fantasize about E-GPUs and "designer" computers - USB4 can fill that void, but I don't think it's a very big market :) Price will always favor internal components, and price becomes a critical factor if you're obsessed with performance over appearance.
  • You nailed it. Let's use a real world example. The new Razer Blade STARTS at $1500. The eGPU ENCLOSURE is another $400. Then it's another 2-300 for a gaming level GPU; if you want esports level? That's 450 AT LEAST. For that money, I can buy an $800 laptop or Surface, and buy or build a $1000 gaming rig, and have better performance, cooling, expansion and overclocking and still have money left over.
  • But the Razer Core doesn't require Razer hardware; you can use any Thunderbolt 3 compatible laptop. So if you want to use an HP Spectre for its portability and battery life on the go, then plug into an e-GPU enclosure and play games, you've got that option. If the gaming environment you use is a desktop setup where all of your peripherals are connected to the e-GPU enclosure, then now you're talking about simply connecting one cable from the Razer Core to the laptop for power and the entire desktop setup. That's significantly better for plenty of users than maintaining multiple systems, especially if the desktop in your scenario is one they don't have on all the time. I use the setup that you gave as an example. I have the 15" SB2 that I rarely game with if I'm away from home (1060 is actually pretty decent) and a desktop gaming rig with the AMD 5700XT and Oculus Rift. I keep the gaming rig shut down unless I need it, and I often find myself waiting for Steam to download the latest Rainbow Six: Siege update or Oculus Rift drivers before I can do anything. Having all of that backgrounded on my laptop whenever it has AC power and not having to worry about whether things are up-to-date when I finally have time to play some games would be amazing.
  • Do yourself a favor and look up performance and reliability reviews of other devices plugged into the Razer Core. Half of them don't work, and others crash and have performance issues. If you want to do VR, an $1100 laptop (like the Asus ROG Zephyrus G14) will handle it fine, no eGPU needed. That costs you less than trying to set up an eGPU gaming rig. I have an Alienware 15 laptop; if I wanted I could buy their external GPU enclosure, which came out way before and uses their proprietary connection. It's still more expensive, and my 6th gen Intel would now be a bottleneck with that setup. eGPUs have been a thing for years now; notice they haven't taken off. Because they aren't cost effective, and they're bottlenecking.
  • As someone that already has an $800 graphics card and a $1400 2-in-1, I can't build a whole tower for the $300 I paid for the Razer Core, nor am I going to buy a gaming laptop when I need something that's ultra portable with inking and all day battery life. And the simplicity of having one device for everything is worth something too. Also, I don't know what you're talking about in terms of reliability, I've never had any compatibility issues with a computer and the Razer Core and I've tried 5 different devices with it, though the only one I've used extensively has been a Spectre x360.
  • Considering this was meant to be an internal talk and not just marketing pr, this makes sense and I believe them. Hopefully they're able to find a workaround to allow it in future devices and feel secure.
  • I think it's a silly, nonsense justification. The SB2 was the first Surface with USB-C. Its CPU didn't have enough PCIe lanes to support TB3, so they didn't go with it. Next, there's the future to look at, and their push for Windows on ARM. At that time, Intel hadn't opened TB3 up to other manufacturers, and even if they had, there's no guarantee that TB3 on ARM would ever be possible (let alone useful, since things like eGPU don't mean much if a game or intensive process is only able to run through emulation). I think WoARM is the biggest reason for avoiding TB3, due to the confusion that could be created from having some Surface devices work with it while others don't.
  • Why would anyone want to copy memory. 😀Funniest thing I've heard since coronavirus 5g.
  • Your passwords, encryption keys and credit card info. You can give it away if you don't want to keep it safe, just post it here.
  • I think he was being sarcastic
  • The RAM excuse is pretty flimsy. If someone had access to the physical RAM sticks I have in my Envy x360 laptop (which is already tricky to open without the right tools such as a Torx screw in addition to a Phillips screwdriver), which I keep in my private, locked home, I have bigger things to worry about than having my cat memes stolen.
  • I think you're only considering this from a consumer point of view. From an enterprise or large business perspective, this type of thing could be fairly common, which would explain why they are talking points. Corporate espionage, intelligence/counterintelligence and national security are a real concern, and people will go above and beyond what we think anyone would to get what they want.
    Consumers just see the effect of it played out in technology, whether we see it as good or bad.
  • You are not a Defense Contractor, or any other kind of security person.
    The amount of attacks upon companies that do US Defense contracts is enormous, and laptops get stolen all the time.
    A common attack is the "USB stick in the parking lot" attack, where the attacker leaves a booby-trapped USB stick in a public place, say, a coffee shop near a defense contractor, in the hope someone picks it up and plugs it into their company laptop.
    With Thunderbolt, you get DIRECT MEMORY ACCESS from the TB port, something USB 3.2 does not support (that is why it's so fast, very little overhead.)
    Another favorite is the "booby-trapped" USB Charging port at the airport. (Don't EVER use the USB charging ports at the airport. You have no idea what is hiding behind that wall plate.)
    If you can just steal a laptop that is in "sleep" mode (the vast majority of them), that means it just puts the CPU into low power mode, suspends all disk activity, turns off the screen, but the memory STILL gets its dynamic refresh cycles to keep it running. If I steal that laptop and physically take out the memory, I can access any decryption keys that are resident in memory if I am careful to keep the DRAM refresh cycles running.
    We won't even go into the Row Hammer attacks upon memory here. I agree that if you have physical access to the laptop, it's pretty much game over, but hopefully it is fully encrypted with BitLocker or something similar. The only way to really stop USB attacks is what one guy in a defense contractor did: hot-melt glue gun to the USB ports. That's pretty severe, but it solved his problem for a while, then Bluetooth came along................
  • Good points. I'll also say that things like vPro and various management software do let IT configure laptops to disable ports for this very reason. HP has this in its BIOS settings, which can be controlled by IT. Even Wi-Fi is disabled on some secure laptops, with LTE preferred as the only connection to be used.
  • True, but try telling the CEO/CFO/CLO that you have disabled ALL of the USB ports on their laptops for security reasons, or turned off Bluetooth, or WiFi. (Trust me, it will not go well......) It was a battle to just get them to use BitLocker (we had to agree to let them have private keys that IT had no access to AD recovery of.)
    It's an oxymoron of security that the people who MOST need security applied to their devices, are the ones who hate it the most and can override any security decisions by IT the easiest (they just tell the CIO to remove their PCs from the list. Voila. Done.)
    I won't even begin to tell you the fun of dealing with the Software Engineers.............
  • Interesting posts, I was not aware of how extreme those attacks got. I mean, I just figured that, as Daniel mentioned below, there would be BIOS-level restrictions to provide that balance between consumer flexibility and enterprise-level security for companies that need it. But I would imagine that you would rely on other physical measures to prevent intruder access to a laptop's internals, such as a heavily-reinforced case or something. With such sensitive data, you would understandably want to pull out all the stops.
  • One thing I would add is that sometimes using power at public locations is unavoidable. I suggest two options to people:
    1) USB cable wired only for power, with data pins removed or not existent
    2) Carry a battery and charge that instead, using it to charge your device
    Both of those get around the insecure charging stations issue, which you are completely correct about.
  • 3) Carry a charger, not just the USB cord. Plug it into a wall outlet, not into a USB port.
  • Not always an option. And they make power only USB cables. Those are perfectly safe.
  • And yet the DoD doesn't put Surface devices high on their list. Sure, they're approved, but all I ever see purchases for are Dell and HP, who both support TB3 on most of their laptops. Also, it doesn't address the fact that the DMA concerns are fixed in Windows 10 since 1803.
  • This doesn't make sense. It might be an advantage, but I don't buy it as a primary design decision, and I find it kind of funny that people are buying it so freely. If Microsoft really felt this were a meaningful security measure, then why would they hide the decision? Plus, with the RAM protection provided in newer W10 updates, it would free them up to no longer do this, right? As for the enterprise excuses, they could very well offer "enterprise edition" models that did this as extra security and not do it on consumer models. It also doesn't make sense that they would do this for security, then make it an absurd price hike to upgrade internals at the time of purchase. This is about controlling the product and maximizing profits by minimizing user access to the device, first and foremost. This is a company that took away the bundled pen from the Surface Pro and doubled the pen's cost at the same time. They actually went so far as to build the Surface Laptop's first two iterations with GLUE to stop user access. I don't buy it one bit.
  • You make some interesting points, but all big companies are profit minded, and selling secure products to businesses is one way to do it. (Also: easy-to-repair devices, which explains the Surface Laptop 3.) Also, I would imagine they didn't want this presentation to go public because they didn't want to pointlessly rock the boat with Intel. What I don't understand is why dock manufacturers for enterprise dove into this tech if they knew the flaws, especially the docks that weren't even compatible with non-TB3 connections ...
  • Another explanation is they're waiting for USB4 which offers the same speeds but is royalty free.
  • Thunderbolt has been royalty free since before any Surface device came out with USB-C... https://www.extremetech.com/computing/249902-thunderbolt-goes-royalty-fr...
  • Either way you have to have the PC to access what you are looking for; either way, if you lose your PC, anybody can access it that way. Sounds like an excuse to me. Correct me if I am wrong.
  • Is it possible to mitigate these with custom Processors then, like with those SQ1 they are developing in their Pro X series with Qualcomm? 👀