Serious security flaw lets hackers quickly steal data via Thunderbolt ports

Dell Xps 13 9300 Ports Thick (Image credit: Windows Central)

What you need to know

  • An attack method called Thunderspy was recently uncovered.
  • Thunderspy utilizes physical access to a device and the Thunderbolt port to gain access to people's data.
  • The attack method can work even if a device is locked and has hard disk encryption.

Updated May 12, 2020: A representative reached out to clarify that "Dell Client Consumer and Commercial platforms that shipped starting in 2019 have Kernel DMA protection when SecureBoot is enabled." We have added this to the article.

Over the weekend, Eindhoven University of Technology researcher Björn Ruytenberg shared details of a new attack method dubbed "Thunderspy." The attack uses the Thunderbolt port to obtain direct memory access (DMA) to a PC and, through it, the data the machine is working with. It affects Windows and Linux devices shipped before 2019 as well as some devices shipped later. Thunderbolt ports are found on millions of computers, leaving a large number of devices exposed. A Thunderspy attack requires physical access to the PC, but with the right tools it can be carried out in minutes. Wired reported on the attack and added context to the vulnerability.

The Thunderspy attack works even if the PC is locked and even if it uses full-disk encryption, because it targets the running system's memory rather than the disk. In most variants the attacker has to open the laptop's case with a screwdriver to reach the Thunderbolt controller's firmware flash chip.

The Thunderbolt port has been used as an attack vector before. The Thunderclap vulnerability revealed last year let an attacker read a victim's data by plugging a malicious device into a Thunderbolt port. To counter Thunderclap and other Thunderbolt-related DMA attacks, Intel and the major operating system vendors introduced Kernel Direct Memory Access Protection, which uses the platform's IOMMU to restrict which memory a hot-plugged Thunderbolt device can read or write. This protection mitigates attacks including Thunderspy, but it is not available on all PCs.

Intel shared details about the attack vulnerability in a post, stating:

In 2019, major operating systems implemented Kernel Direct Memory Access (DMA) protection to mitigate against attacks such as these. This includes Windows (Windows 10 1803 RS4 and later), Linux (kernel 5.x and later), and MacOS (MacOS 10.12.4 and later). The researchers did not demonstrate successful DMA attacks against systems with these mitigations enabled.

Despite this statement from Intel, many devices do not have the protection. According to Ruytenberg, Kernel Direct Memory Access Protection isn't available on any computers made before 2019 and is still not standard today. As reported by Wired, the Eindhoven researchers could only confirm that a few HP and Lenovo devices use the protection. They also reportedly couldn't find any Dell machines that use it, though that seems to be inaccurate. Since our initial report, a representative reached out regarding Dell products, stating, "Dell Client Consumer and Commercial platforms that shipped starting in 2019 have Kernel DMA protection when SecureBoot is enabled." A question-and-answer section of the report details which devices are affected and links to a tool for checking whether a specific device is vulnerable.

Ruytenberg first notified Intel of the vulnerability three months ago. Intel told Wired that, "While the underlying vulnerability is not new, the researchers demonstrated new physical attack vectors using a customized peripheral device." Intel also added that "For all systems, we recommend following standard security practices… including the use of only trusted peripherals and preventing unauthorized physical access to computers."

The video included in the report demonstrates how an attacker could take advantage of the vulnerability. It is just under six minutes long. According to Ruytenberg, the tools shown in the video cost around $400 in total, including an SPI programmer (used to rewrite the Thunderbolt controller's firmware) and a $200 Thunderbolt peripheral.

The vulnerability cannot be fixed with software updates. If you are concerned about your device, make sure it isn't left accessible to anyone you don't trust. You can also disable the Thunderbolt port in your system's BIOS. To be fully protected, a person would have to disable Thunderbolt in the BIOS, enable full-disk encryption, and make sure the device is powered off or hibernated, not merely asleep, when left unattended, since sleep keeps the encryption keys and unlocked data in memory where a DMA attack can reach them. On Windows, the System Information tool (msinfo32) reports whether Kernel DMA Protection is on; on Linux, the kernel exposes the same information under /sys/bus/thunderbolt/devices/.
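As an added example (not part of the original article or of the researchers' own tooling), the following POSIX shell script reads the two Linux sysfs attributes that determine how exposed a host is to a Thunderspy-style attack: the Thunderbolt Security Level (`security`) and whether the firmware reports Kernel DMA Protection for the tunnel (`iommu_dma_protection`). Both attribute names and their values are the ones documented by the Linux thunderbolt driver; the verdict strings and the function names are this script's own. The sysfs root is a parameter so the same logic can be run against a constructed directory as well as the live `/sys` tree.

```shell
#!/bin/sh
# Added example: classify each Thunderbolt domain on a Linux host by the
# attributes relevant to Thunderspy-style DMA attacks.
#
#   domainN/security             -> none | user | secure | dponly | usbonly
#   domainN/iommu_dma_protection -> 1 when the firmware enables Kernel DMA
#                                   Protection (IOMMU guards PCIe tunnels)
#
# Verdict strings below are this script's own labels, not kernel output.

# classify_domain DIR
# Prints one line: "<domain> <security-level> <iommu-flag> <verdict>"
classify_domain() {
    dir=$1
    name=${dir##*/}
    security=$(cat "$dir/security" 2>/dev/null || echo unknown)
    iommu=$(cat "$dir/iommu_dma_protection" 2>/dev/null || echo 0)

    if [ "$iommu" = "1" ]; then
        # IOMMU-backed protection removes the unrestricted DMA that the
        # attack relies on, whatever the configured Security Level.
        verdict=protected
    else
        case $security in
            none)
                # Legacy mode: any plugged-in device gets DMA right away.
                verdict=exposed ;;
            user|secure)
                # Security Levels alone: Thunderspy defeats them by
                # reflashing the controller or spoofing an approved device.
                verdict=exposed-security-levels-bypassable ;;
            dponly|usbonly)
                # PCIe tunnelling disabled: no DMA path through the port.
                verdict=pcie-tunneling-disabled ;;
            *)
                verdict=unknown ;;
        esac
    fi
    printf '%s %s %s %s\n' "$name" "$security" "$iommu" "$verdict"
}

# thunderspy_check [ROOT]
# ROOT defaults to the live sysfs directory for Thunderbolt devices.
# Prints one line per domain, or "no-thunderbolt-domains" if none exist.
thunderspy_check() {
    root=${1:-/sys/bus/thunderbolt/devices}
    found=0
    for d in "$root"/domain*; do
        [ -d "$d" ] || continue
        found=1
        classify_domain "$d"
    done
    if [ "$found" -eq 0 ]; then
        echo "no-thunderbolt-domains"
    fi
    return 0
}

# Run against the live system (or a tree named by THUNDERBOLT_SYSFS).
thunderspy_check "${THUNDERBOLT_SYSFS:-/sys/bus/thunderbolt/devices}"
```

A host that reports `protected` on every domain matches Intel's description of a mitigated system; `exposed-security-levels-bypassable` is the common pre-2019 case, where the only defences left are the ones the article lists (disable Thunderbolt in the BIOS, hibernate or power off, control physical access).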

In related news, a leaked video recently shared that Microsoft's Surface devices don't use Thunderbolt due to security concerns.

Sean Endicott
News Writer and apps editor

Sean Endicott brings nearly a decade of experience covering Microsoft and Windows news to Windows Central. He joined our team in 2017 as an app reviewer and now heads up our day-to-day news coverage. If you have a news tip or an app to review, hit him up at sean.endicott@futurenet.com.

17 Comments
  • So if you were waiting for a thunderbolt equipped Surface in the fall... No.
  • USB 4 is Coming Soon™.
  • So Microsoft's comments about the lack of security on Thunderbolt ports were valid after all. Go figure.
  • Or maybe, if you kept track of your computer,
    you wouldn't lose physical access to it.
    later
    -1
  • There is no world where a person can keep their laptop in sight 24/7/365. While this is not a way of doing mass attacks, it is a way to do targeted ones, such as against executives or government officials. I've been saying for a while that if you are not using TB explicitly, disable it in the BIOS. Many laptops give you the ability to revert that port to USB-C mode.
  • Exactly my thinking.
    Just think about all these execs and government workers that travel a ton; their hotel rooms can easily be opened, and their device compromised before they know it.
    Once you get into these targeted systems, you are in the systems of whomever they work for.
  • This still doesn't help. A BIOS reset is easy even if the BIOS is password locked. With physical access, all bets are off.
  • It's a lot harder on a laptop than on a desktop. Also security is about layers, not the idea that any one thing is a perfect defense.
  • How short-sighted. There are offices full of people who do things like go to lunch, meetings, breaks and don't shut down their computer. Executives who leave their system docked while they meander about the building. I don't need to lose my computer for someone to have access to it for 5 minutes. Can you really be that naive?
  • Yeah... They don't care: Give us Thunderbolt or your device is trash!
  • Physical access. What else is new.
    Of course you can do a lot of damage when that is true.
    Sounds like a non-issue. Hype. later
    -1
  • OMG YOU ARE SO COOL
  • This seems like a hell of a lot of work, if someone is opening up your laptop to do this you've got bigger issues than a Thunderbolt port.
  • Or you have one bad actor in the IT department. Most hacks are internal.
  • Frankly speaking, in this case they don't need Thunderspy to get what they want at all.
    In most cases it's much easier to hack your computer than the way mentioned in the article, as most users can't follow all the security rules 100% of the time. The hack is meaningful because it provides a way to access your data when the device has been obtained physically for a prolonged time, e.g., stolen, robbed, confiscated. I think it's meaningful in many cases, but don't over-exaggerate it.
  • Years ago, Microsoft was saying that it was in "talks" with Intel about the implementation of Thunderbolt. I wonder how long Microsoft has known about the vulnerability. Also, I wonder how long Intel has known...
  • While the number of people for whom this is a genuine issue is small, I'd suggest that the number of people for whom not having Thunderbolt is an issue is even smaller. Of course tech enthusiasts want all the latest and greatest features, but the percentage of the computer-using public who frequent sites like this is tiny, and even most of us don't really care too much for our own usage. Thunderbolt is genuinely important for some people but, sometimes, it seems that those people think that they are a bit more important than they actually are.