What you need to know
- An attack method called Thunderspy was recently uncovered.
- Thunderspy utilizes physical access to a device and the Thunderbolt port to gain access to people's data.
- The attack method can work even if a device is locked and has hard disk encryption.
Updated May 12, 2020: A representative reached out to clarify that "Dell Client Consumer and Commercial platforms that shipped starting in 2019 have Kernel DMA protection when SecureBoot is enabled." We have added this to the article.
Over the weekend, Eindhoven University of Technology researcher Björn Ruytenberg shared details of a new attack method dubbed "Thunderspy." The attack utilizes Thunderbolt ports to access the data of PCs. It affects devices running Windows or Linux made before 2019 as well as some devices made at later dates. The Thunderbolt port is found on millions of computers, leaving a large number of devices vulnerable to an attack. The Thunderspy style of attack requires physical access to a PC but can be accomplished in minutes with the right tools. Wired reported on the attack and added context to the vulnerability.
The Thunderspy attack method can work if a PC is locked and even if it has hard disk encryption. In many cases, this style of attack requires opening parts of a laptop with a screwdriver.
The Thunderbolt port has been utilized as a method of attack in the past. The Thunderclap vulnerability that was revealed last year allowed people to access people's data by plugging a malicious device into a Thunderbolt port. To help with that and other Thunderbolt-related vulnerabilities, Intel created Kernel Direct Memory Access Protection. This protection prevents attacks, including Thunderspy, but is not available on all PCs.
Intel shared details about the attack vulnerability in a post, stating:
In 2019, major operating systems implemented Kernel Direct Memory Access (DMA) protection to mitigate against attacks such as these. This includes Windows (Windows 10 1803 RS4 and later), Linux (kernel 5.x and later), and MacOS (MacOS 10.12.4 and later). The researchers did not demonstrate successful DMA attacks against systems with these mitigations enabled.
Despite this statement from Intel, many devices do not have the protection. According to Ruytenberg, Kernel Direct Memory Access Protection isn't available on any computers made before 2019 and is not standard today. As reported by Wired, Eindhoven researchers could only confirm that a few HP and Lenovo devices use the protection. They also reportedly couldn't find any Dell machines that use it, though that seems to be inaccurate. Since our initial report, a representative reached out regarding Dell products, stating, "Dell Client Consumer and Commercial platforms that shipped starting in 2019 have Kernel DMA protection when SecureBoot is enabled." A question and answer section of the report provides specific details on which devices are affected and provides tools to see if your specific devices are vulnerable.
Rutenberg first notified Intel of the vulnerability three months ago. Intel stated to Wired that, "While the underlying vulnerability is not new, the researchers demonstrated new physical attack vectors using a customized peripheral device." Intel also added that "For all systems, we recommend following standard security practices… including the use of only trusted peripherals and preventing unauthorized physical access to computers."
The video which is included in the report demonstrates the how an attacker could take advantage of the vulnerability. The video is just under six minutes long. According to Ruytenberg, the tools in the video only total to around $400, though the method requires an SPI programmer device and a $200 peripheral.
The vulnerability cannot be fixed with software updates. If you are concerned about your device, you should make sure that your device isn't accessed by anyone you don't trust. You can also disable a Thunderbolt port through your system's BIOS. In order to be fully protected, a person would have to disable Thunderbolt in their system's BIOS, enable hard disk encryption, and make sure their device is off when left unattended.
In related news, a leaked video recently shared that Microsoft's Surface devices don't use Thunderbolt due to security concerns.