Eindhoven University of Technology security researcher Bjrn Ruytenberg identified "Thunderspy", a series of vulnerability concerning technology Thunderbolt (all versions) and therefore devices equipped with a dedicated port, from Apple MacBooks to Windows notebooks, from 2011 to 2020. According to the researcher, Thunderspy it leaves no trace and bypasses all the security solutions of Thunderbolt technologythus allowing to spy on a system, in many cases "without the victim noticing".
For this to happen, an attacker "must have a short physical access to the system ", after which it can read and copy all data, "even if the disk was encrypted and your computer was frozen or suspended". The method is based on around $ 400 in equipment, but it also requires a device to program SPI memory and a $ 200 peripheral for the DMA attack that bypasses the lock screen. According to the researcher, the whole solution could be incorporated into a single device for about $ 10,000. "An agency made up of three letters (like the CIA, the FBI, etc.) would have no problem miniaturizing the whole thing," he said.
"Thunderspy works even if you follow best security practices by locking or suspending your computer when you leave it briefly and if the system administrator has set the device with Secure Boot, strong BIOS and operating system passwords and enabled full encryption of the all that the attacker needs are all alone 5 minutes with the computer, a screwdriver and easily portable hardware". The researcher has identified seven vulnerabilities and nine exploit scenarios that he defines "realistic"; he even created a free and open source tool, Spycheck, to determine if he has a vulnerable system.
"We have demonstrated the ability to create arbitrary identities of Thunderbolt devices, clone user authorized Thunderbolt devices and finally get PCIe connectivity to perform DMA attacks. Moreover [] we have shown the possibility of permanently disable Thunderbolt security and block all future firmware updates"reads a website dedicated to Thunderspy.
"Some systems since 2019 offer so-called Kernel DMA Protection, and are partially vulnerable," adds the researcher. "Flaws cannot be resolved via software and also affect future standards USB 4 and Thunderbolt 4, and require a redesign of the chips".
Intel, who developed the technology, it seems for di different notice and not very worried. "La basic vulnerability not new, ed been addressed in versions of the operating system last year; the researchers demonstrated potential new physical attack vectors using a custom peripheral on systems where these mitigations were not enabled, "reads a post.
"In 2019 the main operating systems implemented the Kernel Direct Memory Access (DMA) protection that mitigate attacks like these. These include Windows (Windows 10 1803 RS4 and later), Linux (kernel 5.x and later) and macOS (macOS 10.12.4 and later). Researchers have not shown effective DMA attacks on systems with these active mitigations"added Intel, however, adding that it is always advisable to use secure peripherals and not to leave physical access to unauthorized persons. Intel still promises that it will continue to improve Thunderbolt's security.
As explained by the researcher on Wired, Kernel DMA protection would not be universally implemented and Thunderbolt devices made before 2019 would be incompatible with this solution. The researcher added that he had not tracked Dell systems with Kernel DMA Protection active, including those of 2019 and later, while only some recent HP and Lenovo models would have implemented it adequately. There would therefore be millions of PCs exposed.
In short, if on the one hand the problem exists, complete with video demonstration, at the same time there would seem to be mitigations already (so Intel says at least), without forgetting that the attack requires physical access to the PC and hardware to hoc to be accomplished. In short, not an attack that can be carried out by anyone and it cannot be considered a common case. Perhaps the real problem is OEMs and their proactivity in implementing security measures, but given the discordant positions early to point the finger.
As for the world Apple instead, computers would be totally vulnerable when running Bootcamp, while they would be partially vulnerable with macOS running. It should be remembered in conclusion that Microsoft recently motivated the absence of Thunderbolt ports on Surface devices by calling into question "security reasons". Evidently in Redmond, despite the measures integrated in Windows, they seem to see it more as the researcher than as Intel.
