A new security flaw in Thunderbolt has been reported by Björn Ruytenberg, a researcher at Eindhoven University of Technology, and it is a serious one. It affects tens of millions of machines that use the Intel interface with Windows and Linux, and cannot be patched via software.
The security flaw in Thunderbolt affects all personal computers with this interface manufactured before 2019, and also current ones if they are not protected by a security mechanism known as Kernel Direct Memory Access Protection that Intel offered at the time. Manufacturers like HP and Lenovo have incorporated techniques to prevent these types of direct memory attacks through the port on most business computers and workstations.
The flaw is critical and cannot be fixed in software or firmware, only in silicon. It should be made clear, though, that this vulnerability cannot be exploited remotely and requires physical access to the equipment in question, which limits the danger. In fact, the attack technique is not easy: it requires opening the computer, connecting a hacking device and reprogramming the firmware.
Even so, “Thunderspy”, as they have called this technique, is extremely dangerous, for example if someone gets hold of your equipment in a hotel or on a means of transport. The attack can be carried out in less than five minutes and leaves no trace on the equipment. It can bypass the login screen and even disk encryption to gain full access to the computer's data. It affects Windows and Linux machines. Apple computers with macOS are not affected.
Thunderbolt: very fast, but less secure
Researchers have long been wary of the security of Intel’s Thunderbolt, which may be a problem for future standards that will build on it, such as USB4, in a very important integration for the industry. A year ago, a team of university researchers created an open source field-programmable gate array (FPGA) platform called “Thunderclap” to demonstrate that an attacker could gain control of computers by exploiting a set of vulnerabilities in the Thunderbolt port.
These vulnerabilities have been known for some years and are partially patched. The researchers explained that “Thunderclap” allows attacks on almost any computer or server with Thunderbolt input/output ports and PCI-Express connectors using malicious DMA-enabled peripherals.
And herein lies the problem. Thunderbolt is the fastest external interface port for peripherals and equipment, and it achieves this in part because it offers low-level direct memory access (DMA), with much higher privilege levels than traditional USB peripherals.
How to check if the new security flaw in Thunderbolt affects you?
The researcher has created an open source tool for checking whether a computer is affected by this vulnerability. It is used as follows:
On Windows machines
Go to the website created by the researcher and download “Spycheck for Windows”. Extract the Zip file.
Double-click the “Spycheck” file to run the tool.
Select the language and accept the GPLv3 license.
The Thunderspy tool will try to detect the Thunderbolt driver on your system. During the process, the tool may ask you to install additional custom drivers or to enter power saving mode.
After the inspection, Thunderspy will present a summary of the analysis, with a more detailed report available.
On Linux machines
Go to the website and download “Spycheck for Linux”.
Open the terminal and run the command (with root privileges) “$ sudo python3 spycheck.py”.
Spycheck will show you a detailed report. You can export the report to JSON by adding the option “-o FILE.json” to the command.
Remember that there is no complete fix for this Thunderbolt security flaw and the “Thunderspy” type of attack, just as there was none for “Thunderclap”, although security technologies that use the Kernel DMA Protection proposed by Intel (such as HP’s Sure Start Gen5) can mitigate attacks.
The researchers suggest that users concerned about this threat disable Thunderbolt in the BIOS / UEFI; the port will then continue to function as a USB port. Another, more balanced, option is not to leave laptops unattended and to take the utmost care with the accessories or peripherals we plug into the port, because attacks like Thunderclap, or any similar one, need physical access to the equipment.
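A complementary check for Linux machines, given here as an added example (it is not part of the original article and is not Spycheck's code): it reads the kernel's sysfs attributes "security" and "iommu_dma_protection" for each Thunderbolt domain to show whether the Kernel DMA Protection mentioned above is active. The function names and verdict strings are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Report Thunderbolt security level and IOMMU DMA protection per domain (Linux)."""
import sys
from pathlib import Path

# Linux kernel sysfs location for Thunderbolt domains and devices.
SYSFS_TB = Path("/sys/bus/thunderbolt/devices")


def read_attr(path):
    """Return the stripped contents of a sysfs attribute, or None if absent/unreadable."""
    try:
        return path.read_text().strip()
    except OSError:
        return None


def check_domains(root=SYSFS_TB):
    """Return one dict per Thunderbolt domain found under root."""
    results = []
    if not root.is_dir():
        return results  # no Thunderbolt controller, or driver not loaded
    for domain in sorted(root.glob("domain*")):
        dma = read_attr(domain / "iommu_dma_protection")
        results.append({
            "domain": domain.name,
            "security": read_attr(domain / "security") or "unknown",
            # "1": IOMMU-based DMA protection is in use; "0": it is not.
            # A missing attribute (older kernel) is treated as unprotected.
            "dma_protected": dma == "1",
        })
    return results


def summarize(results):
    """Reduce the per-domain results to a single verdict string (names are this example's)."""
    if not results:
        return "no-thunderbolt-domain"
    if all(r["dma_protected"] for r in results):
        return "kernel-dma-protection-active"
    return "no-kernel-dma-protection"


if __name__ == "__main__":
    found = check_domains()
    for r in found:
        print(f'{r["domain"]}: security={r["security"]} dma_protected={r["dma_protected"]}')
    verdict = summarize(found)
    print(verdict)
    sys.exit(1 if verdict == "no-kernel-dma-protection" else 0)
```

A verdict of kernel-dma-protection-active only confirms that the mitigation is switched on; Spycheck remains the tool for the full assessment.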