New Thunderbolt hack exposes your files: How to check if you’re safe [Updated]

Chris Davies - May 11, 2020, 7:47 am CDT
New Thunderbolt hack exposes your files: How to check if you’re safe [Updated]

A new Thunderbolt vulnerability could allow hackers to bypass a laptop’s security and access its files – regardless of your password – in a matter of minutes, researchers have announced. Dubbed Thunderspy, the exploit can be used on computers with encrypted drives, though it requires physical access to the notebook and Intel says that recent OSes, including Windows, macOS, and Linux, have been patched against the hack.

It’s not the first time we’ve seen Thunderbolt blamed for security issues. Last year, another exploit known as Thunderclap was discovered, which could allow a malicious USB-C or DisplayPort accessory to compromise a computer.

The exploit that Thunderspy relies upon was identified by Björn Ruytenberg, a researcher from the Eindhoven University of Technology. “Thunderspy is stealth, meaning that you cannot find any traces of the attack,” he explains. “It does not require your involvement, i.e., there is no phishing link or malicious piece of hardware that the attacker tricks you into using. Thunderspy works even if you follow best security practices by locking or suspending your computer when leaving briefly, and if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption.”

It’s not quite as simple as plugging in a Thunderbolt 3 device and instantly being granted access, mind. It works by creating arbitrary Thunderbolt device identities – which would usually be generated for authentic accessories when they’re connected – and cloning user-authorized Thunderbolt devices. To do that, a hacker would need physically access to the target PC, as well as time and opportunity to actually open it up and attach a specially-constructed piece of hardware.

Still, it’s enough to suggest that all Thunderbolt-equipped systems shipped between 2011 and 2020 are vulnerable, Ruytenberg says. He’s released a tool known as Spycheck to identify whether systems are open to being compromised.

Whether your PC, Mac, or Linux box is will depend on what version of its software it’s running. In a response from Intel, the chip-maker points to changes made to OSes last year.

“In 2019, major operating systems implemented Kernel Direct Memory Access (DMA) protection to mitigate against attacks such as these,” Intel’s Jerry Bryant, Director of Communications for Product Assurance and Security, writes. “This includes Windows (Windows 10 1803 RS4 and later), Linux (kernel 5.x and later), and MacOS (MacOS 10.12.4 and later). The researchers did not demonstrate successful DMA attacks against systems with these mitigations enabled.”

For Windows 10 systems purchased before 2019, Ruytenberg says, there’s no fix to avoid the Thunderspy exploit. Those purchased in or after 2019 may have the Kernal DMA support that Intel discusses. The same applies to Linux machines.

As for macOS, according to an Apple statement only certain aspects of Thunderspy apply. “Some of the hardware security features you outlined are only available when users run macOS,” the company told Ruytenberg. “If users are concerned about any of the issues in your paper, we recommend that they use macOS.”

[Update: An Apple spokesperson pointed us to a presentation by Ivan Krstić, Head of Security Engineering and Architecture, in which he specifically discusses the work the company did to prevent these malicious DMA attacks. “Intel introduced a technology called VT-d, which is a way to initialize an input output memory management unit to manage those kinds of DMA transfers,” Krstić explains in the talk, from around the 3 minute mark. “We have used this technology to protect the kernel since OS X Mountain Lion in 2012.”

Because of those customizations, “by the time you could plug in a Thunderbolt accessory it was contained with VT-d and it could no longer do malicious DMA” he continues. In 2015, Intel demonstrated that VT-d could be used inside UEFI firmware to protect a computer before the OS had loaded, while the BIOS was booting. Apple updated to reflect that, moving VT-d to UEFI initialization, in 2016, Krstić says, to prevent a malicious Thunderbolt accessory from having an affect if plugged in before the OS had booted. It’s worth noting that these modifications are based on macOS, and as such if you use Boot Camp to run Windows or Linux you’re not covered by them – hence Apple’s comment to the Thunderspy researchers.]

Without a comprehensive or relatively easy fix for Windows PCs and Linux machines, the general advice is caution about what you connect to your Thunderbolt-quipped system, and when you leave it unattended – even if locked. For most, this hands-on hack won’t be a particularly pressing concern, but those who are especially at-risk due may want to disable Thunderbolt completely in the UEFI (BIOS), it’s suggested.

Must Read Bits & Bytes