‘Thunderspy’ enlightening—very, very frightening

Richi Jennings Your humble blogwatcher, dba RJA

Seven flaws in Thunderbolt ports let an attacker fully access data on recent PCs and some Macs. Is this just fantasy?

The bugs bypass Intel’s security controls, so malefactors can decrypt drives with ease. Didn’t mean to make you cry.

And the researchers threw shade on Intel for its response to their disclosure. Sends shivers down my spine.

However, the attack isn’t trivial to pull off. In this week’s Security Blogwatch, we see a little silhouetto of a vuln.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Pandemic vs. Planes.

IOMMU, Figaro!

What’s the craic? Andy Greenberg reports—Thunderbolt Flaws Expose Millions of PCs to Hands-On Hacking:

Security researchers have long been wary of Intel's Thunderbolt interface as a potential security issue. … On Thunderbolt-enabled Windows or Linux PCs manufactured before 2019, [Thunderspy] can bypass the login screen of a sleeping or locked computer—and even its hard disk encryption—to gain full access to the computer's data.

It leaves no trace of intrusion and can be pulled off in just a few minutes. … There's no easy software fix. [It’s] both unpatched and unpatchable for millions of computers.

The fact that Thunderbolt remains a viable attack method for evil maids isn't entirely unexpected, says Karsten Nohl, a well-known hardware security researcher. … Still, he was surprised to see how easily Intel's "security levels" can be bypassed.

Users may want to disable their Thunderbolt port altogether in their computer's BIOS … enable hard disk encryption, and turn their computers off entirely when they leave them unattended.

And Sergiu Gatlan adds—New Thunderbolt security flaws:

The new attack, discovered by Eindhoven University of Technology researcher Björn Ruytenberg, [allows] attackers to steal information from any vulnerable Thunderbolt-enabled device. … "All systems released before 2019, and more recent systems that do not ship Kernel DMA Protection, will remain fully vulnerable to Thunderspy forever," the researcher explains.

For Linux and Windows users, all systems purchased before 2019 are vulnerable … while devices bought during and after 2019 might [be]. Macs from 2011 and older, except for Retina MacBooks, are all impacted.

Intel confirmed that the vulnerabilities are valid but [can] not mitigate the Thunderspy vulnerabilities by issuing a patch [as it] would require a silicon redesign.

Björn who? Björn Ruytenberg—When Lightning Strikes Thrice:

We have found 7 vulnerabilities in Intel’s design and developed 9 realistic scenarios how these could be exploited by a malicious entity to get access to your system, past the defenses that Intel had set up for your protection. … Thunderspy enables creating arbitrary … device identities and cloning user-authorized … devices, even in the presence of Security Levels pre-boot protection and cryptographic device authentication.

Our research has found the following vulnerabilities:
  1. Inadequate firmware verification schemes
  2. Weak device authentication scheme
  3. Use of unauthenticated device metadata
  4. Downgrade attack using backwards compatibility
  5. Use of unauthenticated controller configurations
  6. SPI flash interface deficiencies
  7. No Thunderbolt security on Boot Camp
These vulnerabilities lead to nine practical exploitation scenarios.

We disclosed vulnerabilities 1-5 to Intel on February 10. They wrote on March 10 … that vulnerabilities 3-5 were new to them. After further research we disclosed vulnerability 6, which Intel confirmed on March 17. … We informed Apple of vulnerability 7 on April 17.

In our first email we asked Intel to promptly notify affected parties, in coordination with us. However, Intel did not take any action and finally, after several email exchanges, listed only 5 parties whom they would inform. We then sent them a list of other parties we had identified as affected, including 11 OEMs/ODMs and the Linux kernel security team. Eventually they notified us that they informed some parties on 25 March about the vulnerabilities and upcoming disclosure, without giving us details of what this information consisted of and whom exactly they contacted. We reached out to several more parties after realizing that they had been skipped by Intel.

Yikes, Intel. Jerry Bryant puts on his big-boy PR pants—More Information on Thunderbolt™ Security:

In February 2020, researchers from Eindhoven University of Technology … discussed issues related to invasive physical attacks on Thunderbolt™ hosts and devices. While the underlying vulnerability is not new and was addressed in operating system releases last year, the researchers demonstrated new potential physical attack vectors using a customized peripheral device on systems that did not have these mitigations enabled.

We thank the researchers from Eindhoven University for reporting this to us.

Wait, so “nothing to see here”? Shaun Nichols mocks—Incredible how you can steal data via Thunderbolt once you've taken the PC apart, attached a flash programmer, rewritten the firmware...:

Let's be frank: This is, for most people, more of a neat trick than infosec Armageddon. A miscreant would need to have physical access to the machine long enough to unscrew the case, attach an SPI flash programmer with an SOP8 clip to rewrite the Thunderbolt port controller's firmware to unlock access, and then attach a device to the interface to copy data via PCIe and DMA through the port, and then, if necessary, flash back the original firmware and fit the computer back together.

It's not bad news if your threat model already assumed physical access was a game-over scenario. It's not something that can be exploited over the internet or network, or by malware running on your PC or Mac.

Similarly, thereddaikon eyerolls furiously:

This shouldn't be a surprise or revelation to anyone. It's a natural consequence of DMA. The whole point is to access system memory without having to go through the CPU and reduce overhead.

It's an explicit and intentional feature. DMA support allows Thunderbolt to act as external PCIe. Without it eGPU and other accessories wouldn't be possible.

[If] the attacker can physically access the machine, don't let them do it. If they can lay hands on the device you have already lost. That's rule #1 of security.

Um, okay. doublelayer offers a more nuanced view:

While it's not useless, it only works in a relatively small number of cases. And in many of those cases, there is a more direct method of getting access.

It's a good reminder to those who are concerned about an attacker of that level of skill and determination to avoid suspending to memory, but that has been known for some time.

So just epoxy up the TB port? Careful with that ax, Junta:

On some laptops the only charging ports are Thunderbolt ports. So you have to leave the port available or your laptop won't be able to recharge.

But HildyJ has a better use for said glue:

For anyone seriously worried about this, epoxy the screws to case.

Meanwhile, iggymanz cuts to the chase:

If you go to the bathroom and leave your laptop in a coffee shop, you're a naive dumbass.

The moral of the story?

Choose up-to-date hardware, and configure it correctly. And consider disabling suspend.
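A defender-side check for the Linux half of that advice, added here as an example; it is not code from the column or from the Thunderspy researchers. It reads the attributes the Linux thunderbolt driver exposes under /sys/bus/thunderbolt/devices/domainN/ (the assumed location of `security` and `iommu_dma_protection`) and reports whether the host has Kernel DMA Protection, relies on Security Levels alone, or has neither.

```shell
#!/bin/sh
# Added example, not from the column or from the researchers' tooling.
# Reads the Thunderbolt sysfs attributes the Linux driver exposes under
# /sys/bus/thunderbolt/devices/domainN/ (assumed present on a kernel with
# the thunderbolt driver) and reports whether the host enforces Kernel DMA
# Protection (IOMMU) or relies on Security Levels alone.
# assess_domain DIR: prints a verdict for one controller domain and returns
# 0 = IOMMU-backed DMA protection, 1 = Security Levels only, 2 = unprotected.
assess_domain() {
    dir=$1
    security=$(cat "$dir/security" 2>/dev/null || echo unknown)
    iommu=$(cat "$dir/iommu_dma_protection" 2>/dev/null || echo 0)
    if [ "$iommu" = "1" ]; then
        echo "$dir: iommu_dma_protection=1 security=$security -> Kernel DMA Protection active"
        return 0
    fi
    case "$security" in
        none)
            echo "$dir: security=none, no IOMMU protection -> any plugged-in device gets PCIe/DMA"
            return 2 ;;
        user|secure|dponly|usbonly|nopcie)
            echo "$dir: security=$security, no IOMMU protection -> Security Levels only (Thunderspy bypasses these)"
            return 1 ;;
        *)
            echo "$dir: cannot read Thunderbolt security attributes (driver too old?)"
            return 2 ;;
    esac
}
# check_host [ROOT]: walks every domain under ROOT (default: the real sysfs
# path) and returns the worst verdict found; no domains at all means the
# controller is absent, disabled in firmware, or the driver is not loaded.
check_host() {
    root=${1:-/sys/bus/thunderbolt/devices}
    worst=0; found=0
    for d in "$root"/domain*; do
        [ -d "$d" ] || continue
        found=1
        rc=0; assess_domain "$d" || rc=$?
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no Thunderbolt domain under $root (no controller, disabled in firmware, or driver not loaded)"
    fi
    return "$worst"
}
# Report on the live system, or on a sysfs-like directory passed as $1.
status=0; check_host "${1:-}" || status=$?
```

A result of 1 is the case the column describes: Security Levels set but no IOMMU enforcement, so a machine that is asleep or locked still exposes its memory to a crafted peripheral.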

And finally

Any way the wind blows

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image sauce: Keli Black (Pixabay)
