Eindhoven University of Technology researcher Björn Ruytenberg revealed the details of a new attack method he's calling Thunderspy - which targets devices with a Thunderbolt port. 

Thunderbolt, explains Ruytenberg, is a high-bandwidth interconnect promoted by Intel and included in laptops, desktops, and other systems. Being PCIe-based, Thunderbolt devices possess Direct Memory Access (DMA)-enabled I/O, he says. In an evil maid DMA attack, where adversaries obtain brief physical access to the victim system, Thunderbolt has been shown to be a viable entry point in stealing data from encrypted drives and reading and writing all of system memory, he adds. In response, Intel introduced Security Levels, a security architecture designed to enable users to authorize trusted Thunderbolt devices only and is said to provide “cryptographic authentication of connections” to prevent devices from spoofing user-authorized devices.

Ruytenberg presented Thunderspy, a series of attacks that break all primary security claims for Thunderbolt 1, 2, and 3. So far, he found the following vulnerabilities:

  1. Inadequate firmware verification schemes
  2. Weak device authentication scheme
  3. Use of unauthenticated device metadata
  4. Downgrade attack using backwards compatibility
  5. Use of unauthenticated controller configurations
  6. SPI flash interface deficiencies
  7. No Thunderbolt security on Boot Camp

Thunderspy is stealth, meaning that you cannot find any traces of the attack, notes Ruytenberg - it does not require your involvement, i.e., there is no phishing link or malicious piece of hardware that the attacker tricks you into using. Ruytenberg warns that the attack works even if you follow best security practices by locking or suspending your computer when leaving briefly, and if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption. All the attacker needs is 5 minutes alone with the computer, a screwdriver, and some easily portable hardware, claims Ruytenberg.

Ruytenberg notes that the Thunderspy vulnerabilities cannot be fixed in software, impact future standards such as USB 4 and Thunderbolt 4, and will require a silicon redesign. He encourages users to determine whether they are affected using Spycheck, a free and open-source tool he and other researchers have developed that verifies whether their systems are vulnerable to Thunderspy. If it is found to be vulnerable, Spycheck will guide users to recommendations on how to help protect their system.

Hank Schless, Senior Manager, Security Solutions at Lookout, says, "Whether on a laptop or a mobile device, direct access to the device gives the attacker free rein to load malware. In the case of mobile, the most likely attack chain would be to jailbreak the device and load spyware or surveillanceware. These types of malware give the attacker direct access to everything on the device, including the ability to log keystrokes, steal logins to corporate apps, and steal other personal data."

Any time someone requests physical access to your device, whether a laptop, phone, or tablet, there is cause for concern, he says. "Being able to load a malicious payload directly to the device bypasses many security tools with the attacker leaving no trace of meddling with the device. Even something as simple as a stranger asking to charge their device on your laptop could be a way for them to load malware. In order to protect themselves, consumers should always have their devices in their possession and not let anyone they don't know have access to their device," he adds. 

Attacks like this that have to take place in-person can pose just as much of a threat to an organization as over-the-air attacks, Schless notes. "If employees are frequently on the road, they are constantly handing their phones and laptops over to border agents. Sometimes, those devices are taken out of sight by an agent and returned in what seems like the same state, but in the case of a mobile phone or tablet it could have easily been jailbroken and had spyware loaded on without the user's knowledge," he says.

Enterprises, he claims, should ensure that devices have endpoint security on them, whether for mobile devices or for laptops, that can check the health of the device before allowing it to access corporate infrastructure. "With this capability, the device will be blocked from accessing anything internal to the organization if it's flagged for being infected with malware," Schless explains. "The entire organization is protected, and IT and security teams are alerted that the device is infected and can put policies in place for next steps according to their corporate security posture."

Alex Useche, Senior Consultant at nVisium, notes that if an attacker can use Thunderspy to access your laptop account, they would be able to access all your files and even impersonate your accounts, as applications like Outlook rarely require users to re-enter their credentials. "The impact is much more significant if your laptop logs in to the internal network automatically without requiring additional authentication, as now attackers have access to your company's data," Useche says. "Consumers who misplace and lose their laptops at a public place may often find comfort on the fact that their laptops are at least secured by a password. Thunderspy throws that protection out the window. This is especially true in cases where the only password needed to access a user's files in the Windows password. As a result, it becomes even more necessary to avoid leaving laptops unattended, whether at a public space, at the office, or even a hotel room."

For more information, please visit Björn Ruytenberg's blog at https://thunderspy.io/