Thunderspy vulnerability in Thunderbolt 3 allows hackers to steal files from Windows and Linux machines
Security researcher Björn Ruytenberg has revealed details of a vulnerability in the Thunderbolt 3 standard. The security flaw means that it is possible for a hacker with physical access to a computer to copy data even if the files are encrypted and the computer is locked.
The vulnerability affects all systems with Thunderbolt ports that shipped between 2011 and 2020, but some systems that shipped since 2019 have Kernel DMA Protection, which means they are only partly at risk. Testing tools are available for both Windows and Linux so you can check whether your computer is vulnerable.
Writing about his findings, Ruytenberg explains that Thunderspy is a stealth attack that leaves no traces, and no form of phishing or social engineering is needed. Another particularly worrying feature of the vulnerability is just how quickly it can be executed. In all, a total of seven vulnerabilities were found in Intel's Thunderbolt 3 implementation. Intel, Apple, 11 OEMs/ODMs and the Linux kernel security team have been notified about the problems.
Thunderspy works even if you follow best security practices by locking or suspending your computer when leaving briefly, and if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption. All the attacker needs is 5 minutes alone with the computer, a screwdriver, and some easily portable hardware.
You can download Spycheck for Windows or Spycheck for Linux to find out if your computer is at risk. The bad news is that there isn't a fix available for these vulnerabilities at the moment. If your system is found to be at risk, all you can really do is to follow the best practice advice of not leaving your computer unattended.
Intel has responded to the vulnerability with a blog post in which Jerry Bryant, director of security communication in the Intel Platform Assurance and Security group, says:
In February 2020, researchers from Eindhoven University of Technology reached out to Intel with a report on Thunderbolt™, which they refer to as "Thunderspy".
In the report, they discussed issues related to invasive physical attacks on Thunderbolt™ hosts and devices. While the underlying vulnerability is not new and was addressed in operating system releases last year, the researchers demonstrated new potential physical attack vectors using a customized peripheral device on systems that did not have these mitigations enabled.
In 2019, major operating systems implemented Kernel Direct Memory Access (DMA) protection to mitigate against attacks such as these. This includes Windows (Windows 10 1803 RS4 and later), Linux (kernel 5.x and later), and MacOS (MacOS 10.12.4 and later). The researchers did not demonstrate successful DMA attacks against systems with these mitigations enabled. Please check with your system manufacturer to determine if your system has these mitigations incorporated. For all systems, we recommend following standard security practices, including the use of only trusted peripherals and preventing unauthorized physical access to computers.
For additional resources, refer to the Microsoft article on Thunderbolt™ Security in Windows 10 and the corresponding article from Intel in 2019.
As part of the Security-First Pledge, Intel will continue to improve the security of Thunderbolt™ technology, and we thank the researchers from Eindhoven University for reporting this to us.
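On Linux, the Kernel DMA Protection state mentioned in Intel's statement can be read per Thunderbolt domain from sysfs. The script below is an added example, not part of the original article and not Spycheck; it assumes the kernel thunderbolt driver's `security` and `iommu_dma_protection` attributes under /sys/bus/thunderbolt/devices, and the function names and the ROOT argument are hypothetical.

```shell
#!/bin/sh
# Added example, not Spycheck: report Kernel DMA Protection per Thunderbolt domain.
# Assumes the Linux thunderbolt driver's sysfs attributes `security` and
# `iommu_dma_protection`; function names and the ROOT argument are hypothetical.

# tb_domain_status DIR: print "<domain> security=<level> dma_protection=<yes|no|unknown>"
tb_domain_status() {
    dir=$1
    level=unknown
    dma=unknown
    [ -r "$dir/security" ] && level=$(cat "$dir/security")
    if [ -r "$dir/iommu_dma_protection" ]; then
        case $(cat "$dir/iommu_dma_protection") in
            1) dma=yes ;;
            0) dma=no ;;
        esac
    fi
    printf '%s security=%s dma_protection=%s\n' "$(basename "$dir")" "$level" "$dma"
}

# tb_check [ROOT]: one line per domain. Return status:
#   0  every domain reports IOMMU-based DMA protection
#   1  at least one domain does not (attribute is 0, or missing on older kernels)
#   2  no Thunderbolt domain found (no controller, or driver not loaded)
tb_check() {
    root=${1:-/sys/bus/thunderbolt/devices}
    found=0
    result=0
    for d in "$root"/domain*; do
        [ -d "$d" ] || continue          # unmatched glob stays literal; skip it
        found=1
        line=$(tb_domain_status "$d")
        printf '%s\n' "$line"
        case $line in
            *dma_protection=yes) ;;
            *) result=1 ;;
        esac
    done
    if [ "$found" -eq 0 ]; then
        echo "no Thunderbolt domain under $root" >&2
        return 2
    fi
    return "$result"
}

# Inspect the running system only when asked: TB_CHECK_RUN=1 sh tb_check.sh
if [ "${TB_CHECK_RUN:-}" = 1 ]; then tb_check; fi
```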