Eindhoven University of Technology researcher Björn Ruytenberg has revealed that Intel’s high-speed interface, Thunderbolt, suffers from seven vulnerabilities that allow malicious users to read and copy all of a host machine’s data, even if the drives are encrypted. Although physical access is required, the attack method – which Ruytenberg has dubbed “Thunderspy” – leaves zero traces and can be exploited in as little as five minutes with a screwdriver and portable hardware.
Thunderspy comprises the following vulnerabilities, which affect all three iterations of Thunderbolt:
- Inadequate firmware verification schemes
- Weak device authentication scheme
- Use of unauthenticated device metadata
- Downgrade attack using backwards compatibility
- Use of unauthenticated controller configurations
- SPI flash interface deficiencies
- No Thunderbolt security on Boot Camp
“These vulnerabilities lead to nine practical exploitation scenarios,” Ruytenberg explains. “In an evil maid threat model and varying Security Levels, we demonstrate the ability to create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices, and finally obtain PCIe connectivity to perform DMA attacks. In addition, we show unauthenticated overriding of Security Level configurations, including the ability to disable Thunderbolt security entirely, and restoring Thunderbolt connectivity if the system is restricted to exclusively passing through USB and/or DisplayPort. We conclude with demonstrating the ability to permanently disable Thunderbolt security and block all future firmware updates.”
Unfortunately, these vulnerabilities cannot be fixed in software and affect all Thunderbolt-equipped systems shipped between 2011 and 2020. Ruytenberg has released a free and open-source tool, Spycheck, for those who’d like to confirm whether their machines are affected by Thunderspy.