Thunderbolt flaw gives physical attacker access to locked PC
Various vulnerabilities in Thunderbolt 1, 2, and 3 allow an attacker with physical access to a locked computer to unlock the system, according to Dutch security researcher Björn Ruytenberg of Eindhoven University of Technology.
The issue affects all Thunderbolt-equipped systems released between 2011 and 2020. It does not matter whether the target is running Linux or Windows. macOS is partly vulnerable. Macs running Linux or Windows via Boot Camp are completely vulnerable. To perform the attack, which Ruytenberg dubbed Thunderspy, an attacker must first open the targeted system. The vulnerabilities then make it possible to reprogram the Thunderbolt firmware.
Intel developed “Security Levels” to prevent abuse through the Thunderbolt port. With this security measure, the system accepts only Thunderbolt devices that the user has approved, or Thunderbolt can be disabled in the operating system. However, by reprogramming the firmware, it is possible to change the configured security level so that arbitrary Thunderbolt devices are accepted. This change is not visible to the operating system.
After an attacker modifies the firmware, he can connect his own Thunderbolt device to bypass the computer’s screen lock. The entire attack can be carried out within five minutes. According to Ruytenberg, the Thunderspy vulnerabilities cannot be remedied with a software update. Some systems equipped with Kernel DMA Protection, which was introduced to protect against the Thunderclap attack unveiled last year, are partially vulnerable, the researcher said. Kernel DMA Protection is not yet available on all new computers, and many 2019 Thunderbolt devices are not compatible with the security measure.
Ruytenberg developed a tool for Linux and Windows called Spycheck that allows users to check whether their system is at risk. To protect against a Thunderspy attack, users are advised to use hibernation (Suspend-to-Disk) or to shut the system down completely. In any case, users should avoid leaving a locked computer unattended. Users who do not use Thunderbolt are advised to disable the interface via the UEFI / BIOS. Ruytenberg demonstrates the attack in this video:
https://www.youtube.com/watch?v=7uvSZA1F9os
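
For Linux systems, the sketch below reports the Security Level and Kernel DMA Protection state that the kernel exposes for each Thunderbolt domain. It is an added example, not Spycheck and not Ruytenberg's code. It assumes the Linux thunderbolt driver's sysfs attributes `security` and `iommu_dma_protection`; the function names, verdict labels and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: report what the Linux thunderbolt driver exposes per domain.
# Assumption: sysfs attributes "security" and "iommu_dma_protection" under
# /sys/bus/thunderbolt/devices/domainN (Linux thunderbolt driver).

tb_audit() {
    root="${1:-/sys/bus/thunderbolt/devices}"
    found=0
    for d in "$root"/domain*; do
        if [ ! -d "$d" ]; then continue; fi
        found=1
        level=unknown
        dma=unknown
        if [ -r "$d/security" ]; then level=$(cat "$d/security"); fi
        if [ -r "$d/iommu_dma_protection" ]; then
            dma=$(cat "$d/iommu_dma_protection")
        fi
        # The reported Security Level alone is not trusted here: per the
        # article, a firmware change to it is not visible to the OS.
        if [ "$dma" = "1" ]; then
            verdict="kernel-dma-protection-active"
        elif [ "$level" = "none" ]; then
            verdict="no-protection-reported"
        else
            verdict="security-level-only"
        fi
        printf '%s security=%s iommu_dma_protection=%s verdict=%s\n' \
            "${d##*/}" "$level" "$dma" "$verdict"
    done
    if [ "$found" -eq 0 ]; then echo "no-thunderbolt-domain"; fi
}

# Constructed sample tree (not real sysfs) for trying the function offline.
tb_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/domain0" "$t/domain1" "$t/domain2"
    echo user > "$t/domain0/security"
    echo 0 > "$t/domain0/iommu_dma_protection"
    echo user > "$t/domain1/security"
    echo 1 > "$t/domain1/iommu_dma_protection"
    echo none > "$t/domain2/security"   # older kernel: attribute file absent
    echo "$t"
}

tb_audit   # audit the live system's sysfs tree
```

A `kernel-dma-protection-active` verdict still corresponds to what the article calls partially vulnerable, so the shutdown, hibernation and UEFI / BIOS advice above applies regardless of the result.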