A new attack method enables bad actors to access
data on a locked computer via an evil maid attack within 5 minutes
Millions of computers
sporting Intel’s Thunderbolt ports are open to hands-on hacking attempts due to
vulnerabilities in this hardware interface, according to research by Björn Ruytenberg, a security researcher at Eindhoven University of Technology in The
Netherlands. Dubbed Thunderspy, the attack method affects Thunderbolt-equipped
machines manufactured between 2011 and 2020 and is a concern with machines
running any of the three major operating systems – Windows, Linux and, to a
lesser extent, macOS.
To snatch data from a PC
through a so-called evil maid attack, all a bad actor would need is a few minutes, physical access to the
device, and some off-the-shelf equipment. “All the evil maid needs to do is
unscrew the backplate, attach a device momentarily, reprogram the firmware,
reattach the backplate, and the evil maid gets full access to the
laptop,” Ruytenberg told Wired, adding that the whole process could be managed within five minutes. A
total of 7 vulnerabilities were found to affect Thunderbolt versions 1 through
3 and they’re all listed out in detail in the research paper.
The attack method works
even if you follow cybersecurity best practices, such as locking your computer
when stepping out for a moment and using strong passwords and measures such as full disk encryption. Above all, the attack leaves no traces.
As a proof of concept,
Ruytenberg developed a firmware patching toolkit called Thunderbolt Controller
Firmware Patcher (tcfp), which allows him to disable Thunderbolt security
without accessing the machine’s BIOS or operating system. Since all of this
takes place covertly and the changes aren’t reflected in BIOS, the victim
remains none the wiser.
Ruytenberg also developed
another tool, called SPIblock. Using it in tandem with tfcp, he managed to
disable Thunderbolt security for good and block all future firmware updates,
all the while remaining undetected.
Thunderbolt security was
also in the spotlight last year, when a team of researchers was able to uncover
a collection of vulnerabilities they named Thunderclap. Fortunately, those could be mitigated by security
options, called “Security Levels”, that were already available at the time.
Not so much with
Thunderspy, as this attack method circumvents these security settings. On the
other hand, what does guard against it is Kernel Direct Memory Access (DMA)
protection that was introduced in 2019, as Intel states in its response to the published report.
Ruytenberg concludes that
an update won’t be enough to fix the issue: “The Thunderspy vulnerabilities
cannot be fixed in software, impact future standards such as USB 4 and
Thunderbolt 4, and will require a silicon redesign.”
If you’re worried that your
computer may be susceptible to an attack, you can use Spycheck, a tool
specifically developed by the researcher to scan for Thunderspy vulnerabilities.
To protect yourself, you shouldn’t leave your computer unattended while powered
on even if you locked the screen; the same applies to your Thunderbolt
peripherals. Ruytenberg also recommends disabling your Thunderbolt ports
entirely in BIOS, which would render them inoperable but should keep you safe.