Thunderbolt flaw lets hackers steal your data in 'five minutes'

Attackers with access can grab encrypted data even if you lock your PC.

By Haotian0905 - Own work, CC BY-SA 3.0

Attackers can steal data from Thunderbolt-equipped PCs or Linux computers, even if the computer is locked and the data encrypted, according to security researcher Björn Ruytenberg (via Wired). Using a relatively simple technique called “Thunderspy,” someone with physical access to your machine could nab your data in just five minutes with a screwdriver and “easily portable hardware,” he wrote.

Thunderbolt offers extremely fast transfer speeds by giving devices direct access to your PC’s memory, which also creates a number of vulnerabilities. Researchers previously thought those weaknesses (dubbed Thunderclap), could be mitigated by disallowing access to untrusted devices or disabling Thunderbolt altogether but allowing DisplayPort and USB-C access.

However, Ruytenberg’s attack method could get around even those settings by changing the firmware that controls the Thunderbolt port, allowing any device to access it. What’s more, the hack leaves no trace, so the user would never know their PC was altered.

If you intend to use Thunderbolt connectivity, we strongly recommend to: Connect only your own Thunderbolt peripherals; never lend them to anybody; avoid leaving your system unattended while powered on, even when screenlocked; avoid leaving your Thunderbolt peripherals unattended; ensure appropriate physical security when storing your system and any Thunderbolt devices, including Thunderbolt-powered displays; consider using hibernation (Suspend-to-Disk) or powering off the system completely. Specifically, avoid using sleep mode (Suspend-to-RAM).

He developed something called an “evil maid attack” in reference to an attacker who gets physical access to a PC in a hotel room, for instance. "All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate, and the evil maid gets full access to the laptop," Ruytenberg told Wired. "All of this can be done in under five minutes."

The attack only requires about $400 worth of gear, including an SPI programmer and $200 Thunderbolt peripheral. The whole thing could be built into a single small device. “Three-letter agencies would have no problem miniaturizing this,” Ruytenberg said.

Intel recently created a Thunderbolt security system called Kernel Direct Memory Access Protection that would stop Ruytenberg’s Thunderspy attack. However, that protection is only available on computers made in 2019 and later, so it’s lacking in any models manufactured prior to that. In addition, many PCs manufactured in 2019 and later from Dell, HP and Lenovo aren’t protected, either. This vulnerability might explain why Microsoft didn’t include Thunderbolt in its Surface laptops.

Apple computers running macOS are unaffected by the vulnerability unless you’re running Boot Camp, according to Ruytenberg.

The researchers disclosed the vulnerabilities to Intel on February 10th, 2020, and to Apple on April 17th. To find out if you’re vulnerable, they created a verification tool called Spycheck. To protect yourself, you should “avoid leaving your system unattended while powered on, even if screenlocked,” Ruytenberg wrote, avoid using sleep mode and ensure the physical security of your Thunderbolt peripherals.

Update 5/11/2020 3:13 PM ET: Intel has confirmed that the attack doesn’t work on computers that do have Kernal DMA protection enabled. “This attack could not be successfully demonstrated on systems with Kernel DMA protection enabled. As always, we encourage everyone to follow good security practices, including preventing unauthorized physical access to computers,” a spokesperson told Engadget in a statement. In addition, Intel has released a blog post giving its own perspective on the issue.

Update 5/12/2020 4:10 AM ET: A Dell spokesperson told Engadget that “Dell Client Consumer and Commercial platforms that shipped starting in 2019 have Kernel DMA protection when SecureBoot is enabled. This offers protection from “Thunderspy” per Intel guidance.”