Eindhoven security researchers find fatal vulnerabilities in Thunderbolt
The weaknesses allow hackers unobserved access to millions of computers.
A TU/e master student has found fatal flaws in the security of Thunderbolt, a popular technology developed by Intel and Apple to quickly transfer data to and from a computer. The research shows that a hacker can easily get around the protections put in place by Intel to prevent malicious attacks. The vulnerabilities affect millions of computers and laptops. Intel has so far not provided any effective solution for these devices. Master student Björn Ruytenberg and his supervisors from the faculty of Mathematics and Computer Science recommend that all users who have Thunderbolt on their systems disable the functionality.
Update 7 August 2020
In response to Thunderspy, Intel stated that some systems produced after 2019 are safe by default, but it failed to fix older systems, some less than a year old. This left tens of millions of computer users out in the cold.
Considering it his responsibility to help these people, Ruytenberg set out to develop a user-focused mitigation for the Thunderspy vulnerability. On 7 August, coinciding with Black Hat USA 2020, a major security conference, Ruytenberg presented Thunderspy 2, providing a patch for the older systems. You can find all the details and downloads at this webpage. For more on his presentation at Black Hat USA 2020, check out this page.
Thunderbolt is a computer port that allows for high-speed data transmission between a PC or laptop and other devices, such as hard drives. The technology is found in tens or hundreds of millions of devices worldwide. Almost every new laptop and desktop computer since 2011 ships with Thunderbolt. The port can be recognized by the small flash symbol.
Intel claims that access through Thunderbolt is protected by cryptography, which should prevent all but the best-funded adversaries from getting unauthorized access. “However,” says Ruytenberg, “to my surprise there was essentially nothing resembling modern cryptography. The little I found I could easily break or bypass.”
Ruytenberg found seven vulnerabilities in Intel’s design and developed nine realistic scenarios (collectively known as Thunderspy) for how these could be exploited by a malicious party. Thunderspy does not require any action by the victim, such as inadvertently connecting malicious devices or installing untrusted software.
All the attacker needs is five minutes alone with the computer, a screwdriver, and some easily portable hardware. Once they are in, they can read and copy all data, even if the drive is encrypted and the computer is locked or set to sleep. Thunderspy is also stealthy: it leaves no traces of the attack.
Professor Tanja Lange, who together with PhD student Jacob Appelbaum supervised the master thesis, says the research fills important gaps in existing knowledge about the Thunderbolt protocol. “Björn has researched how the security mechanisms of Thunderbolt work and how Intel tries to stop unauthorized access to data on the computer. His findings have exposed vulnerabilities that threaten virtually every computer that has a Thunderbolt port and runs Windows or Linux.”
Appelbaum says Ruytenberg is an extremely driven and talented student. “It is always gratifying when master students reach research level.”
The TU/e research team contacted Intel about the findings in February. The company has since confirmed the vulnerabilities. Unfortunately, the only solution offered by Intel so far has been Kernel DMA Protection. This feature protects against some of the vulnerabilities in Thunderbolt, but it has only been available since 2019 and only on a limited number of PCs and laptops. And, because Kernel DMA Protection requires hardware support, it cannot be retrofitted to older systems. Every Thunderbolt-enabled system produced before 2019 and the majority of systems since, almost a full decade of deployed devices, will receive no patch or update.
Check your computer
So what does this mean for your device? Ruytenberg recommends that all users of PCs and laptops download Spycheck, a special tool he developed that can check whether they are affected. Spycheck will guide users to recommendations on how to help protect their system. One of the solutions Ruytenberg proposes is disabling Thunderbolt completely in the BIOS settings of the device. He says it is also wise not to leave any Thunderbolt-enabled system unattended, even for just five minutes.
- Thunderspy site
- YouTube-clip demonstrating attack exploiting Thunderspy vulnerability
- BlackHat2020 presentation slides
- Wired article