date 2014-05-20
from the physical-access-==-you-lose,-eventually dept.
Thunderspy, as its creator Björn Ruytenberg has named the attack, in most cases requires the attacker to remove the screws from the computer casing. From there, the attacker locates the Thunderbolt chip and connects a clip, which in turn is connected to a series of commodity components—priced about $600—which is connected to an attacker laptop. These devices analyze the current Thunderbolt firmware and then reflash it with a version that's largely the same except that it disables any of the Intel-developed security features that are turned on.
[...] "There are seriously tons and tons of things you can do to a PC once you open the case," says Hector Martin, an independent security researcher with extensive experience in hacking or reverse-engineering the Nintendo Wii, several generations of the Sony PlayStation, and other devices with strong defenses against physical attacks. "The evil maid threat model is interesting when you restrict it to plugging things into ports, because that can be done very quickly when e.g. the target is just looking away."
[...] Readers who are left wondering how big a threat Thunderspy poses should remember that the high bar of this attack makes it highly unlikely it will ever be actively used in real-world settings, except, perhaps, for the highest-value targets coveted by secretive spy agencies. Whichever camp has a better case, nothing will change that reality.
Attackers can steal data from Thunderbolt-equipped PCs or Linux computers, even if the computer is locked and the data encrypted, according to security researcher Björn Ruytenberg (via Wired). Using a relatively simple technique called "Thunderspy," someone with physical access to your machine could nab your data in just five minutes with a screwdriver and "easily portable hardware," he wrote.
Thunderbolt offers extremely fast transfer speeds by giving devices direct access to your PC's memory, which also creates a number of vulnerabilities. Researchers previously thought those weaknesses (dubbed Thunderclap) could be mitigated by disallowing access to untrusted devices or disabling Thunderbolt altogether but allowing DisplayPort and USB-C access.
However, Ruytenberg's attack method could get around even those settings by changing the firmware that controls the Thunderbolt port, allowing any device to access it. What's more, the hack leaves no trace, so the user would never know their PC was altered.
[...] The attack only requires about $400 worth of gear, including an SPI programmer and $200 Thunderbolt peripheral. The whole thing could be built into a single small device. "Three-letter agencies would have no problem miniaturizing this," Ruytenberg said.
Intel recently created a Thunderbolt security system called Kernel Direct Memory Access Protection that would stop Ruytenberg's Thunderspy attack. However, that protection is only available on computers made in 2019 and later, so it's lacking in any models manufactured prior to that. In addition, many PCs manufactured in 2019 and later from Dell, HP and Lenovo aren't protected, either. This vulnerability might explain why Microsoft didn't include Thunderbolt in its Surface laptops.
Apple computers running macOS are unaffected by the vulnerability unless you're running Boot Camp, according to Ruytenberg.
Intel's official response appears in this blog post.
See Spycheck to test if your system is vulnerable.
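For Linux machines, the distinction drawn above between the Thunderbolt security settings and Kernel DMA Protection can be read from sysfs. The following is an added example, not part of the original post and not Spycheck's code; it assumes the `security` and `iommu_dma_protection` attributes exposed by the Linux kernel's Thunderbolt driver, and the function name and verdict strings are hypothetical.

```python
from pathlib import Path


def _read(path):
    """Return a sysfs attribute's text, or None if the file is absent or unreadable."""
    try:
        return path.read_text().strip()
    except OSError:
        return None


def assess_thunderbolt(sysfs_root="/sys/bus/thunderbolt/devices"):
    """Map each Thunderbolt domain to (security_level, verdict).

    Verdict strings are this example's own labels (assumption):
      kernel-dma-protection: IOMMU-based protection is active for the domain
      security-level-only:   relies on the controller's security setting alone,
                             which the article says a firmware reflash disables
      unprotected:           no security level set and no IOMMU protection
    """
    root = Path(sysfs_root)
    results = {}
    if not root.is_dir():  # driver not loaded or no Thunderbolt controller
        return results
    for dom in sorted(root.glob("domain*")):
        level = _read(dom / "security")            # e.g. none, user, secure, dponly
        dma = _read(dom / "iommu_dma_protection")  # "1" when the IOMMU is used
        if dma == "1":
            verdict = "kernel-dma-protection"
        elif level in (None, "none"):
            verdict = "unprotected"
        else:
            verdict = "security-level-only"
        results[dom.name] = (level, verdict)
    return results


if __name__ == "__main__":
    found = assess_thunderbolt()
    if not found:
        print("no Thunderbolt domains found")
    for name, (level, verdict) in found.items():
        print(f"{name}: security={level} -> {verdict}")
```

A `security-level-only` result is the configuration the articles describe as bypassable by reflashing the controller firmware, so it should not be treated as equivalent to Kernel DMA Protection.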
