Thunderbolt Flaws Open the Floodgates for Hackers

What can be done in five minutes? Many things that we usually don’t bother to think about. However, in just five minutes, attackers can steal data from Thunderbolt-equipped devices.

What’s going on?

  • Known as “Thunderspy,” the cyberattack targets devices using Thunderbolt, a hardware interface built by Intel in association with Apple.
  • According to a researcher, all Thunderbolt-equipped devices manufactured before 2019 are vulnerable.
  • The attack cannot be traced, as it does not rely on tricking the user into clicking a phishing link or connecting a malicious piece of hardware.
  • Thunderspy works even if you follow robust security practices: locking your computer, setting up your device with Secure Boot, using strong BIOS and OS account passwords, or enabling full disk encryption.

Flaws in Thunderbolt protocol security measures

The researcher discovered issues in the protocol security measures of Thunderbolt, which led to the Thunderspy attacks.
  • These flaws include weak device authentication schemes, insufficient firmware verification schemes, and the use of metadata from unauthenticated devices.
  • The flaws also include deficiencies in the SPI flash interface, unauthenticated controller configurations, downgrade attacks that exploit backward compatibility, and a lack of Thunderbolt security on Boot Camp.
  • As per the research, kernel direct memory access (DMA) protection is capable of mitigating some of the Thunderspy vulnerabilities. However, devices manufactured before 2019 lack kernel DMA protection and remain vulnerable.

The history of Thunderbolt security

  • In 2019, researchers revealed a set of vulnerabilities collectively dubbed “Thunderclap” that left computers at risk from weaponized peripheral devices.
  • Because Thunderbolt devices communicate over the PCI Express (PCIe) protocol, attackers could exploit the flaw by coaxing users into connecting a legitimate but trojanized device.

Mitigation measures

  • According to the researcher, the only way to prevent Thunderspy attacks is to disable the Thunderbolt ports from within the BIOS.
  • Intel has asked Thunderbolt port users to check whether their systems have the mitigations incorporated.
  • For all systems, the company recommends adherence to standard security practices, the use of only trusted peripherals, and prevention of unauthorized physical access to computers.
  • As part of its security-first pledge, Intel will continue to improve Thunderbolt security.
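The two checks a defender would actually run after reading the above are whether the OS reports kernel DMA protection for each Thunderbolt controller and which Thunderbolt security level the controller is configured with. The following POSIX shell audit is an added example, not code from the article, the researcher, or Intel. It assumes a Linux host, where the kernel exposes each Thunderbolt domain under `/sys/bus/thunderbolt/devices/domainN/` with the attributes `security` (none, user, secure, dponly, usbonly) and `iommu_dma_protection` (1 when IOMMU-based DMA protection is active); the function takes an alternative root directory so it can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example: audit Thunderbolt domains for kernel DMA protection.
# Default root is the Linux sysfs Thunderbolt bus; a different root may be
# passed so the same function runs against a constructed directory tree.

# read_attr FILE: print the first line of FILE, or "unknown" if it is
# missing, unreadable or empty (older kernels lack iommu_dma_protection).
read_attr() {
    line=""
    if [ -r "$1" ]; then
        IFS= read -r line < "$1" || true
    fi
    printf '%s\n' "${line:-unknown}"
}

# tb_audit [ROOT]: print one status line per Thunderbolt domain.
# Exit status: 0 when every domain reports IOMMU DMA protection,
#              1 when at least one domain lacks it (the pre-2019 case),
#              2 when no Thunderbolt domain is present under ROOT.
tb_audit() {
    root="${1:-/sys/bus/thunderbolt/devices}"
    found=0
    unprotected=0
    for dom in "$root"/domain*; do
        [ -d "$dom" ] || continue          # glob did not match anything
        found=1
        name=$(basename "$dom")
        sec=$(read_attr "$dom/security")
        dma=$(read_attr "$dom/iommu_dma_protection")
        if [ "$dma" = "1" ]; then
            printf '%s: security=%s kernel-dma-protection=yes\n' "$name" "$sec"
        else
            unprotected=1
            printf '%s: security=%s kernel-dma-protection=NO\n' "$name" "$sec"
        fi
        # Level "none" authorizes every attached device for PCIe tunneling
        # without any user approval, so flag it regardless of DMA protection.
        if [ "$sec" = "none" ]; then
            printf '%s: WARNING security level none, devices auto-authorized\n' "$name"
        fi
    done
    [ "$found" -eq 1 ] || return 2
    [ "$unprotected" -eq 0 ] || return 1
    return 0
}
```

Source the file and call `tb_audit` on a Linux host; a non-zero exit status is the signal to act on (a `NO` line on a pre-2019 machine is exactly the unmitigated case described above, and the remaining option is then the BIOS-level port disable). The `security` value is informational here: Thunderspy defeats the user and secure levels on affected controllers, so the audit does not treat them as protection.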