A new attack method enables bad actors to access data on a locked computer via an evil maid attack within 5 minutes
Millions of computers sporting Intel’s Thunderbolt ports are open to hands-on hacking attempts due to vulnerabilities in this hardware interface, according to research by Björn Ruytenberg, a security researcher at Eindhoven University of Technology in The Netherlands. Dubbed Thunderspy, the attack method affects Thunderbolt-equipped machines manufactured between 2011 and 2020 and is a concern with machines running any of the three major operating systems – Windows, Linux and, to a lesser extent, macOS.
To snatch data from a PC through a so-called evil maid attack, all a bad actor would need is a few minutes, physical access to the device, and some off-the-shelf equipment. “All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate, and the evil maid gets full access to the laptop,” Ruytenberg told Wired, adding that the whole process could be managed within five minutes. A total of 7 vulnerabilities were found to affect Thunderbolt versions 1 through 3 and they’re all listed out in detail in the research paper.
The attack method works even if you follow cybersecurity best practices, such as locking your computer when stepping out for a moment and using strong passwords and measures such as full disk encryption. Above all, the attack leaves no traces.
As a proof of concept, Ruytenberg developed a firmware patching toolkit called Thunderbolt Controller Firmware Patcher (tcfp), which allows him to disable Thunderbolt security without accessing the machine’s BIOS or operating system. Since all of this takes place covertly and the changes aren’t reflected in BIOS, the victim remains none the wiser.
Ruytenberg also developed another tool, called SPIblock. Using it in tandem with tfcp, he managed to disable Thunderbolt security for good and block all future firmware updates, all the while remaining undetected.
Thunderbolt security was also in the spotlight last year, when a team of researchers was able to uncover a collection of vulnerabilities they named Thunderclap. Fortunately, those could be mitigated by security options, called “Security Levels”, that were already available at the time.
Not so much with Thunderspy, as this attack method circumvents these security settings. On the other hand, what does guard against it is Kernel Direct Memory Access (DMA) protection that was introduced in 2019, as Intel states in its response to the published report.
Ruytenberg concludes that an update won’t be enough to fix the issue: “The Thunderspy vulnerabilities cannot be fixed in software, impact future standards such as USB 4 and Thunderbolt 4, and will require a silicon redesign.”
If you’re worried that your computer may be susceptible to an attack, you can use Spycheck, a tool specifically developed by the researcher to scan for Thunderspy vulnerabilities. To protect yourself, you shouldn’t leave your computer unattended while powered on even if you locked the screen; the same applies to your Thunderbolt peripherals. Ruytenberg also recommends disabling your Thunderbolt ports entirely in BIOS, which would render them inoperable but should keep you safe.