Thunderbolt flaw allows a hacker to obtain access to a PC’s data within minutes

Image via Olesksiy Maksymenko Photography

Last month, we saw a team of researchers uncover a security flaw baked into Microsoft Teams that used GIFs to gain access to a user’s data. Now, a security researcher, Björn Ruytenberg, has uncovered a vulnerability dubbed ‘Thunderspy’ in the ubiquitous Intel Thunderbolt port. It allows a hacker with brief physical access to the device the ability to access the target’s data.

Although Thunderspy requires physical access to the device itself, it is possible even if the device is locked, encrypted, or set to sleep. Here’s a video of Ruytenberg demonstrating the entire procedure in five minutes.

Intel has responded to the report by stating that operating systems in 2019, including Windows 10 1803 RS4 and later, Linux kernel 5.x and later, and MacOS 10.12.4 and later, have implemented Kernel Direct Memory Access (DMA) protection to mitigate and prevent these attacks.

The researchers did not demonstrate successful DMA attacks against systems with these mitigations enabled.

But according to Wired, Kernal DMA has not been universally implemented and is in fact, incompatible with Thunderbolt peripherals made before 2019.

In their testing, the Eindhoven researchers could find no Dell machines that have the Kernel DMA Protection, including those from 2019 or later, and they were only able to verify that a few HP and Lenovo models from 2019 or later use it.

The researchers also noted devices running macOS are only partially affected by Thunderspy. Perhaps this is yet another reason to add to the list of why Microsoft hasn’t added Thunderbolt connectors to its Surface PCs.

Ruytenberg and his team say that to fully prevent one should disable their computer’s Thunderbolt ports from the BIOS. They should also turn off PCs when leaving them unattended, and enable hard drive encryption as well. For now, the researchers have developed an open-source tool for Linux and Windows that tells whether your PC is vulnerable to the attack. For the tool and further details, you may visit this webpage.