Thunderspy: find out whether your device is vulnerable to (local) Thunderbolt security issues

Security researcher Björn Ruytenberg published a security analysis of the Thunderbolt protocol on April 17, 2020 entitled “Breaking Thunderbolt Protocol Security: Vulnerability Report”. He discovered several security vulnerabilities in the Thunderbolt protocol that may be exploited by local attackers to access all data even on systems with encrypted drives and if the computer is locked or in sleep mode.

A total of seven vulnerabilities are revealed in the analysis; these affect “all laptop and desktop systems equipped with a Thunderbolt 2 and/or Thunderbolt 3 family host controller employing Security Levels”. All Microsoft operating systems from Windows 7 to Windows 10 and all Linux kernel releases from kernel 4.13 are affected. Apple Macintosh systems are affected partially only because of additional security measures that are in place by default.

Update: Intel responded to Thunderspy stating that newer versions of Windows 10, Mac OS X and Linux supported a feature called Kernel Direct Memory Access (DMA) protection which mitigated against attacks outlined in the research paper. Microsoft published an article about this here on its Docs website. On systems running at least Windows 10 version 1803, administrators may go to Start > Settings > Update & Security > Windows Security > Open Windows Security > Device security > Core isolation details > Memory access protection to verify that memory access protection is enabled; this requires a UEFI firmware support and is not compatible with other BitLocker DMA attacks countermeasures. End

All attacks require brief local access to the system but the system itself may be locked or in sleep state. The paper describes several exploitation scenarios which all require local access to the device.

A program has been created by the researcher that checks devices with Thunderbolt ports. The application is available for Windows and Linux; the Windows version may be downloaded from the Thunderspy website. It is compatible with Windows 7 and newer versions of Windows, and with Linux kernel 3.16 and Pyton 3.4 and later on Linux devices.

Spycheck prompts you to identify the ports on the device which can either be USB-C or Mini-DisplayPort with lightning symbol or without lightning symbol. Hit the next button once you have identified the correct port to have it check that port. Devices without Thunderbolt ports will show up as “not vulnerable” automatically. Suggestions are displayed on how to address the issue if a device is found to be vulnerable by the application.

The researcher created demonstration videos; the first demonstrates how to unlock Windows PCs in 5 minutes by exploiting vulnerabilities.

The second video shows how to disable all Thunderbolt security on a Windows PC permanently.

Now You: do you use devices with Thunderbolt ports? Are your devices vulnerable? (via Deskmodder)

Summary

Article Name

Thunderspy: find out whether your device is vulnerable to (local) Thunderbolt security issues

Description

Security researcher Björn Ruytenberg published a security analysis of the Thunderbolt protocol on April 17, 2020 entitled “Breaking Thunderbolt Protocol Security: Vulnerability Report”.

Author

Martin Brinkmann

Publisher

Ghacks Technology News

Logo

Advertisement