Thunderspy (security vulnerability)
A logo created for the vulnerability, featuring an image of a spy
|Date discovered||May 2020|
|Date patched||2019 via Kernel DMA Protection|
|Affected hardware||Computers manufactured before 2019, and some after that, having the Intel Thunderbolt port.|
Thunderspy is a type of security vulnerability, based on the Intel Thunderbolt port, first reported publicly on 10 May 2020, that can result in an evil maid (ie, attacker of an unattended device) attack gaining full access to a computer's information in about five minutes, and may affect millions of Apple, Linux and Windows computers, as well as any computers manufactured before 2019, and some after that. According to Björn Ruytenberg. the discoverer of the vulnerability, "All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate, and the evil maid gets full access to the laptop. All of this can be done in under five minutes."
The Thunderspy security vulnerabilities were first publicly reported by Björn Ruytenberg of Eindhoven University of Technology in the Netherlands on 10 May 2020. Thunderspy is similar to Thunderclap, another security vulnerability, reported in 2019, that also involves access to computer files through the Thunderbolt port.
This section needs additional citations for verification. (May 2020) (Learn how and when to remove this template message)
The security vulnerability affects millions of Apple, Linux and Windows computers, as well as all computers manufactured before 2019, and some after that. However, this impact is restricted mainly to how precise a bad actor would have to be to execute the attack. Physical access to a machine with a vulnerable Thunderbolt controller is necessary, as well as a writable ROM chip for the Thunderbolt controller's firmware. Since ROM chips can come in a BGA format, this isn't always possible. Additionally, part of Thunderspy, specifically the portion involving re-writing the firmware of the controller, requires the device to be in sleep, or at least in some sort of powered-on state, to be effective. Since some business machines feature intrusion detection features that cause the machine to power down the moment the back cover is removed, this attack is almost impossible on secured systems.
The researchers claim there is no easy software solution, and may only be mitigated by disabling the Thunderbolt port altogether. However, the impacts of this attack (reading kernel level memory without the machine needing to be powered off) are largely mitigated by anti-intrusion features provided by many business machines. Intel claim enabling such features would substantially restrict the effectiveness of the attack. Microsoft's official security recommendations recommend disabling sleep mode while using BitLocker. Using hibernation in place of sleep mode turns the device off, mitigating potential risks of attack on encrypted data.
- Greenberg, Andy (10 May 2020). "Thunderbolt Flaws Expose Millions of PCs to Hands-On Hacking - The so-called Thunderspy attack takes less than five minutes to pull off with physical access to a device, and it affects any PC manufactured before 2019". Wired. Retrieved 11 May 2020.
- Porter, Jon (11 May 2020). "Thunderbolt flaw allows access to a PC's data in minutes - Affects all Thunderbolt-enabled PCs manufactured before 2019, and some after that". The Verge. Retrieved 11 May 2020.
- Doffman, Zak (11 May 2020). "Intel Confirms Critical New Security Problem For Windows Users". Forbes. Retrieved 11 May 2020.
- Ruytenberg, Björn (2020). "Thunderspy: When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security". Thunderspy.io. Retrieved 11 May 2020.
- Kovacs, Eduard (11 May 2020). "Thunderspy: More Thunderbolt Flaws Expose Millions of Computers to Attacks". SecurityWeek.com. Retrieved 11 May 2020.
- O'Donnell, Lindsey (11 May 2020). "Millions of Thunderbolt-Equipped Devices Open to 'ThunderSpy' Attack". ThreatPost.com. Retrieved 11 May 2020.
- Wyciślik-Wilson, Mark (11 May 2020). "Thunderspy vulnerability in Thunderbolt 3 allows hackers to steal files from Windows and Linux machines". BetaNews.com. Retrieved 11 May 2020.
- Gorey, Colm (11 May 2020). "Thunderspy: What you need to know about unpatchable flaw in older PCs". SiliconRepublic.com. Retrieved 12 May 2020.
- Ruytenberg, Björn (17 April 2020). "Breaking Thunderbolt Protocol Security: Vulnerability Report. 2020" (PDF). Thunderspy.io. Retrieved 11 May 2020.
- Staff (26 February 2019). "Thunderclap: Modern computers are vulnerable to malicious peripheral devices". Retrieved 12 May 2020.
- Gartenberg, Chaim (27 February 2019). "'Thunderclap' vulnerability could leave Thunderbolt computers open to attacks - Remember: don't just plug random stuff into your computer". The Verge. Retrieved 12 May 2020.
- Grey, Mishka (13 May 2020). "7 Thunderbolt Vulnerabilities Affect Millions of Devices: 'Thunderspy' Allows Physical Hacking in 5 Minutes - Do you own a Thunderbolt equipped laptop, and have bought it after 2011? Well, we've news for YOU. 7 newly discovered Intel Thunderbolt vulnerabilities have exposed your device to hackers. Learn what to do?". HackReports.com. Retrieved 18 May 2020.
- codeHusky (11 May 2020). "Video (11:01) - Thunderspy is nothing to worry about - Here's why". YouTube. Retrieved 12 May 2020.
- Staff (26 March 2019). "Kernel DMA Protection for Thunderbolt™ 3 (Windows 10) - Microsoft 365 Security". Microsoft Docs. Retrieved 17 May 2020.
- Jerry, Bryant (10 May 2020). "More Information on Thunderbolt(TM) Security - Technology@Intel". Retrieved 17 May 2020.