Posted on May 11, 2020 at 11:30 AM
For years, security experts have warned that it takes only a few minutes for hackers to infiltrate a computer system when they have physical access to it. A Dutch researcher has now shown how hackers can compromise a machine within that small amount of time, using a flaw in Intel's Thunderbolt interface.
According to Björn Ruytenberg, a researcher at the Eindhoven University of Technology, the new attack method he calls Thunderspy takes advantage of a vulnerability in the Thunderbolt port of millions of computers.
New attack technique exposes Thunderbolt’s vulnerability
The technique he used was effective on Thunderbolt-enabled Linux or Windows PCs manufactured before 2019. Ruytenberg can use the method to bypass the login screen of a locked or sleeping computer and gain complete control of the machine.
The attack method is not especially sophisticated: once the case is opened, it takes only a few minutes to reach the computer's data. The vulnerability opens an avenue for a new wave of attacks by actors with physical access to the computer.
Ruytenberg said there is no way of patching the vulnerability now. The only thing the user can do is to disable the Thunderbolt port completely.
Thunderbolt port offers zero security level
Security researchers have long been concerned about vulnerabilities in Intel's Thunderbolt interface. Thunderbolt is a useful feature because it provides faster data transfer to external devices, which it achieves by giving those devices more direct access to the system's memory than other ports do. That same direct access can create security issues, as Ruytenberg has now shown.
Last year, a group of researchers revealed a collection of vulnerabilities in Thunderbolt components called Thunderclap. According to the revelation, a hacker can simply plug a malicious device into the Thunderbolt port of a computer to circumvent all of its security measures.
To address the problem, security researchers recommend that users make use of a Thunderbolt security feature called "security levels". Users can either turn off Thunderbolt entirely or use the security levels to deny access to untrusted devices.
Turning off Thunderbolt entirely reduces the vulnerable port to a mere display and USB port. However, with Ruytenberg's technique, hackers can sidestep the security-level settings by rewriting the firmware of the internal chip that controls the Thunderbolt port. Most intriguingly, the technique makes this change without leaving any trace of an alteration that would be visible to the computer's operating system.
According to Tanja Lange, Ruytenberg's adviser on the Thunderspy research and a professor of cryptography at Eindhoven University of Technology, Intel designed a security wall against Thunderbolt attacks. Ruytenberg's attack gets past all of those barriers.
A preventive method is available, but not enough
After the Thunderclap research last year, Intel introduced a security mechanism referred to as Kernel Direct Memory Access Protection. This protection blocks Ruytenberg's Thunderspy attack. However, its coverage is quite limited, because it is not available on systems manufactured before 2019.
Since millions of those older systems are in active use, the Thunderspy attack could be very effective if hackers managed to replicate it. The vulnerability does not affect macOS, only Linux and Windows PCs.
Ruytenberg is also developing software that can verify whether a particular system is vulnerable to the attack and whether Kernel DMA Protection can be used effectively on that system.
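As an added illustration of the two properties such a check looks at (not Ruytenberg's tool and not code from the article), the following POSIX shell function reads the attributes that the Linux thunderbolt driver exposes under /sys/bus/thunderbolt/devices/domainN: the active security level and whether the kernel uses the IOMMU for DMA protection. The directory is passed as an argument so the function can be exercised against a constructed directory tree; a missing iommu_dma_protection attribute (older kernels) is assumed to mean no IOMMU protection.

```shell
#!/bin/sh
# Audit one Thunderbolt domain directory, e.g. /sys/bus/thunderbolt/devices/domain0.
# Attributes read (exposed by the Linux thunderbolt driver):
#   security             - active security level: none, user, secure, dponly, usbonly
#   iommu_dma_protection - 1 when the kernel uses the IOMMU to police DMA from devices
# Prints one verdict word; returns 0 when protected or Thunderbolt is disabled, 1 otherwise.
tb_audit() {
  dir="$1"
  if [ ! -r "$dir/security" ]; then
    echo "no-thunderbolt"     # no domain present: nothing to attack through
    return 0
  fi
  level=$(cat "$dir/security")
  dma=0                       # assumption: attribute absent means no IOMMU protection
  [ -r "$dir/iommu_dma_protection" ] && dma=$(cat "$dir/iommu_dma_protection")

  if [ "$dma" = "1" ]; then
    echo "protected"          # Kernel DMA Protection: IOMMU enforces memory access
    return 0
  fi
  case "$level" in
    dponly|usbonly)
      echo "disabled"         # port acts as display/USB only, as the article recommends
      return 0 ;;
    none)
      echo "exposed"          # no security level at all
      return 1 ;;
    user|secure)
      echo "level-only"       # relies on a security level a firmware rewrite can revert
      return 1 ;;
    *)
      echo "unknown"
      return 1 ;;
  esac
}

# Walk every Thunderbolt domain on the running system; non-zero if any is unprotected.
tb_audit_all() {
  rc=0
  for d in /sys/bus/thunderbolt/devices/domain*; do
    [ -d "$d" ] || continue
    printf '%s: ' "$d"
    tb_audit "$d" || rc=1
  done
  return $rc
}
```

On a live machine, source the file and run tb_audit_all; a "level-only" or "exposed" verdict on a pre-2019 system is exactly the case the article describes.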
Ruytenberg's Thunderbolt attack process requires the individual to unscrew the laptop's bottom panel so that the Thunderbolt controller is easily accessible. They then attach an SPI programmer device using a SOP8 clip. With the SPI programmer, the hacker rewrites the chip's firmware, which ultimately bypasses the security measures and grants the hacker full access.
Ruytenberg said that after analyzing the firmware, he discovered that it contains the controller's security state.
He said he "developed methods to change that security state to 'none.'"
As Ruytenberg also pointed out, the hacker can then connect a device to the Thunderbolt port to completely disable the lock screen. He further stated that he built the system for $400, but that a better-funded attacker could repackage the entire system into a small unit for less than $10,000.