Thunderbolt Vulnerability Explained - Threatwire
Added 2020-05-12 19:42:29 +0000 UTC
Some big news surfaced yesterday regarding Thunderbolt security. A researcher from Eindhoven University of Technology discovered a vulnerability in Thunderbolt ports that could let an attacker with physical access read and copy data even if the drive is encrypted and the computer is locked or asleep. Dubbed Thunderspy, it requires no interaction from the user, and it leaves no traces after the attack has been carried out.
According to the site the researcher published about the vulnerabilities, this attack takes about five minutes on Windows or Linux systems. An attacker can use simple, off-the-shelf components costing a few hundred bucks to take advantage of these issues. To demo the attack, the researcher used a Lenovo ThinkPad laptop, showing that it's running Windows 10 but is locked. They removed the backplate of the laptop, clipped components to the interior of the Thunderbolt 3 port, and connected this to their attacker PC to run a payload. This payload disables the security implemented on the victim machine and logs in as if they had the password. It's basically an "evil maid" attack, letting an attacker steal data even when a system is locked. While it does require quite a bit of physical access, since it most likely requires an attacker to remove the backplate, it leaves no trace because it requires no network activity.
Why does this occur? Intel's Thunderbolt technology gives connected devices direct access to a machine's memory for faster transfer speeds. They work at a low level but with highly privileged access, so connected peripherals bypass OS security policies and directly read and write memory. Attacks that take advantage of this are called Direct Memory Access, or DMA, attacks, and seven total vulnerabilities allow Thunderspy to occur. These include inadequate firmware verification schemes, no Thunderbolt security on Boot Camp, unauthenticated device metadata, and more.
Intel responded to this flaw, saying that the underlying vulnerability isn't anything new and was addressed in OS releases last year through a mitigation called Kernel Direct Memory Access protection. But if those mitigations are not enabled, or if the computer is not newer than a machine made in 2019, the new Thunderspy physical attack vector works. This mitigation was enabled in Windows 10 1803 RS4 and later, Linux kernel 5 and later, and macOS 10.12.4 and later versions. Intel also noted that this attack wasn't demonstrated on systems with Kernel Direct Memory Access protection enabled, which would be machines made within the last year or so. Unfortunately, not all machines have Kernel DMA protection, so the researcher has released a tool on their website called Spycheck to verify whether your machine is vulnerable, and whether or not you can enable Kernel DMA protection.
To mitigate the problem, the researcher suggests disabling Thunderbolt ports in the BIOS, enabling hard drive encryption, and turning off the computer when it's unattended. Another mitigation is to enable Thunderbolt "security levels," which can disallow untrusted devices. Also, do not let folks borrow your Thunderbolt devices or peripherals, and just don't leave them unattended.
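Added example, not from the Threatwire segment or the Thunderspy site: a small POSIX shell check of what Linux (kernel 5 and later) exposes in sysfs for the two mitigations named above, the Thunderbolt security level and Kernel DMA protection. The attribute names `security` and `iommu_dma_protection` under `/sys/bus/thunderbolt/devices/domainN` are real kernel attributes; the verdict labels and the directory parameter are this script's own.

```shell
#!/bin/sh
# Added example (not the segment's or the researcher's code): report the
# Thunderbolt "security level" and Kernel DMA protection (IOMMU) state that
# the Linux thunderbolt driver exposes in sysfs, one line per controller.
# Real attributes: "security" and "iommu_dma_protection" in each domainN dir.
# The sysfs directory is a parameter so the check can run on a copied tree;
# the verdict names (protected / approval-only / exposed) are ours.

tb_check() {
    root="${1:-/sys/bus/thunderbolt/devices}"
    rc=0
    found=0
    for dom in "$root"/domain*; do
        [ -d "$dom" ] || continue
        found=1
        level=$(cat "$dom/security" 2>/dev/null || echo unknown)
        dma=$(cat "$dom/iommu_dma_protection" 2>/dev/null || echo 0)
        if [ "$dma" = "1" ]; then
            # The IOMMU confines every peripheral's DMA; the level matters less.
            verdict="protected"
        else
            case "$level" in
                dponly|usbonly|nopcie)
                    # PCIe tunnelling is off, so no DMA path exists at all.
                    verdict="protected" ;;
                user|secure)
                    # Device approval only: it relies on device metadata the
                    # segment notes is unauthenticated, so do not count on it.
                    verdict="approval-only"; rc=1 ;;
                *)
                    # "none" or unreadable: any plugged-in device gets DMA.
                    verdict="exposed"; rc=1 ;;
            esac
        fi
        printf '%s level=%s iommu_dma_protection=%s verdict=%s\n' \
            "$(basename "$dom")" "$level" "$dma" "$verdict"
    done
    [ "$found" -eq 1 ] || \
        echo "no Thunderbolt domains under $root (no controller, or driver not loaded)"
    return $rc
}

# Usage: sh tb_check.sh [sysfs-dir]
# Exit status 1 means at least one controller is not protected against DMA
# from an untrusted device plugged into its port.
tb_check "$@"
```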
The device used in the demo is pretty obvious and would likely not be used in a public setting like a hotel lobby or a coffee house - but "evil maid" attacks could take place on unattended machines in hotel rooms or private offices, and an entity with funding could potentially turn this attack into a very small device with some manufacturing.
Via Joel:
https://www.youtube.com/watch?v=7uvSZA1F9os&feature=emb_title
https://thehackernews.com/2020/05/thunderbolt-vulnerabilities.html
https://www.wired.com/story/thunderspy-thunderbolt-evil-maid-hacking/
https://www.cnet.com/news/thunderbolt-flaws-may-leave-pcs-vulnerable-to-physical-hacks/
Support me on alternative platforms! https://snubsie.com/support
Shop ThreatWire Merch! - https://snubsie.com/shop
https://www.youtube.com/shannonmorse -- subscribe to my tech channel!
ThreatWire is only possible because of our Patreon patrons! https://www.patreon.com/threatwire
Check out my new video about the last active Morse Code Radio Station in the US - https://www.youtube.com/watch?v=UPTzvciqgJ0