Got Thunderbolt? You Also Get Seven Thunderspy Vulnerabilities
You’ve Been … Thunderstruck!
*** Update from Intel: “In 2019, major operating systems implemented Kernel Direct Memory Access (DMA) protection to mitigate against attacks such as these. This includes Windows (Windows 10 1803 RS4 and later), Linux (kernel 5.x and later), and MacOS (MacOS 10.12.4 and later). The researchers did not demonstrate successful DMA attacks against systems with these mitigations enabled. Please check with your system manufacturer to determine if your system has these mitigations incorporated. For all systems, we recommend following standard security practices, including the use of only trusted peripherals and preventing unauthorized physical access to computers.” /Update *** This is certainly good news for those currently using Thunderbolt, though a check via Thunderspy is still a smart idea.
If you have an Intel Thunderbolt controller in your machine (and unless you belong to a very, very small group, any Thunderbolt controller in your machine is from Intel), then there is some bad news: there are seven rather worrisome vulnerabilities you need to be aware of. There is no real good news in this particular issue, as your only real protection is a tool released by Eindhoven University‘s Björn Ruytenberg and his team, which will confirm that you are vulnerable and give you a way to completely disable Thunderbolt. If you simply disable it the normal way, one of the vulnerabilities is specifically crafted to enable it again.
The heart of Thunderspy is the ability to create a compromised Thunderbolt device that, once connected to your machine, can clone the identities of the Thunderbolt devices the user has already authorized on your system, gaining access to the PCIe bus and performing DMA attacks. This does mean the attacker needs physical access to your system, but with the variety of Thunderbolt devices that can be chained together, that may be a bit easier than plugging directly into a USB port.
The research details seven vulnerabilities present in Thunderbolt 1, 2, and 3, as well as nine attack vectors, and they are all viable even on locked-down systems. The attacks can happily bypass Intel’s hardware-based Security Levels, pre-boot protection, and every cryptographic device authentication method tested. One specific vulnerability is able to modify your system’s BIOS via the SPI flash to apply an irrevocable, read-only update that disables Thunderbolt security, while the BIOS still reports it as enabled when you check.
As far as they can tell, a simple firmware update is not going to be enough; a hardware redesign of the new Thunderbolt and USB controllers we are all looking forward to will be required. In the meantime you can consider using their tools to secure your system, at the cost of Thunderbolt connectivity.
Thunderbolt ports are present in machines running Windows, Linux, and macOS, so that covers a lot of computers. Ruytenberg said all Thunderbolt versions and systems shipped between 2011 and 2020 are affected and that no software patch can fix these vulnerabilities, so Intel would need to redesign silicon in order to fix these flaws. There's not much you can do here. However, with open-source software called Thunderspy, developed by Ruytenberg and their team, you can check whether you're affected by the Thunderbolt bug.
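The two checks this article points to, whether kernel DMA protection from the Intel update is active and which Security Level a port relies on, can be scripted on Linux. The following is an added example, not code from the Thunderspy project or from Intel; it assumes the sysfs attribute names of the Linux thunderbolt driver listed in its comments, and the function names are my own.

```shell
#!/bin/sh
# Added example (not Thunderspy's or Intel's code): audit Thunderbolt domains on
# Linux through the thunderbolt driver's sysfs attributes, assumed to be:
#   <domain>/security              none|user|secure|dponly|usbonly|nopcie
#   <domain>/iommu_dma_protection  "1" when the kernel enforces IOMMU DMA protection
#   <device>/authorized, <device>/device_name
# SYSFS_DIR may point at a constructed tree for offline testing.
SYSFS_DIR="${SYSFS_DIR:-/sys/bus/thunderbolt/devices}"
# Classify one domain: prints "ok ..." or "at-risk ..."; returns 1 when at risk.
tb_domain_status() {
    dom="$1"
    sec=$(cat "$dom/security" 2>/dev/null || echo unknown)
    dma=$(cat "$dom/iommu_dma_protection" 2>/dev/null || echo 0)
    if [ "$dma" = "1" ]; then
        echo "ok kernel DMA protection active (security level: $sec)"
        return 0
    fi
    case "$sec" in
        dponly|usbonly|nopcie)   # no PCIe tunnelling as configured, so no DMA path
            echo "ok PCIe tunnelling disabled (security level: $sec)"
            return 0 ;;
        *)                       # Security Levels trust device identity, which Thunderspy clones
            echo "at-risk no IOMMU DMA protection; relying on security level '$sec'"
            return 1 ;;
    esac
}
# Report every domain under $base; returns 1 if any domain is at risk.
tb_audit() {
    base="${1:-$SYSFS_DIR}"; risk=0; found=0
    for dom in "$base"/domain*; do
        [ -d "$dom" ] || continue
        found=1
        status=$(tb_domain_status "$dom") || risk=1
        echo "$(basename "$dom"): $status"
    done
    [ "$found" = 1 ] || echo "no Thunderbolt domains found"
    return $risk
}
# List connected (non-host) devices with their authorization state.
tb_list_devices() {
    base="${1:-$SYSFS_DIR}"
    for dev in "$base"/[0-9]*-*; do
        [ -d "$dev" ] || continue
        case "$(basename "$dev")" in *-0) continue ;; esac   # skip the host router
        auth=$(cat "$dev/authorized" 2>/dev/null || echo '?')
        name=$(cat "$dev/device_name" 2>/dev/null || echo unknown)
        echo "$(basename "$dev") authorized=$auth $name"
    done
}
```

Source the script and run `tb_audit` and `tb_list_devices`; a domain flagged at-risk is relying solely on Security Levels, which the research above shows can be bypassed by cloning an authorized device's identity.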