Thunderspy: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 12:04, 16 May 2020 edit Drbogdan (talk \| contribs) Autopatrolled, Extended confirmed users, Pending changes reviewers, Rollbackers 90,442 edits m →Mitigation: adj ← Previous edit		Latest revision as of 12:11, 23 December 2024 edit undo Nyxion303 (talk \| contribs) Extended confirmed users 8,458 edits Rescuing 12 sources and tagging 0 as dead.) #IABot (v2.0.9.5 Tag: IABotManagementConsole [1.3]
(27 intermediate revisions by 16 users not shown)
Line 1: {{~~short~~Short description\|~~security~~Security vulnerability}} {{use dmy dates\|date=May 2020\|cs1-dates=n}} {{Infobox bug Line 9: \| patched = 2019 via [[DMA attack\|Kernel DMA Protection]] \| discoverer = Björn Ruytenberg \| affected hardware = Computers manufactured before 2019, and some after that, having the [[Thunderbolt (interface)\|Intel Thunderbolt 3 (and below) port]].<ref name="WRD-20200510" /> \| website = {{URL\|thunderspy.io}} }} '''Thunderspy''' is a type of [[Vulnerability (computing)\|security vulnerability]], based on the [[Thunderbolt (interface)\|Intel Thunderbolt 3 port]], first reported publicly on 10 May 2020, that can result in an [[Evil maid attack\|evil maid]] (iei.e., attacker of an unattended device) attack gaining full access to a computer's information in about five minutes, and may affect millions of [[Apple Inc.\|Apple]], [[Linux]] and [[Microsoft Windows\|Windows]] computers, as well as any computers manufactured before 2019, and some after that.<ref name="WRD-20200510">{{cite ~~news~~magazine \|last=Greenberg \|first=Andy \|title=Thunderbolt Flaws Expose Millions of PCs to Hands-On Hacking - The so-called Thunderspy attack takes less than five minutes to pull off with physical access to a device, and it affects any PC manufactured before 2019. \|url=https://www.wired.com/story/thunderspy-thunderbolt-evil-maid-hacking/ \|date=10 May 2020 \|~~work~~magazine=[[Wired (magazine)\|Wired]] \|accessdate=11 May 2020 \|archive-date=11 May 2020 \|archive-url=https://web.archive.org/web/20200511010343/https://www.wired.com/story/thunderspy-thunderbolt-evil-maid-hacking/ \|url-status=live }}</ref><ref name="VRG-20200511">{{cite news \|last=Porter \|first=Jon \|title=Thunderbolt flaw allows access to a ~~PC’s~~PC's data in minutes - Affects all Thunderbolt-enabled PCs manufactured before 2019, and some after that \|url=https://www.theverge.com/2020/5/11/21254290/thunderbolt-security-vulnerability-thunderspy-encryption-access-intel-laptops \|date=11 May 2020 \|work=[[The Verge]] \|accessdate=11 May 2020 \|archive-date=11 May 2020 \|archive-url=https://web.archive.org/web/20200511192653/https://www.theverge.com/2020/5/11/21254290/thunderbolt-security-vulnerability-thunderspy-encryption-access-intel-laptops \|url-status=live }}</ref><ref name="FRBS-20200511">{{cite news \|last=Doffman \|first=Zak \|title=Intel Confirms Critical New Security Problem For Windows Users \|url=https://www.forbes.com/sites/zakdoffman/2020/05/11/intel-confirms-critical-security-flaw-affecting-almost-all-windows-users/ \|date=11 May 2020 \|work=[[Forbes]] \|accessdate=11 May 2020 \|archive-date=12 May 2020 \|archive-url=https://web.archive.org/web/20200512213846/https://www.forbes.com/sites/zakdoffman/2020/05/11/intel-confirms-critical-security-flaw-affecting-almost-all-windows-users/ \|url-status=live }}</ref><ref name="TSY-2020">{{cite news \|last=Ruytenberg \|first=Björn \|title=Thunderspy: When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security \|url=https://thunderspy.io/ \|date=2020 \|work=Thunderspy.io \|accessdate=11 May 2020 \|archive-date=11 May 2020 \|archive-url=https://web.archive.org/web/20200511012316/https://thunderspy.io/ \|url-status=live }}</ref><ref name="SW-20200511">{{cite news \|last=Kovacs \|first=Eduard \|title=Thunderspy: More Thunderbolt Flaws Expose Millions of Computers to Attacks \|url=https://www.securityweek.com/thunderspy-more-thunderbolt-flaws-expose-millions-computers-attacks \|date=11 May 2020 \|work=SecurityWeek.com \|accessdate=11 May 2020 }}</ref><ref name="TP-20200511">{{cite news \|last=O'Donnell \|first=Lindsey \|title=Millions of Thunderbolt-Equipped Devices Open to ~~‘ThunderSpy’~~'ThunderSpy' Attack \|url=https://threatpost.com/millions-thunderbolt-devices-thunderspy-attack/155620/ \|date=11 May 2020 \|work=ThreatPost.com \|accessdate=11 May 2020 \|archive-date=11 May 2020 \|archive-url=https://web.archive.org/web/20200511205240/https://threatpost.com/millions-thunderbolt-devices-thunderspy-attack/155620/ \|url-status=live }}</ref><ref name="BN-20200511">{{cite news \|last=Wyciślik-Wilson \|first=~~Mark~~Sofia \|title=Thunderspy vulnerability in Thunderbolt 3 allows hackers to steal files from Windows and Linux machines \|url=https://betanews.com/2020/05/11/thunderspy-security-vulnerability/ \|date=11 May 2020 \|work=BetaNews.com \|accessdate=11 May 2020 \|archive-date=11 May 2020 \|archive-url=https://web.archive.org/web/20200511142121/https://betanews.com/2020/05/11/thunderspy-security-vulnerability/ \|url-status=live }}</ref><ref name="SR-20200511">{{cite news \|last=Gorey \|first=Colm \|title=Thunderspy: What you need to know about unpatchable flaw in older PCs \|url=https://www.siliconrepublic.com/enterprise/thunderbolt-port-hacker-vulnerability-thunderspy \|date=11 May 2020 \|work=SiliconRepublic.com \|accessdate=12 May 2020 \|archive-date=18 May 2020 \|archive-url=https://web.archive.org/web/20200518045250/https://www.siliconrepublic.com/enterprise/thunderbolt-port-hacker-vulnerability-thunderspy \|url-status=live }}</ref> According to Björn Ruytenberg., the discoverer of the vulnerability, "All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate, and the evil maid gets full access to the laptop. All of this can be done in under five minutes."<ref name="WRD-20200510" /> The malicious firmware is used to clone device identities which makes classical DMA attack possible.<ref name="TSY-2020"/> == History == The Thunderspy security vulnerabilities were first publicly reported by Björn Ruytenberg of [[Eindhoven University of Technology]] in the [[Netherlands]] on 10 May 2020.<ref name="TSY-20200417">{{cite news \|last=Ruytenberg \|first=Björn \|title=Breaking Thunderbolt Protocol Security: Vulnerability Report. 2020. \|url=https://thunderspy.io/assets/reports/breaking-thunderbolt-security-bjorn-ruytenberg-20200417.pdf \|date=17 April 2020 \|work=Thunderspy.io \|accessdate=11 May 2020 \|archive-date=11 May 2020 \|archive-url=https://web.archive.org/web/20200511032830/https://thunderspy.io/assets/reports/breaking-thunderbolt-security-bjorn-ruytenberg-20200417.pdf \|url-status=live }}</ref> Thunderspy is similar to [[Thunderclap (security vulnerability)\|Thunderclap]],<ref name="TC-20190226">{{cite news \|author=Staff \|title=Thunderclap: Modern computers are vulnerable to malicious peripheral devices \|url=http://thunderclap.io/ \|date=26 February 2019 \|accessdate=12 May 2020 }}</ref><ref name="VRG-20190227">{{cite news \|last=Gartenberg \|first=Chaim \|title=~~‘Thunderclap’~~'Thunderclap' vulnerability could leave Thunderbolt computers open to attacks - Remember: ~~don’t~~don't just plug random stuff into your computer \|url=https://www.theverge.com/2019/2/27/18243503/thunderclap-vulnerability-thunderbolt-computers-attack \|date=27 February 2019 \|work=[[The Verge]] \|accessdate=12 May 2020 }}</ref> another security vulnerability, reported in 2019, that also involves access to computer files through the Thunderbolt port.<ref name="SR-20200511" /> == Impact == {{more citations needed\|section\|date=May 2020}} The security vulnerability ~~may affect~~affects millions of Apple, Linux and Windows computers, as well as ~~any~~all computers manufactured before 2019, and some after that.<ref name="WRD-20200510" /><ref name="FRBS-20200511" /><ref name="TSY-2020" /> However, this impact is restricted mainly ~~due~~ to how precise a bad actor would have to be to execute the attack. Physical access to a machine with a vulnerable Thunderbolt controller is necessary, as well as a writable ROM chip for the Thunderbolt controller's firmware.<ref name="TSY-2020" /> ~~Since ROM chips can come in a BGA format, this isn't always possible.~~ Additionally, part of Thunderspy, specifically the portion involving re-writing of the firmware of the controller, requires the device to be in sleep,<ref name="TSY-2020" /> or at least in some sort of powered-on state, to be effective.<ref name="HR-20200513">{{cnCite web \|~~date~~last=~~May~~Grey ~~2020}}~~\|first=Mishka As\|title=7 ~~some~~Thunderbolt ~~business~~Vulnerabilities ~~machines~~Affect ~~feature~~Millions ~~intrusion~~of ~~detection~~Devices: ~~features~~'Thunderspy' ~~that~~Allows ~~cause~~Physical ~~the~~Hacking ~~machine~~in to5 ~~power~~Minutes ~~down~~- ~~the~~Do ~~moment~~you ~~the~~own ~~back~~a ~~cover~~Thunderbolt isequipped ~~removed~~laptop, ~~this~~and ~~attack~~have isbought ~~almost~~it ~~impossible~~after on2011? ~~secured~~Well, ~~systems~~we've news for YOU.~~{{cn~~ 7 newly discovered Intel Thunderbolt vulnerabilities have exposed your device to hackers. Learn what to do? \|url=https://www.hackreports.com/7-thunderbolt-vulnerabillity-thunderspy-exploit-thunderbolt-hacked/ \|date=13 May 2020 \|work=HackReports.com \|accessdate=18 May 2020 \|archive-date=4 August 2020 \|archive-url=https://web.archive.org/web/20200804174216/https://www.hackreports.com/7-thunderbolt-vulnerabillity-thunderspy-exploit-thunderbolt-hacked/ \|url-status=live }}</ref> Machines that force power-off when the case is open may assist in resisting this attack to the extent that the feature (switch) itself resists tampering. Due to the nature of attacks that require extended, physical access to hardware, it's unlikely the attack will affect users outside of a business or government environment.<ref name="HR-20200513" /><ref name="YT-20200511">{{cite news \|author=codeHusky \|title=Video (11:01) - Thunderspy is nothing to worry about - Here's why \|url=https://www.youtube.com/watch?v=c9Z3hQh0NxY \|date=11 May 2020 \|work=[[YouTube]] \|accessdate=12 May 2020 ~~}}</ref>{{cn~~\|archive-date=~~May~~19 June 2020 \|archive-url=https://web.archive.org/web/20200619195525/https://www.youtube.com/watch?v=c9Z3hQh0NxY&gl=US&hl=en \|url-status=live }}</ref> == Mitigation == The researchers claim there is no easy software solution, and may only be mitigated by disabling the Thunderbolt port altogether.<ref name="WRD-20200510" /> However, the impacts of this attack (reading kernel level memory without the machine needing to be powered off) are largely mitigated by anti-intrusion features provided by many business machines.<ref name="msdoc-kdma-protecton-for-thunderbolt">{{cite web \|author=Staff \|title=Kernel DMA Protection for Thunderbolt™ 3 (Windows 10) - Microsoft 365 Security \|url=https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt \|date=26 March 2019 \|work=Microsoft Docs \|accessdate=17 May 2020 \|archive-date=22 April 2020 \|archive-url=https://web.archive.org/web/20200422022727/https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt \|url-status=live }}</ref> Intel claims enabling such features would substantially restrict the effectiveness of the attack.<ref name="intel-20200510">{{cite news \|last=Jerry \|first=Bryant \|title=More Information on Thunderbolt(TM) Security - Technology@Intel \|url=https://blogs.intel.com/technology/2020/05/more-information-on-thunderspy/ \|date=10 May 2020 \|accessdate=17 May 2020 \|archive-date=15 May 2020 \|archive-url=https://web.archive.org/web/20200515131640/https://blogs.intel.com/technology/2020/05/more-information-on-thunderspy/ \|url-status=live }}</ref> Microsoft's official security recommendations recommend disabling sleep mode while using BitLocker.<ref>{{Cite web\|url=https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-security-faq#what-are-the-implications-of-using-the-sleep-or-hibernate-power-management-options\|title = BitLocker Security FAQ (Windows 10) - Windows security}}</ref> Using hibernation in place of sleep mode turns the device off, mitigating potential risks of attack on encrypted data. ~~{{more citations needed\|section\|date=May 2020}}~~ The researchers claim there is no easy software solution, and may only be mitigated by disabling the Thunderbolt port altogether.<ref name="WRD-20200510" /> However, the impacts of this attack (reading kernel level memory without the machine needing to be powered off) are largely mitigated by anti-intrusion features provided by many business machines.{{cn\|date=May 2020}} Enabling such features would substantially restrict the effectiveness of the attack.{{cn\|date=May 2020}} == References == Line 38 ⟶ 39: [[Category:Computer security]] [[Category:2020 in ~~computer science~~computing]]