Thunderspy: Difference between revisions

'''Thunderspy''' is a type of [[Vulnerability (computing)|security vulnerability]], based on the [[Thunderbolt (interface)|Intel Thunderbolt port]], first reported publicly on 10 May 2020, that can result in an [[Evil maid attack|evil maid]] (ie, attacker of an unattended device) attack gaining full access to a computer's information in about five minutes, and may affect millions of [[Apple Inc.|Apple]], [[Linux]] and [[Microsoft Windows|Windows]] computers, as well as any computers manufactured before 2019, and some after that.<ref name="WRD-20200510">{{cite news |last=Greenberg |first=Andy |title=Thunderbolt Flaws Expose Millions of PCs to Hands-On Hacking - The so-called Thunderspy attack takes less than five minutes to pull off with physical access to a device, and it affects any PC manufactured before 2019. |url=https://www.wired.com/story/thunderspy-thunderbolt-evil-maid-hacking/ |date=10 May 2020 |work=[[Wired (magazine)|Wired]] |accessdate=11 May 2020 }}</ref><ref name="VRG-20200511">{{cite news |last=Porter |first=Jon |title=Thunderbolt flaw allows access to a PC’sPC's data in minutes - Affects all Thunderbolt-enabled PCs manufactured before 2019, and some after that |url=https://www.theverge.com/2020/5/11/21254290/thunderbolt-security-vulnerability-thunderspy-encryption-access-intel-laptops |date=11 May 2020 |work=[[The Verge]] |accessdate=11 May 2020 }}</ref><ref name="FRBS-20200511">{{cite news |last=Doffman |first=Zak |title=Intel Confirms Critical New Security Problem For Windows Users |url=https://www.forbes.com/sites/zakdoffman/2020/05/11/intel-confirms-critical-security-flaw-affecting-almost-all-windows-users/ |date=11 May 2020 |work=[[Forbes]] |accessdate=11 May 2020 }}</ref><ref name="TSY-2020">{{cite news |last=Ruytenberg |first=Björn |title=Thunderspy: When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security |url=https://thunderspy.io/ |date=2020 |work=Thunderspy.io |accessdate=11 May 2020 }}</ref><ref name="SW-20200511">{{cite news |last=Kovacs |first=Eduard |title=Thunderspy: More Thunderbolt Flaws Expose Millions of Computers to Attacks |url=https://www.securityweek.com/thunderspy-more-thunderbolt-flaws-expose-millions-computers-attacks |date=11 May 2020 |work=SecurityWeek.com |accessdate=11 May 2020 }}</ref><ref name="TP-20200511">{{cite news |last=O'Donnell |first=Lindsey |title=Millions of Thunderbolt-Equipped Devices Open to ‘ThunderSpy’'ThunderSpy' Attack |url=https://threatpost.com/millions-thunderbolt-devices-thunderspy-attack/155620/ |date=11 May 2020 |work=ThreatPost.com |accessdate=11 May 2020 }}</ref><ref name="BN-20200511">{{cite news|last=Wyciślik-Wilson |first=Sofia |title=Thunderspy vulnerability in Thunderbolt 3 allows hackers to steal files from Windows and Linux machines |url=https://betanews.com/2020/05/11/thunderspy-security-vulnerability/ |date=11 May 2020 |work=BetaNews.com |accessdate=11 May 2020 }}</ref><ref name="SR-20200511">{{cite news |last=Gorey |first=Colm |title=Thunderspy: What you need to know about unpatchable flaw in older PCs |url=https://www.siliconrepublic.com/enterprise/thunderbolt-port-hacker-vulnerability-thunderspy |date=11 May 2020 |work=SiliconRepublic.com |accessdate=12 May 2020 }}</ref> According to Björn Ruytenberg, the discoverer of the vulnerability, "All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate, and the evil maid gets full access to the laptop. All of this can be done in under five minutes."<ref name="WRD-20200510" />

The Thunderspy security vulnerabilities were first publicly reported by Björn Ruytenberg of [[Eindhoven University of Technology]] in the [[Netherlands]] on 10 May 2020.<ref name="TSY-20200417">{{cite news |last=Ruytenberg |first=Björn |title=Breaking Thunderbolt Protocol Security: Vulnerability Report. 2020. |url=https://thunderspy.io/assets/reports/breaking-thunderbolt-security-bjorn-ruytenberg-20200417.pdf |date=17 April 2020 |work=Thunderspy.io |accessdate=11 May 2020 }}</ref> Thunderspy is similar to [[Thunderclap (security vulnerability)|Thunderclap]],<ref name="TC-20190226">{{cite news |author=Staff |title=Thunderclap: Modern computers are vulnerable to malicious peripheral devices |url=http://thunderclap.io/ |date=26 February 2019 |accessdate=12 May 2020 }}</ref><ref name="VRG-20190227">{{cite news |last=Gartenberg |first=Chaim |title=‘Thunderclap’'Thunderclap' vulnerability could leave Thunderbolt computers open to attacks - Remember: don’tdon't just plug random stuff into your computer |url=https://www.theverge.com/2019/2/27/18243503/thunderclap-vulnerability-thunderbolt-computers-attack |date=27 February 2019 |work=[[The Verge]] |accessdate=12 May 2020 }}</ref> another security vulnerability, reported in 2019, that also involves access to computer files through the Thunderbolt port.<ref name="SR-20200511" />

The security vulnerability affects millions of Apple, Linux and Windows computers, as well as all computers manufactured before 2019, and some after that.<ref name="WRD-20200510" /><ref name="FRBS-20200511" /><ref name="TSY-2020" /> However, this impact is restricted mainly to how precise a bad actor would have to be to execute the attack. Physical access to a machine with a vulnerable Thunderbolt controller is necessary, as well as a writable ROM chip for the Thunderbolt controller's firmware.<ref name="TSY-2020" /> Since ROM chips can come in a BGA format, this isn't always possible.{{cn|date=May 2020}} Additionally, part of Thunderspy, specifically the portion involving re-writing the firmware of the controller, requires the device to be in sleep,<ref name="TSY-2020" /> or at least in some sort of powered-on state, to be effective.<ref name="HR-20200513">{{Cite web |last=Grey |first=Mishka |title=7 Thunderbolt Vulnerabilities Affect Millions of Devices: 'Thunderspy' Allows Physical Hacking in 5 Minutes - Do you own a Thunderbolt equipped laptop, and have bought it after 2011? Well, we’vewe've news for YOU. 7 newly discovered Intel Thunderbolt vulnerabilities have exposed your device to hackers. Learn what to do?|url=https://www.hackreports.com/7-thunderbolt-vulnerabillity-thunderspy-exploit-thunderbolt-hacked/|date=13 May 2020 |work=HackReports.com |accessdate=18 May 2020}}</ref> Since some business machines feature intrusion detection features that cause the machine to power down the moment the back cover is removed, this attack is almost impossible on secured systems.{{cn|date=May 2020}}

The researchers claim there is no easy software solution, and may only be mitigated by disabling the Thunderbolt port altogether.<ref name="WRD-20200510" /> However, the impacts of this attack (reading kernel level memory without the machine needing to be powered off) are largely mitigated by anti-intrusion features provided by many business machines.<ref name="msdoc-kdma-protecton-for-thunderbolt">{{cite web |author=Staff |title=Kernel DMA Protection for Thunderbolt™ 3 (Windows 10) - Microsoft 365 Security |url=https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt |date=26 March 2019 |work=Microsoft Docs |accessdate=17 May 2020 }}</ref> Intel claims enabling such features would substantially restrict the effectiveness of the attack.<ref name="intel-20200510">{{cite news |last=Jerry |first=Bryant |title=More Information on Thunderbolt(TM) Security - Technology@Intel |url=https://blogs.intel.com/technology/2020/05/more-information-on-thunderspy/ |date=10 May 2020 |accessdate=17 May 2020 }}</ref> Microsoft's official security recommendations recommend disabling sleep mode while using BitLocker.<ref>{{Cite web|url=https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-security-faq#what-are-the-implications-of-using-the-sleep-or-hibernate-power-management-options|title = BitLocker Security FAQ (Windows 10) - Windows security}}</ref> Using hibernation in place of sleep mode turns the device off, mitigating potential risks of attack on encrypted data.