A very new vulnerability has been discovered in Thunderbolt-equipped devices. It just takes 5 minutes for an attacker to launch a new data-stealing attack called “Thunderspy.” The fresh attack enables threat actors to steal user credentials from Windows or Linux devices equipped with Thunderbolt ports.
The attack, mainly known as “Thunderspy,” targets Thunderbolt technology explicitly. It is a hardware interface manufactured by Intel Corporation in collaboration with Apple) that allows users to merge data transfer, charging, and video peripherals into a single connector. Apple had launched the Thunderbolt ports on its merchandise( MacBook Pro) in 2011. Observing the success of ThunderBolt ports, the technology was then widely adopted with varying PCs such as Dell, HP, and Lenovo. Investigators say that “ Estimately all the Thunderbolt-equipped devices which were manufactured before 2019 are vulnerable that puts the integrity of millions of devices at risk.”
Insights of Thunderbolt vulnerability:
Since vulnerability is prone to tangible ports so as to launch the Thunderspy attack, one would need physical access to the device. However, the attack can be driven in minutes. Besides, the attack mainly involves the use of a Thunderbolt-equipped computer, a screwdriver, and some portable hardware. Once the attack is formulated, then Intruders bypass security measures and gain access to user data, irrespective of the state of the device.
“Thunderspy is stealth, meaning that you simply cannot find any traces of the attack. It doesn’t require your involvement, i.e., there’s no phishing link or malicious piece of hardware that the attacker tricks you into using,” said Björn Ruytenberg, a security researcher who is currently a student at the Eindhoven University of Technology, in a Sunday post.
Thunderspy works on the principle to void the best security practices by locking or suspending your computer when leaving briefly, and if your supervisor has found out the device with Secure Boot, strong BIOS and OS account passwords, and enabled full disk encryption.
The methodology of the attack!
Based on the violation of the security flaws to Thunderbolt protocol security measures, the Security analyst has developed possible nine attack scenarios. Those potential threats and vulnerabilities are exploited by a malicious entity to access victims’ systems. Ruytenberg demonstrated the attack via video tutorial on one of the Thunderspy attacks that could be launched in minutes. He was able to propagate the attack using a screwdriver, a Serial Peripheral Interface (SPI) programmer device, and a Thunderbolt peripheral. Evidently, An SPI device is an interface bus usually used to transfer data within microcontrollers and small peripherals.
In the video mentioned above, he showed that it is not a big deal to gauge the attack; One just needs to unscrew the bottom panel of a Thunderbolt-equipped ThinkPad to access the main central controller. Afterwards, attach the SPI programmer device using a SOP8 clip, which is normally a piece of hardware that connects to controllers’ pins. Moreover, to disable the security settings, the SPI programmer can then rewrite the firmware of the chip that allows the attacker to log into the device in about five minutes.
Disclosure to Enterprises.
All the security flaws were disclosed to intel on Feb 10. Security personnel at Intel told that the researchers were aware of the weaknesses and but couldn’t issue further mitigations because of the kernel DMA protection. By the time Intel has listed only five companies that they would inform, Ruytenberg said. However, researchers said 11 more OEM/ODMs and the Linux kernel security team needed to be notified.
“Eventually, they notified us that they informed some parties on 25 March about the vulnerabilities and upcoming disclosure, without giving us details of what this information consisted of and whom exactly they contacted.“We reached out to several more parties after realizing that Intel had skipped them.”,” said Ruytenberg.
Further, the Thunderbolt port users are advised to check their system operators and resolve whether their system has moderations consolidated.
Any fixes for Thunderbolt?
Digital signatures of the vulnerability have not been identified by Intel, neither have issued CVE identifiers for Thunderspy. Despite the repeated efforts, Intel is not able to mitigate the Thunderspy vulnerabilities on the existing products in the market. Observing the analogy of Thunderspy, it is believed that it cannot be fixed and require a silicon redesign. Indeed, for future systems implementing Thunderbolt technology, Intel has stated they will incorporate additional hardware protections. Besides, Apple also has determined upon administering a patch for Thunderspy.
