Monday, May 11, 2020
Any computer manufactured before 2019 with this connection is in danger

By Brian Adam

When we think of malware or a vulnerability, we assume the flaw lies somewhere in software, such as a vulnerability in the operating system. However, a group of researchers has just found a vulnerability in one of the best and most versatile connectors on the market.

We are talking about Thunderbolt, the Intel interface that uses USB Type-C as its connector in its most recent version, and which Apple has championed by making it the only port on its laptops. There are currently millions of computers using it, and all of those made before 2019 are vulnerable to an attack called Thunderspy.

Thunderspy: almost any Thunderbolt 3 computer is insecure

This is the name given by researcher Björn Ruytenberg, of Eindhoven University of Technology, to a vulnerability in Windows and Linux computers made before 2019 (and many later ones) that allows an attacker to skip the login screen of a computer, and even bypass hard-drive encryption, to access the data.

The attack requires a screwdriver to open the computer, temporarily connect a device, and modify the firmware, but it has the advantage that it leaves no trace and can be used against computers that are left unattended for a while (in a hotel, for example) or against stolen computers. All it takes is an SPI programmer with a SOP8 chip, connecting them to the controller, and rewriting its entire memory. The whole process can be seen in this video.

Video: https://www.youtube.com/watch?v=7uvSZA1F9os

And there is no easy way to fix it in software other than disabling the Thunderbolt port entirely. Intel's Thunderbolt security has been in doubt for a while, since to deliver higher speeds it also requires more direct access to the computer's memory than other ports. Combine that with a vulnerability and you have a perfect match.

Earlier attacks such as Thunderclap bypassed all of the connector's security measures, but they could be mitigated by configuring the port to refuse connections from unknown devices, or by disabling Thunderbolt and turning the connector into a plain USB or DisplayPort. The problem is that Thunderspy bypasses even those protections by modifying the firmware that manages the port and forcing it to accept any device.

There has been protection since 2019, but almost no one includes it

In 2019, Intel introduced a protection mechanism called Kernel Direct Memory Access (DMA) Protection, which prevents the attack. The problem is that, even after its launch in 2019, including it is not mandatory, and many computer and peripheral manufacturers do not. For example, no Dell computer has it, not even those released in 2020; only a few HP and Lenovo models do. Apple computers running macOS are not affected. To check whether your computer is vulnerable, Björn has released a tool on the web.
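As an added example, not from the article or from the Thunderspy researchers, here is a small POSIX shell check for Linux hosts that reads the Thunderbolt domain's sysfs attributes: `security` reports the configured security level (the "refuse unknown devices" and "USB/DisplayPort only" settings mentioned above), and `iommu_dma_protection` reports whether Kernel DMA Protection is active. Both attribute names are real Linux kernel sysfs attributes; the verdict labels and the sample sysfs tree are our own construction.

```shell
#!/bin/sh
# Report how a Linux host's Thunderbolt domain is configured against
# DMA attacks. Reads two real kernel sysfs attributes under
# /sys/bus/thunderbolt/devices/domainN:
#   security             -> none | user | secure | dponly | usbonly
#   iommu_dma_protection -> 1 when Kernel DMA Protection (IOMMU) is active
# The verdict labels below are our own, not a kernel or vendor classification.

tb_assess() {
  dom="${1:-/sys/bus/thunderbolt/devices/domain0}"
  if [ ! -d "$dom" ]; then
    echo "no-thunderbolt"      # no controller exposed to the kernel
    return 0
  fi
  sec=$(cat "$dom/security" 2>/dev/null || echo unknown)
  dma=$(cat "$dom/iommu_dma_protection" 2>/dev/null || echo 0)

  # With Kernel DMA Protection active, the security level matters less:
  # the IOMMU bounds what a connected device can read or write.
  if [ "$dma" = "1" ]; then
    echo "protected:kernel-dma-protection sec=$sec"
    return 0
  fi
  case "$sec" in
    none)           echo "exposed:sec=none" ;;            # any device gets DMA
    user|secure)    echo "firmware-enforced:sec=$sec" ;;  # the level Thunderspy bypasses
    dponly|usbonly) echo "reduced:sec=$sec" ;;            # port demoted to DP / USB
    *)              echo "unknown:sec=$sec" ;;
  esac
}

# Constructed sample sysfs tree so the check can be exercised offline.
# usage: make_sample_domain <security> <iommu_dma_protection>
make_sample_domain() {
  d=$(mktemp -d)/domain0
  mkdir -p "$d"
  printf '%s\n' "$1" > "$d/security"
  printf '%s\n' "$2" > "$d/iommu_dma_protection"
  echo "$d"
}

tb_assess "$@"   # run against the live system, or a domain path given as $1
```

On a real machine, "firmware-enforced" with no Kernel DMA Protection is the configuration the article describes as bypassable; "protected" is what the 2019 mechanism provides when the vendor ships it.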

The equipment needed to carry out the attack costs about $600 for the SPI programmer and the peripheral that connects to the Thunderbolt port. However, he states that for just $10,000, agencies such as the NSA or the FBI would have no trouble miniaturizing it into a portable device they could carry around without raising suspicion.

The attack can also be exploited without disassembling the computer

The researcher has also revealed another, easier way to carry out the attack, but it requires a Thunderbolt peripheral that has previously been connected to the victim's computer. When it is connected, a 64-bit key is associated with it; that key is then entered into the attack device, which likewise allows the Windows login screen to be skipped. This can work if a Thunderbolt flash drive can be connected to a laptop momentarily, without even having to disassemble it.

Therefore, the only way to protect yourself against this attack is to disable the Thunderbolt port from the computer's BIOS if your computer is among those affected.