A dangerous Thunderbolt bug has been discovered by a criminal collective and exploited in the recent Thunderspy attack. It is reported to affect both Windows and Linux computers manufactured before 2019. The results of a successful Thunderbolt hack can result in the bypassing of a login of a sleeping or locked device resulting in unauthorized access.
The Thunderspy Attacks: How Thunderbolt is Exploited To Hack Your Computers?
This Sunday a security researcher from the Dutch University of Technology of Eindhoven revealed information on a new hacking method that can be used to gain access to Thunderbolt-equipped computers calling it the Thunderspy attack. According to the published report this allows for malicious users to gain unauthorized access to such devices. The security bypass is compatible with devices that have been manufactured before 2019.
The exploit can allow for the criminals to break through secured devices: the Thunderbspy flaw can bypass the login screens of sleeping and locked computers, even when hard disk encryption is enabled! At the core of the Thunderspy attack is the requirement of the hackers to have physical access to the target computers. However upon the successful execution of the intrusion the criminals will practically leave no trace of the exploit.
All that is required of the hackers to do is to follow these steps:
- Physical Manipulation — The hackers will need to gain access to the target devices in order to access the Thunderbolt controller. To it they will need to attach a specially configured SPI programmer.
- Reconfiguration — Using a SOP8 clip and the SPI programmer device a reconfiguration operation will be executed.
- Thunderbolt Exploit — The actual Thunderspy attack is commenced by reprogramming the controller which will disable the computer’s security settings.
The flaw found with the Thunderbolt ports and controller is in the firmware where the security state is controlled. This allows hackers with access to the machines to edit these values and to disable all security precautions. In order to leverage the Thunderspy infiltration the criminals require not only access to the machines, but also equipment — the overall cost totals to about $400. The researcher also suggests that a better funded criminal collective may also lead to the creation of a single device. The total time it takes to leverage the Thunderbolt hack takes about 5 minutes, with a dedicated appliance this can be even faster.
Consequences of a Thunderspy Exploit: How Much Dangerous Is It?
The strategy used by the researcher revolves around the fact that the controller contains code containing security levels and related configuration values. A variant of Thunderspy is when the hackers have access to Thunderbolt device from which the can copy a “trusted identifier” — when plugged in to the target computer the gadget will automatically start its firmware and pass it into the operating system. The criminals can use their tools in order to fabricate this content to a device they own thereby tricking the computers.
Hacking into Thunderbolt devices like this can effectively be used in two malware scenarios:
- strong>Computers Infiltration — The Thunderspy attack is compatible with both Microsoft Windows and Linux systems that have been manufactured before 2019. The reason for this is that in their firmware controllers that the security controllers store the values in this way. This exploit can break through login prompts even on computers that are placed in “sleep”. The research shows that this is possible even when encryption is enabled.
- Sabotage — Another dangerous scenario that may be exploited in a real-world situation is when intentional sabotage is performed. A criminal gang can use a specially constructed device that can take the form of a USB flash drive and plug them in target devices. Using preprogrammed malware code they can not only break into the computers, but also to execute arbitrary code.
Last year Intel released a security mechanism that can protect against Thunderspy called Kernel Direct Memory Access Protection which is not implemented in older configurations. This is the reason why computers manufactured before that year are affected.
How To Protect From The Thunderspy Attack?
A security proposition in order to safeguard against such attacks by disallowing access to untrusted devices, an alternative measure is to altogether turn off the Thunderbolt capabilities. If the extended functionality are disabled then the Thunderbolt will function only as a file transfer and display port. The Intel patch which relies on the introduction of the Kernel Direct Memory Access Protection can effectively block the Thunderspy exploit mechanism.
A related intrusion was discovered back in February 2019 called Thunderclap. It was discovered by a team of researchers that is similar to Thunderspy. A proof-of-concept model demonstrates that a malware device can access system settings and manipulate the target devices. This also affects allows major operating systems to be affected: Microsoft Windows, Linux MacOS. Once again the security researchers advised for Thunderbolt functionality to be limited until the Kernel Direct Memory Access Protection is implemented.
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: