There has been a recent pitch from a Dutch security researcher who found a security flaw in the thunderbolt port or USB type-C port on Thunderbolt-enabled Windows, Apple, or Linux computers before 2020, while some systems shipped since 2019 that provide Kernel Direct Memory Access protection are partially vulnerable.
This Evil Maid attack (i.e., attacker of an unattended device) can bypass the system login screen regardless if it’s asleep or locked. This can be pulled off in a matter of minutes – 5 to be exact; this type of attack is stealthy as it does not leave any traces of the intrusion. A malicious attacker can gain physical access to a victim’s system by unscrewing the backplate and flashing the SPI chip, then attaching a BUS pirate (spy programmer) and extracting data using PCILeech to utilize a kernel module that stealthily skips the Windows sign-in screen. Before this attack, there’s this type of attack called ThunderClap that handles the same way as Thunderbolt.
Thunderbolt port is intended for direct hardware access to read and write directly to the main memory without Operating System interaction; it also allows low-level or less admin access to the computer, thus making it susceptible to exploitation.
The impact is known to affect Thunderbolt protocols 1,2, and 3. We also confirmed that the flaw had presented the following vulnerabilities in Thunderbolt:
- inadequate firmware verification schemes;
- weak device authentication schemes;
- use of unauthenticated device metadata;
- downgrade attack using backward compatibility;
- use of unauthenticated controller configurations;
- SPI flash interface deficiencies;
- and a lack of Thunderbolt security on Boot Camp.
How do we prevent a Thunderbolt Port exploit
- Physically checking for the tampered backplate of physical devices.
- Physically checking for the tampered backplate of the physical device.
- Hardening the protection with Hypervisor-protected code integrity (HVCI) – It isolates the code integrity subsystem. It verifies that the Kernel code is not authenticated and signed by Microsoft. It also ensures that kernel code cannot be both writable and executable to make sure unverified code does not execute.
- Secure-core PC protections – It uses rooted hardware security in the modern CPU to launch the system into a trusted state. It helps mitigate attempts made by malware at the firmware level.
- Kernel DMA protection – block external peripherals from Direct Memory Access (DMA) attacks using PCI hotplug devices such as Thunderbolt.
- Preventive measures include disabling the BIOS connection to Thunderbolt ports.
- Another point to consider would be the use of unified endpoint management (UEM) solution to ensure you’re covered for all potential security threats and not merely traditional malware.
- Use the Spycheck tool to verify whether systems are vulnerable to Thunderspy. Once found as vulnerable, Spycheck will guide users to the best practices on how to help protect the system.
Intel responded to this flaw
Intel said that the underlying vulnerability is not anything new and was addressed in OS releases in 2019 called the Kernel Direct Memory Access (DMA) protection. Still, if that mitigation is not enabled or a device is not newer than the computer made in 2019, then the new Thunderspy physical attack vector works.
Then again, Intel has acknowledged these vulnerabilities quickly and has instructed developers to implement Kernel Direct Memory Access (DMA) protection to prevent these attacks. The protections will be available from Windows (Windows 10 1803 RS4 and later), Linux (kernel 5.x and later), and macOS (macOS 10.12.4 and later).
Intel also noted that this attack was not demonstrated on systems with the Kernel Direct Memory Access (DMA) protection enabled, which would be machines made with the last year or so. Unfortunately, not all devices have Kernel Direct Memory Access (DMA) protection even if they are new, so the security researcher released a tool called Spycheck to verify if your machine is vulnerable and whether or not you can enable Kernel Direct Memory Access (DMA) protection.
Unlike Windows and Linux-based computers, experts claim that the recent security updates from Apple should mitigate Thunderspy attacks on devices with macOS. While the exploit will technically work, access will be limited with certain safeguards in place. It is unknown hardware manufacturers, and developers will come up with a fix later on.
