ESET has published a comprehensive overview of risks stemming from Thunderspy, a series of vulnerabilities in Thunderbolt technology, and possible protections. Via Thunderspy, an attacker can change, and possibly even remove, the security measures of the Thunderbolt interface on a computer.
As a result, an attacker with physical access to the target computer can steal data from it, even if full disk encryption is used and the machine is locked with a password or sleeping in low-power mode.
Thunderspy was discovered by Björn Ruytenberg, a computer security researcher, in May 2020.
“While Ruytenberg’s research has received publicity because of its novel attack vector, not much has been said about how to protect against Thunderspy, or even determine whether you have been a victim,” points out Aryeh Goretsky, ESET Distinguished Researcher.
In his article “Thunderspy attacks: What they are, who’s at greatest risk and how to stay safe,” Goretsky briefly explains the technical background for Thunderspy but focuses primarily on practical methods to defend against it.
Thunderbolt-based attacks are very rare because they are, by their nature, highly targeted. There are two types of attacks against the security that Thunderbolt relies on to maintain the integrity of a computer. The first is cloning the identities of Thunderbolt devices that are already trusted and allowed by the computer. The second is permanently disabling Thunderbolt security so that it cannot be re-enabled.
“The cloning attack is like thieves who steal a key and copy it. Afterwards, they can use the copied key repeatedly to open that lock. The second attack is a form of bricking a chip. In this case, permanently disabling Thunderbolt’s security levels and write-protecting the changes so they cannot be undone,” explains Goretsky.
Neither type of attack is simple to carry out, since actual in-person access to the target computer is required, along with the tools to disassemble the computer, attach a logic programmer, read the firmware from the SPI flash ROM chip, disassemble and modify its instructions, and write it back to the chip. Such attacks are a type of “evil maid attack,” a name that refers to the scenario of an attacker entering a hotel room while the victim is not present to conduct the attack.
To defend against Thunderspy, as with any other hardware attack requiring physical access to the system, it’s important to decide whether the goal of the defense is to make it evident that a physical attack occurred, or to protect against it.
Protection methods against Thunderspy attacks may be divided into separate categories. “First, prevent any unauthorized access to your computer. Second, secure all your computer’s relevant interfaces and ports, such as USB-C. Besides that, look beyond physical measures and also take steps to make your computer’s firmware and software more secure,” summarizes Goretsky.
“Disable hibernation, sleep or other hybrid shutdown modes. Make the computer turn completely off when not in use – doing this can prevent attacks on the computer’s memory via Thunderspy,” suggests Goretsky.
Aside from all other security measures, users should employ security software from a reputable provider that can scan the computer’s UEFI firmware, one of the locations where Thunderbolt security information is stored.