A researcher has developed a new attack that exploits some weaknesses in the Intel Thunderbolt specification security model to bypass Thunderbolt security settings and even gain access to any of the data on the machine. While the method is new, security issues with Thunderbolt are not, and for many people the attack does not significantly increase the risk that was already present.
The attack, known as Thunderspy, exploits vulnerabilities present in Thunderbolt 1, 2, and 3 and works on any Windows or Linux computer with Thunderbolt ports sold before 2019. But there are some important caveats: it requires several minutes of physical access to the target computer, removing the back plate of the machine, and some specialized hardware to run. If an attacker has that level of access to a computer, the machine is at their disposal, regardless of the details of the attack.
A typical attack scenario could involve a victim leaving their laptop unattended in a hotel room or restaurant long enough for an attacker to grab it, remove the back plate to reach the right port, plug in the malicious peripheral, and run its code. The attack can work even if the machine is locked or in sleep mode, but the threat to most people is not much greater than with other hardware attacks that require physical access.
The new method, developed by Björn Ruytenberg, a master’s student at Eindhoven University of Technology, is complex and based on custom tools that Ruytenberg developed to disable Thunderbolt security settings and rewrite the firmware of the target chip.
Thunderbolt is a hardware interface that Intel developed to connect peripheral devices to computers at higher speeds. Ruytenberg reported the weaknesses to Intel several months ago, and while the vendor acknowledged the problems, there are no fixes available at this time, nor are there simple ways to address the core problem in software.
“Despite our repeated efforts, the reason for Intel’s decision not to mitigate Thunderspy vulnerabilities in systems on the market remains unknown. However, given the nature of Thunderspy, we think it would be reasonable to assume that they cannot be fixed and require a redesign of silicon. In fact, for future systems that implement Thunderbolt technology, Intel has stated that they will incorporate additional hardware protections,” Ruytenberg said in his explanation of the attack.
One of the fundamental problems underlying Ruytenberg’s attack is that once the computer trusts a device connected over Thunderbolt, that device has deep access to the machine’s memory. There is a certain level of authentication between the devices and the computer, but if an attacker can make their own malicious device look like a trusted Thunderbolt device, as Ruytenberg has shown can be done, then they are in business.
“There is no real authentication. Intel went to the authentication layer, but it is managed by the chip’s flash memory. They’ve chosen a method that can be cloned. If I can get a device in my hands, I can extract anything I want to clone it onto any other device,” said Joe FitzPatrick, a hardware security researcher and trainer.
“That could be your laptop or your docking station or something else.”
In recent years, Intel has added a couple of security features that are designed to protect against some of the weaknesses that Thunderspy exploits. The main addition is a feature called Security Levels that allows people to explicitly trust only specific Thunderbolt devices, but Ruytenberg can modify Thunderbolt control chip firmware to bypass that feature and allow other devices. Thunderbolt devices by design have direct memory access (DMA), allowing them to read and write system memory out of the control of the operating system. This is a powerful feature, and attackers have been able to exploit it in the past to steal data through Thunderbolt peripherals, so to defend against those attacks, Intel last year introduced a feature called Kernel DMA Protection that restricts Thunderbolt devices to specific memory ranges.
That feature mitigates some, but not all, of the vulnerabilities exploited by Ruytenberg’s attack, and it is only available on a small number of computers from 2019 onwards. Other researchers have discovered similar issues with Thunderbolt in the past, including the Thunderclap bugs disclosed in 2019.
“In an evil maid threat model and varying levels of security, we demonstrate the ability to create arbitrary Thunderbolt device identities, clone Thunderbolt devices authorized by the user, and ultimately gain PCIe connectivity to perform DMA attacks. Additionally, we show unauthenticated override of security level settings, including the ability to disable Thunderbolt security entirely, and restore Thunderbolt connectivity if the system is restricted to passing through USB and/or DisplayPort only. We conclude by demonstrating the ability to permanently disable Thunderbolt security and block all future firmware updates,” says the description of the attack.
To fully address core issues with the Thunderbolt security model, Intel would need to make changes to the chips, an expensive and time-consuming process.
“They need to change silicon to run only signed code and that’s not a simple thing. They would have to develop it, make new chips, test them, and then ship them. That could be years,” said FitzPatrick.
For owners of computers with affected chips, the most effective defenses are to enable Kernel DMA Protection if it is available and to connect only trusted Thunderbolt peripherals.
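As an added example (not from the article and not part of Ruytenberg's tooling), the following POSIX shell script checks on a Linux host the two protections discussed above: the Thunderbolt security level and whether Kernel DMA Protection is active, plus the authorization state of each attached device. It reads the attributes the kernel exposes under /sys/bus/thunderbolt/devices; the sysfs root is a parameter so the functions can also be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example: audit Thunderbolt protections on a Linux host through sysfs.
# Attributes per the kernel's Documentation/admin-guide/thunderbolt.rst:
#   domainN/security              none|user|secure|dponly|usbonly|nopcie
#   domainN/iommu_dma_protection  1 when the kernel confines device DMA with the IOMMU
#   <route>/authorized            0 = blocked, 1 = authorized, 2 = authorized by key
# Usage: sh tb_audit.sh /sys/bus/thunderbolt/devices   (no argument: only defines functions)

tb_attr() { cat "$1/$2" 2>/dev/null || echo "$3"; }   # read an attribute or use a fallback

# Returns 0 when the domain blocks or confines DMA from a cloned or rogue device.
# "user"/"secure" alone only gate on identities handled by the controller firmware,
# which is what Thunderspy subverts, so they count only together with IOMMU protection.
tb_domain_ok() {
  level=$(tb_attr "$1" security unknown)
  iommu=$(tb_attr "$1" iommu_dma_protection 0)
  case "$level" in
    dponly|usbonly|nopcie) return 0 ;;   # no PCIe tunnelling, so no device DMA at all
    user|secure) [ "$iommu" = 1 ] ;;     # needs Kernel DMA Protection as well
    *) return 1 ;;                       # "none" or unreadable: every device is trusted
  esac
}

# One line per attached device: route, vendor/device name, authorization state.
tb_list_devices() {
  for d in "$1"/*-*; do
    [ -f "$d/authorized" ] || continue
    printf '  %s\t%s %s\tauthorized=%s\n' "$(basename "$d")" \
      "$(tb_attr "$d" vendor_name '?')" "$(tb_attr "$d" device_name '?')" \
      "$(tb_attr "$d" authorized '?')"
  done
}

# Report every Thunderbolt domain; exit status 1 if any domain is exposed.
tb_audit() {
  root=${1:-/sys/bus/thunderbolt/devices}
  rc=0
  for dom in "$root"/domain*; do
    [ -d "$dom" ] || continue
    if tb_domain_ok "$dom"; then verdict=mitigated; else verdict=EXPOSED; rc=1; fi
    printf '%s: security=%s iommu_dma_protection=%s -> %s\n' "$(basename "$dom")" \
      "$(tb_attr "$dom" security unknown)" "$(tb_attr "$dom" iommu_dma_protection 0)" "$verdict"
  done
  tb_list_devices "$root"
  return $rc
}

[ $# -eq 0 ] || tb_audit "$@"
```

A domain reported as EXPOSED is one where a device that merely presents a trusted identity would get unrestricted DMA; the "mitigated" verdict reflects the partial protection the article describes, not immunity.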