[ad_1]
Thunderspy is the latest malware targeting computers with Thunderbolt ports. Vulnerabilities include attacks for all machines using Thunderbolt, regardless of operating system. The attack also affects all versions of Thunderbolt, meaning any device that has been shipped with it since 2011.
Investigator Bjὃrn Ruytenberg, from Eindhoven University of Technology, Thundersky discovered. Ruytenberg has published an article detailing Thunderspy that includes vulnerabilities, affected machines, partial mitigations, and exemplary exploits. It is an interesting read and shows just how dangerous and effective Thunderspy is.
According to Ruytenberg: “Thunderspy is stealth, which means you cannot find any trace of the attack. It does not require your participation, i.e. there is no phishing link or malicious piece of hardware that the attacker tricks you into using. Thunderspy works even if you follow security best practices by locking or suspending your computer by briefly quitting, and if your system administrator has configured the device with secure boot, strong BIOS and operating system passwords, and has enabled full disk encryption . All the attacker needs is 5 minutes with just the computer, a screwdriver and easily portable hardware. “
What do we know about Thunderspy?
Thunderspy is an evil maid attack. Leaving a device with a Thunderbolt port unattended and allowing an attacker to gain physical access to it means that it can access the data. It doesn’t matter if the device is locked or in sleep mode or if the data is encrypted. All the attacker needs is access to the computer.
Evil maid attacks are where people leave their computer on a desk in hotel rooms. They close or lock the screen and go to breakfast, dinner or a drink. Allow the evil maid to enter the room to launch the attack on the computer. It is an effective and direct attack.
Ruytenberg has identified seven vulnerabilities:
- Inadequate firmware verification schemes.
- Weak device authentication scheme.
- Use of metadata from unauthenticated devices.
- Downgrade attack with backward compatibility.
- Use of unauthenticated controller configurations.
- Shortcomings of the SPI flash interface.
- There is no Thunderbolt security at Boot Camp.
For each vulnerability, there are multiple exploits, and the document detailing Thunderspy Ruytenberg also provides some exploit scenarios.
Intel shuffled its feet and didn’t make a full disclosure
One of the troubling things here is Intel’s response. Ruytenberg has released the timeline for disclosure to Intel about the different vulnerabilities that were found. He affirms: “We disclosed vulnerabilities 1-5 to Intel on February 10. They wrote on March 10 that their engineering team confirmed the vulnerabilities, and that vulnerabilities 3-5 were new to them. After further investigation, we revealed vulnerability 6, which Intel confirmed on March 17. “
Hardware vendors generally alert all of their OEM / ODM partners once vulnerabilities are confirmed. This allows them to develop patches and submit them in a coordinated process. Unfortunately, it appears that Intel decided not to do that. It took several emails before Intel started transmitting the information. Even then, Ruytenberg identified the affected parties that Intel did not alert Thunderspy.
He says: “In our first email, we asked Intel to immediately notify affected parties, in coordination with us. However, Intel took no action, and finally, after several email exchanges, it listed only 5 parties to report to. We then sent them a list of other parties that we had identified as affected, including 11 OEM / ODM and the Linux kernel security team. Eventually, they notified us that they informed some parties on March 25 about the vulnerabilities and the upcoming disclosure, without giving us details of what this information consisted of and who exactly they contacted. We contacted several other parties after realizing that Intel had omitted them. “
Enterprise Times has asked Intel for more information. So far, beyond saying there is a document that addresses this, Intel has been unable to provide a copy.
How about Apple?
Ruytenberg says that all Apple Macs released from 2011 onwards except Retina MacBooks are vulnerable to Thunderspy. Ruytenberg says his team provided Apple with details of vulnerability seven on April 17. It is the only vulnerability that applies to Apple devices.
Importantly, it only affects apples when users run Boot Camp to run Windows or Linux. This is because doing so disables Thunderbolt security. Many security researchers and developers use Boot Camp to be able to develop and test multiple operating systems on a single device. Thunderspy may cause them to reconsider this approach.
Apple gave the following response on the disclosure. “Some of the hardware security features you described are only available when users are running macOS. If users are concerned about any of the problems in their document, we recommend using macOS. “
Protecting against Thunderspy
According to Joseph Carson, chief security scientist at cybersecurity company Thycotic, there are things users can do to protect themselves.
“The Thunderbolt flaw exposed on millions of computers is a serious problem, allowing the attacker in just a matter of minutes to bypass the security of the device that keeps unauthorized users away. Although fortunately for this attack, it requires physical access and requires visible manipulation, so it can only happen when an attacker is alone for several minutes with his computer.
“This means that leaving your computer for just a few minutes gives the attacker the ability to gain access to your data, activity, and accounts. It may be worth making it a little more difficult and putting tamper-resistant stickers on your device’s screws to at least make any tampering more visible, although this alone is not a complete test. Making sure to log out when you leave your device unattended makes it more difficult, though again, not impossible for the attacker to gain access. Anything you can do to force the attacker to take longer to succeed in such attacks increases the risk of exposure. At this time, I have not seen any evidence of this attack, although it raises questions about how long attackers may have known about this.
“Unfortunately for this attack, there is no easy fix, and any vendor hardware exposed by this attack will need creative ideas to make it more difficult and completely resolve the vulnerability.”
Enterprise Times: What does this mean?
Many users view vulnerabilities as a software problem and therefore refer to the operating system or application. What has become apparent in the past five years is that the firmware inside computers is as open to attack as the software on the device.
The Meltdown and Specter attacks on multi-vendor computer processors caused chip vendors to reconsider their design processes. Thunderspy is likely to have the same effect. The introduction of Kernel DMA Protection in 2019 mitigates some of Thunderspy’s impacts. However, it does not completely remove it.
Thunderspy is also likely to affect future technology standards, such as USB 4 and Thunderbolt 4. Ruytenberg says both standards will require a redesign of silicon. Both are expected to ship on computers this year, meaning OEM / ODMs will have to make some tough decisions. Are they delaying the release of new hardware or are they shipped with a known vulnerability?
Even if Thunderspy is repaired in silicon, the problem will be the millions of devices that are currently in use. This is not an attack that will go away soon.
[ad_2]
