A security researcher at Eindhoven University of Technology, Bjorn Ruytenberg, discovered that computers equipped with Thunderbolt contain vulnerabilities that could leave millions of computers exposed to “Thunderspy” attacks. Ruytenberg revealed that he found seven vulnerabilities in Intel’s Thunderbolt port design and created nine attack vectors.
In a blog post, Ruytenberg stated that the Thunderspy flaws affect Windows and Linux devices manufactured before 2019. Attackers who have the proper hardware tools and a few minutes with the machine can bypass its defenses and access and copy the data on the targeted computer. “All the attacker needs is five minutes with just the computer, a screwdriver and easily portable hardware,” Ruytenberg said.
Vulnerabilities found:
- Improper firmware verification schemes
- Weak device authentication scheme
- Use of metadata from unauthenticated devices
- Downgrade attack using backward compatibility
- Use of unauthenticated controller configurations
- SPI Flash interface deficiency
- No Thunderbolt security on Boot Camp
How is the attack carried out?
To carry out a Thunderspy attack on a vulnerable computer, an attacker only needs to unscrew the backplane, momentarily plug in a device, reprogram the firmware (to control the Thunderbolt port), and replace the backplane. The reprogrammed firmware then allows the attacker to change the Thunderbolt port settings, opening the way for any malicious device to access it. Ruytenberg claimed that this method works even when the device is locked with a password, the data on its hard drive is encrypted, and access to the Thunderbolt port is disabled.
In a proof-of-concept video, Ruytenberg demonstrated that he could unscrew the bottom panel of a Thunderbolt-equipped ThinkPad to access its Thunderbolt controller.
“Thunderspy is stealth, which means you cannot find any trace of the attack. It does not require your participation, i.e. there is no phishing link or malicious piece of hardware that the attacker tricks you into using. Thunderspy works even if you follow security best practices by locking or suspending your computer by briefly quitting, and if your system administrator has configured the device with secure boot, strong BIOS and operating system passwords, and enabled full disk encryption,” Ruytenberg said.
The researcher reported the problem to Intel in a report on Thunderbolt that discusses the issues related to invasive physical attacks on Thunderbolt hosts and devices. Intel clarified that it has created a Thunderbolt security system known as Kernel Direct Memory Access Protection to prevent Thunderspy attacks. “While the underlying vulnerability is not new and was addressed in versions of the operating system last year, researchers demonstrated potential new vectors of physical attack using a custom peripheral device on systems that did not have these mitigations enabled,” Intel said in a publication.
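A defender-side check for the mitigation Intel refers to, as an added example that is not from Ruytenberg's post or from Intel: on Linux, the kernel exposes each Thunderbolt domain's security level and whether the IOMMU is used for DMA protection (the Linux counterpart of Kernel DMA Protection) in sysfs. The function name, verdict labels and the optional root argument (used to run it against a constructed tree) are assumptions of this example.

```shell
#!/bin/sh
# Added example: report Thunderbolt DMA protection state from Linux sysfs.
# Usage: source this file, then run `tb_dma_report` (optionally with a root dir).

# Prints one line per Thunderbolt domain:
#   <domain> <security-level> <iommu_dma_protection> <verdict>
# Returns 0 if every domain uses IOMMU DMA protection, 1 if any domain does
# not (or its state cannot be read), 2 if no Thunderbolt domain is present.
tb_dma_report() {
    # The root argument is hypothetical convenience for testing; the default
    # is the kernel's real sysfs location.
    root="${1:-/sys/bus/thunderbolt/devices}"
    found=0
    status=0
    for dom in "$root"/domain*; do
        [ -d "$dom" ] || continue
        found=1
        # Security level: none, user, secure, dponly, usbonly or nopcie.
        sec=$(cat "$dom/security" 2>/dev/null || echo unknown)
        # 1 = the kernel confines Thunderbolt DMA with the IOMMU;
        # 0 = protection rests on the security level alone.
        # The attribute is absent on kernels that predate it.
        iommu=$(cat "$dom/iommu_dma_protection" 2>/dev/null || echo absent)
        case "$iommu" in
            1) verdict=protected ;;
            0) verdict=security-level-only; status=1 ;;
            *) verdict=unknown; status=1 ;;
        esac
        # Level "none" without IOMMU protection means no DMA barrier at all.
        if [ "$sec" = none ] && [ "$iommu" != 1 ]; then
            verdict=unprotected
        fi
        printf '%s %s %s %s\n' "$(basename "$dom")" "$sec" "$iommu" "$verdict"
    done
    [ "$found" -eq 1 ] || return 2
    return "$status"
}
```

On Windows, the corresponding state is shown as "Kernel DMA Protection" in the System Information (msinfo32) summary.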