Thunderbolt flaws open millions of PCs to physical hacking




A new attack method allows bad actors to access data on a locked computer through an evil maid attack in 5 minutes

Millions of computers with Intel Thunderbolt ports are open to physical hacking attempts due to vulnerabilities in the hardware interface, according to research published by Björn Ruytenberg, a security researcher at Eindhoven University of Technology in the Netherlands. Dubbed Thunderspy, the attack method affects Thunderbolt-equipped machines manufactured between 2011 and 2020 and is a concern with machines running any of the three major operating systems: Windows, Linux, and, to a lesser extent, macOS.

To snatch data from a PC through a so-called evil maid attack, all a bad actor would need is a few minutes, physical access to the device, and some ready-to-use equipment. “All the evil maid has to do is unscrew the back plate, momentarily plug in a device, reprogram the firmware, replace the back plate, and the evil maid has full access to the laptop,” Ruytenberg told Wired, adding that the entire process could be managed within five minutes. A total of 7 vulnerabilities were found to affect Thunderbolt versions 1-3, all of which are detailed in the research paper.

The attack method works even if you follow cybersecurity best practices, such as locking your computer when leaving for a moment and using strong passwords and security measures like full disk encryption. Above all, the attack leaves no traces.

As a proof of concept, Ruytenberg developed a firmware patching toolkit called Thunderbolt Controller Firmware Patcher (tcfp), which makes it possible to disable Thunderbolt security without accessing the BIOS or the machine’s operating system. Since all of this takes place covertly and the changes are not reflected in the BIOS, the victim remains none the wiser.

Ruytenberg also developed another tool, called SPIblock. Using it in conjunction with tcfp, he managed to disable Thunderbolt security permanently and block all future firmware updates, while remaining undetected.

Thunderbolt security was also in the spotlight last year, when a team of researchers was able to discover a collection of vulnerabilities they called Thunderclap. Fortunately, those could be mitigated by the security options, called “Security Levels,” that were already available at the time.

Not so with Thunderspy, since this attack method circumvents these security settings. What does protect against it is Kernel Direct Memory Access (DMA) protection, which was introduced in 2019, as Intel states in its response to the published report.

Ruytenberg concludes that an update will not suffice to fix the problem: “Thunderspy vulnerabilities cannot be repaired in software, they affect future standards like USB 4 and Thunderbolt 4, and will require a silicon redesign.”

If you are concerned that your computer is susceptible to an attack, you can use Spycheck, a tool specifically developed by the researcher to search for Thunderspy vulnerabilities. To protect yourself, you shouldn’t leave your computer unattended while it’s on, even if you locked the screen; the same applies to your Thunderbolt peripherals. Ruytenberg also recommends disabling your Thunderbolt ports entirely in BIOS, which would render them inoperative but should keep your computer safe.
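
On Linux, the two settings discussed above (the Thunderbolt Security Level and DMA protection) can be read from sysfs. The following is an added example, not Spycheck and not the researcher's code; it assumes the kernel's `security` and `iommu_dma_protection` Thunderbolt domain attributes, and the function and verdict names are made up for this illustration.

```python
from pathlib import Path

def read_attr(path):
    """Return the stripped contents of a sysfs attribute, or None if absent."""
    try:
        return path.read_text().strip()
    except OSError:
        return None

def assess_thunderbolt(sysfs_root="/sys/bus/thunderbolt/devices"):
    """Return one finding per Thunderbolt domain found under sysfs_root."""
    root = Path(sysfs_root)
    if not root.is_dir():
        return []  # no Thunderbolt bus exposed (no controller, or ports disabled)
    findings = []
    for domain in sorted(root.glob("domain*")):
        level = read_attr(domain / "security")
        iommu = read_attr(domain / "iommu_dma_protection")
        # Per the article, Security Levels do not stop Thunderspy, so the level
        # is reported but only DMA protection decides the verdict.
        if iommu == "1":
            verdict = "dma-protected"
        elif iommu == "0":
            verdict = "exposed"
        else:
            verdict = "unknown"  # attribute missing, e.g. an older kernel
        findings.append(
            {"domain": domain.name, "security_level": level, "verdict": verdict}
        )
    return findings

if __name__ == "__main__":
    results = assess_thunderbolt()
    if not results:
        print("No Thunderbolt domain visible in sysfs")
    for r in results:
        print(f"{r['domain']}: security level={r['security_level']}, {r['verdict']}")
```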


Amer Owaida


