

Most personal computers with a Thunderbolt port are vulnerable to a new exploit that allows hackers with physical access to a machine to compromise it even if the screen is locked and the hard drive is encrypted.
The exploit, dubbed Thunderspy, was publicly detailed on Sunday. It affects all Windows and Linux computers with Thunderbolt ports that were made before 2019 and also poses a risk, albeit a more limited one, to Apple Inc.’s Macs.
Thunderspy relies on no fewer than seven different vulnerabilities found in the Thunderbolt standard by Bjorn Ruytenberg, the researcher who discovered the issue. A hacker could exploit them using a few hundred dollars’ worth of electronic components. The attack involves using a SPI programmer, a small device for configuring chips such as flash drives, to manipulate a Thunderbolt connector’s controller chip and disable its security features.
“Thunderbolt host and device controllers operate using updatable firmware stored in its SPI flash,” Ruytenberg wrote in the academic paper detailing the exploit. Thunderbolt ports’ controller chips check the authenticity of this firmware to prevent tampering, but the mechanism is not perfect, which makes it possible to corrupt the code. “During our experiments, using a SPI programmer, we have written arbitrary, unsigned firmware directly onto the SPI flash,” the researcher added.
The experiments showed that a hacker could sneak the malicious firmware into a PC in about five minutes by removing the machine’s case with a screwdriver and connecting the SPI programmer to the Thunderbolt port’s controller chip. The exploit bypasses a user’s security settings. A PC left unattended can be compromised even if the screen is locked, the hard drive is encrypted and Thunderbolt is disabled at the operating system level.
Intel, the developer of the Thunderbolt standard, released a technology called Kernel DMA Protection in 2019 that disables Thunderspy. “The researchers did not demonstrate successful DMA attacks against systems with these mitigations enabled,” Intel noted in a statement on Sunday.
But Windows and Linux computers that were made before Kernel DMA Protection became available in 2019, or that are newer but don’t come equipped with the technology, are vulnerable. Macs can be compromised too. However, the risk to Apple Inc. users is smaller because macOS applies certain security settings to Thunderbolt that make the vulnerability harder to exploit.
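To see which side of that line a Linux machine falls on, the kernel's Thunderbolt sysfs interface can be read directly. The script below is an added example, not part of the original article or of Ruytenberg's tooling; it relies on the `iommu_dma_protection` and `security` attributes the Linux Thunderbolt driver exposes per domain, and the function names are chosen here for illustration.

```shell
#!/bin/sh
# Added example: report Thunderbolt DMA protection state from Linux sysfs.
# The sysfs root is a parameter so the check can also be run against a
# constructed directory tree instead of the live system.

# classify_domain DIR -> prints "protected", "unprotected" or "unknown"
classify_domain() {
    dir=$1
    f="$dir/iommu_dma_protection"
    if [ ! -r "$f" ]; then
        # Attribute missing: older kernel, or not a Thunderbolt domain directory.
        echo unknown
        return 0
    fi
    case "$(cat "$f")" in
        1) echo protected ;;    # IOMMU-based DMA protection is in use
        0) echo unprotected ;;  # no IOMMU protection for Thunderbolt DMA
        *) echo unknown ;;
    esac
}

# audit_thunderbolt [ROOT] -> one line per Thunderbolt domain.
# Returns 1 if any domain is not reported as protected, 0 otherwise.
audit_thunderbolt() {
    root=${1:-/sys/bus/thunderbolt/devices}
    rc=0
    found=0
    for d in "$root"/domain*; do
        [ -d "$d" ] || continue
        found=1
        state=$(classify_domain "$d")
        level=unknown
        # Security level configured in firmware (e.g. none, user, secure).
        [ -r "$d/security" ] && level=$(cat "$d/security")
        echo "$(basename "$d") dma_protection=$state security_level=$level"
        [ "$state" = protected ] || rc=1
    done
    [ "$found" -eq 1 ] || echo "no Thunderbolt domains found under $root"
    return $rc
}
```

Calling `audit_thunderbolt` with no argument inspects the live system; a non-zero return marks a machine whose Thunderbolt controller is not covered by IOMMU-based DMA protection.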
The low-level nature of the Thunderbolt flaws that Thunderspy relies on means PC makers can’t issue an over-the-air security update. In other words, there’s no way to patch a vulnerable machine. Fortunately, the fact that Thunderspy requires physical access to a machine and a considerable amount of technical know-how to exploit means that it won’t pose a serious risk to the vast majority of users.