UPDATED 13:23 EDT / MAY 11 2020

SECURITY

Unpatchable exploit in Thunderbolt allows hackers to break into locked PCs

Most personal computers with a Thunderbolt port are vulnerable to a new exploit that allows hackers with physical access to a machine to compromise it even if the screen is locked and the hard drive is encrypted.

The exploit, dubbed Thunderspy, was publicly detailed on Sunday. It affects all Windows and Linux computers with Thunderbolt ports that were made before 2019 and also poses a risk, albeit a more limited one, to Apple Inc.’s Macs.

Thunderspy relies on no fewer than seven different vulnerabilities found in the Thunderbolt standard by Bjorn Ruytenberg, the researcher who discovered the issue. A hacker could exploit them using a few hundred dollars’ worth of electronic components. The attack involves using a SPI programmer, a small device for configuring chips such as flash drives, to manipulate a Thunderbolt connector’s controller chip and disable its security features.

“Thunderbolt host and device controllers operate using updatable firmware stored in its SPI flash,” Ruytenberg wrote in the academic paper detailing the exploit. Thunderbolt ports’ controller chips check the authenticity of this firmware to prevent tampering, but the mechanism is not perfect, which makes it possible to corrupt the code. “During our experiments, using a SPI programmer, we have written arbitrary, unsigned firmware directly onto the SPI flash,” the researcher added.

The experiments showed that a hacker could sneak the malicious firmware into a PC in about five minutes by removing the machine’s case with a screwdriver and connecting the SPI programmer to the Thunderbolt port’s controller chip. The exploit bypasses a user’s security settings. A PC left unattended can be compromised even if the screen is locked, the hard drive is encrypted and Thunderbolt is disabled at the operating system level.

Intel, the developer of the Thunderbolt standard, released a technology called Kernel DMA Protection in 2019 that disables Thunderspy. “The researchers did not demonstrate successful DMA attacks against systems with these mitigations enabled,” Intel noted in a statement on Sunday. 

But Windows and Linux computers that were made before Kernel DMA Protection became available in 2019, or are newer but don’t come equipped with the technology, are vulnerable. Macs can be compromised too. However, the risk to Apple Inc. users is smaller because macOS applies certain security settings to Thunderbolt that make the vulnerability harder to exploit.
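One way to check whether a Linux machine reports the Kernel DMA Protection mitigation described above (an added example, not code from the article, Intel or Ruytenberg's paper): the script reads the `security` and `iommu_dma_protection` attributes that the Linux kernel exposes for each Thunderbolt domain in sysfs. The function name `tb_dma_status`, its output format and its exit codes are choices made for this example.

```shell
#!/bin/sh
# Added example: report Kernel DMA Protection state per Thunderbolt domain.
# Usage: tb_dma_status            (reads /sys/bus/thunderbolt/devices)
#        tb_dma_status DIR        (reads a different root, e.g. a test tree)
# Exit status: 0 = every domain reports IOMMU-based DMA protection,
#              1 = at least one domain does not, 2 = no Thunderbolt domain found.

tb_dma_status() {
    root="${1:-/sys/bus/thunderbolt/devices}"
    found=0
    worst=0
    for dom in "$root"/domain*; do
        [ -d "$dom" ] || continue          # glob did not match anything
        found=1
        name=$(basename "$dom")
        # Controller security level as seen by the kernel
        # (none, user, secure, dponly, ...). Shown for context only: the
        # article notes the attack disables the controller's own security
        # features, so this value alone is not the mitigation.
        level=$(cat "$dom/security" 2>/dev/null || echo unknown)
        # 1 = the IOMMU is used for DMA protection, 0 = it is not.
        # Older kernels do not expose the attribute at all.
        if [ -r "$dom/iommu_dma_protection" ]; then
            case "$(cat "$dom/iommu_dma_protection")" in
                1) kdp=enabled ;;
                0) kdp=disabled ;;
                *) kdp=not-reported ;;
            esac
        else
            kdp=not-reported
        fi
        [ "$kdp" = enabled ] || worst=1
        echo "$name security=$level kernel_dma_protection=$kdp"
    done
    if [ "$found" -eq 0 ]; then
        echo "no Thunderbolt domains found under $root"
        return 2
    fi
    return "$worst"
}
```

A result of `not-reported` means the running kernel does not expose the attribute, so the state has to be confirmed another way, for example in the firmware setup.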

The low-level nature of the Thunderbolt flaws that Thunderspy relies on means PC makers can’t issue an over-the-air security update. In other words, there’s no way to patch a vulnerable machine. Fortunately, the fact that Thunderspy requires physical access to a machine and a considerable amount of technical know-how to exploit means that it won’t pose a serious risk to the vast majority of users. 
