Saturday, October 12, 2024
HomeComputer SecurityThunderspy Attack - Critical Intel Thunderbolt Bug Let Attackers Hack Millions of...

Thunderspy Attack – Critical Intel Thunderbolt Bug Let Attackers Hack Millions of PCs Within 5 Minutes

Published on

Malware protection

Recently, a security expert at the Eindhoven University of Technology has exhibited that how a new attack method on Windows or Linux computers with support for the Thunderbolt port could allow anyone to hack devices in less than five minutes. Yes, just five minutes only!!!

With the help of a new technique called Thunderspy, it is possible to circumvent the authorization or lock screen and even hard disk encryption as well on computers that are locked or in sleep mode, change security settings, and then access data on the device. 

The author of this method, Björn Ruytenberg, has explained, “Although in most cases it will be necessary to open the PC case to exploit the vulnerability, and the attack leaves no traces and takes only a few minutes only.”

- Advertisement - SIEM as a Service

The new method leads to the type of attacks known as “evil maid,” in which an attacker who has physical access to a PC can easily circumvent local authentication.

According to the author of this method, Björn Ruytenberg, “The only way to defend against a ‘Thunderspy attack‘ is to disable the Thunderbolt port.”

Thunderspy PoCs in Action

Following the release of a report on a Thunderclap attack that steals information directly from OS memory using peripherals, the giant chip maker, Intel introduced the Kernel DMA Protection security mechanism, which blocks connected Thunderbolt 3 devices and prevents them from accessing the Direct Memory Access (DMA) until they complete a specific set of procedures.

Apart from all these things, here’s the short and clear summary published by the author of this method, Björn Ruytenberg, “Thunderspy is very complicated, and you cannot find any traces of this attack.

As it does not even require your involvement like other cyber threats like phishing link or malware attacks.

Even if you follow the best security practices by locking your computer when leaving temporarily, or if your system administrator has set up the device with Secure Boot, strong BIOS, and operating system account passwords, and enabled full disk encryption, Thunderspy will don’t have any impact of those security mechanisms.

All the attacker needs is only 5 minutes alone with the computer or laptop, a screwdriver, and some portable hardware tools.”

At the moment security experts have found the following vulnerabilities that we have mentioned below:-

  • Inadequate firmware verification schemes.
  • The weak device authentication scheme.
  • Use of unauthenticated device metadata.
  • Downgrade attack using backward compatibility.
  • Use of unauthenticated controller configurations.
  • SPI flash interface deficiencies.
  • No Thunderbolt security on Boot Camp.

The Thunderbolt controllers could be operated in two modes, either in ‘Host Mode’ or ‘Endpoint Mode.’

The Thunderbolt controllers connect to the system by using a bare-metal PCIe interface in ‘Host Mode,’ through which the PCH opens a PCIe x4 link to a Thunderbolt 3 controller, in the below picture you will get a clear example.

Generally, the Thunderbolt 3 represents the silicon that can dynamically switch between the PHY modes that we have mentioned below:-

  • USB passthrough mode.
  • Mixed USB/DisplayPort mode.
  • Native Thunderbolt mode.

Protection is available since 2019, but practically no one covers it

But, hold on, here the key problem is something else, here’s what the researcher explained, “This feature definitely prevents a Thunderspy attack, but the problem is that this mechanism is not available on the PCs that were released before 2019. And not only that, even there are many Thunderbolt peripherals that were manufactured before 2019, and they do not support this technology.”

The security experts have already examined several models of Dell, HP, and Lenovo PCs and found that the Dell PC does not have the Kernel Direct Memory Access (DMA) Protection feature, including the devices released after 2019.

In the case of HP and Lenovo, only a few models use this technology, while on the other hand, this vulnerability does not affect Apple computers.

According to HP, “Most HP commercial PC mobile workstations that support “Sure Start Gen5″ and higher have the protection against the Thunderspy bug.” 

Apart from this, Lenovo said, “We are currently studying the situation, as Thunderbolt is a peripheral connectivity technology which is developed by Intel in association with Apple that allows transferring data, video, audio, and charge through a single port.”

Moreover, if you don’t know about the ‘HP Sure Start,’ then let me clarify that it is a security mechanism developed by HP, and protects the computer’s BIOS from several cyberattacks or corruption.

It is responsible for BIOS security and includes the Dynamic Protection function, which simply checks the BIOS not only when the device status changes but also during the day at regular intervals.

So, what do you think about this? Simply share all your views and thoughts in the comment section below.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

Critical Automative 0-Day Flaws Let Attackers Gain Full Control Over Cars

Recent discoveries in the automotive cybersecurity landscape have unveiled a series of critical zero-day...