Sunday, May 19, 2024

Thunderspy Attack – Critical Intel Thunderbolt Bug Let Attackers Hack Millions of PCs Within 5 Minutes

Recently, a security researcher at the Eindhoven University of Technology has demonstrated how a new attack method against Windows or Linux computers with a Thunderbolt port could allow anyone to hack the device in less than five minutes. Yes, just five minutes!

With the help of a new technique called Thunderspy, it is possible to bypass the login or lock screen, and even hard disk encryption, on computers that are locked or in sleep mode, change their security settings, and then access the data on the device.

The author of this method, Björn Ruytenberg, has explained, “Although in most cases it will be necessary to open the PC case to exploit the vulnerability, the attack leaves no traces and takes only a few minutes.”

The new method belongs to the class of attacks known as “evil maid,” in which an attacker with physical access to a PC can circumvent local authentication.

According to the author of this method, Björn Ruytenberg, “The only way to defend against a ‘Thunderspy attack’ is to disable the Thunderbolt port.”

Thunderspy PoCs in Action

Following the publication of the Thunderclap research, which showed how a malicious peripheral can read information directly from OS memory, chip maker Intel introduced the Kernel DMA Protection mechanism, which blocks connected Thunderbolt 3 devices from performing Direct Memory Access (DMA) until they complete a specific set of procedures.

Apart from all this, here is the short and clear summary published by the author of this method, Björn Ruytenberg: “Thunderspy is very complicated, and you cannot find any traces of this attack.

It does not even require your involvement, unlike other cyber threats such as phishing links or malware attacks.

Even if you follow the best security practices by locking your computer when leaving temporarily, or if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption, none of those security mechanisms will have any impact on Thunderspy.

All the attacker needs is 5 minutes alone with the computer or laptop, a screwdriver, and some portable hardware.”

So far, the researchers have identified the following vulnerabilities:-

  • Inadequate firmware verification schemes.
  • Weak device authentication scheme.
  • Use of unauthenticated device metadata.
  • Downgrade attack using backward compatibility.
  • Use of unauthenticated controller configurations.
  • SPI flash interface deficiencies.
  • No Thunderbolt security on Boot Camp.

Thunderbolt controllers can operate in one of two modes, either ‘Host Mode’ or ‘Endpoint Mode.’

In ‘Host Mode,’ the Thunderbolt controller connects to the system over a bare-metal PCIe interface: the PCH (Platform Controller Hub) exposes a PCIe x4 link to the Thunderbolt 3 controller, as illustrated in the picture below.

Generally, Thunderbolt 3 silicon can dynamically switch between the following PHY modes:-

  • USB passthrough mode.
  • Mixed USB/DisplayPort mode.
  • Native Thunderbolt mode.

Protection has been available since 2019, but practically no one ships it

But hold on, the key problem lies elsewhere, as the researcher explained: “This feature definitely prevents a Thunderspy attack, but the problem is that this mechanism is not available on the PCs that were released before 2019. And not only that, there are also many Thunderbolt peripherals that were manufactured before 2019, and they do not support this technology.”

The researchers have already examined several Dell, HP, and Lenovo PC models and found that the Dell PCs do not have the Kernel Direct Memory Access (DMA) Protection feature, including devices released after 2019.

In the case of HP and Lenovo, only a few models use this technology, while Apple computers, on the other hand, are not affected by this vulnerability.
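Since the article's point is that the defence exists but is rarely shipped, the first thing a practitioner wants is a way to check a given machine. The following POSIX shell check is an added example (not code from the article or from the Thunderspy researchers): it reads the Linux kernel's Thunderbolt sysfs attributes to report whether the host is running with IOMMU-based DMA protection (what Intel markets as Kernel DMA Protection) or only with the legacy security level that the weaknesses listed above undermine. The attribute names are the kernel's own; the sysfs root and domain are parameters so the check can also be run against a constructed tree, and the verdict labels are my own.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Reports the Thunderbolt DMA-protection state of a Linux host by reading
# the thunderbolt driver's sysfs attributes (Documentation/admin-guide/thunderbolt.rst).
# Usage: tb_dma_status [SYSFS_ROOT] [DOMAIN]   (defaults: live sysfs, domain0)

tb_dma_status() {
    root="${1:-/sys/bus/thunderbolt/devices}"
    dom="$root/${2:-domain0}"
    # No domain directory: either no Thunderbolt controller or the driver is not loaded.
    [ -d "$dom" ] || { echo "no-thunderbolt-domain"; return 0; }

    # 'security' is the level the firmware negotiated: none, user, secure,
    # dponly, usbonly or nopcie. Older kernels do not expose it at all.
    level="unknown"
    [ -r "$dom/security" ] && level=$(cat "$dom/security")

    # 'iommu_dma_protection' is 1 when the kernel enforces IOMMU-based DMA
    # protection for Thunderbolt devices (the Kernel DMA Protection scheme), else 0.
    iommu=0
    [ -r "$dom/iommu_dma_protection" ] && iommu=$(cat "$dom/iommu_dma_protection")

    if [ "$iommu" = "1" ]; then
        # Device memory access is mediated by the IOMMU regardless of security level.
        echo "protected: iommu-dma-protection level=$level"
    else
        case "$level" in
            none|unknown)
                # No IOMMU enforcement and no device authentication at all.
                echo "exposed: no-iommu level=$level" ;;
            *)
                # Only the firmware-side authentication scheme stands between a
                # plugged-in device and DMA, which is what Thunderspy targets.
                echo "partial: no-iommu level=$level" ;;
        esac
    fi
}

# Print the verdict for the live system when run as a script.
tb_dma_status "$@"
```

Run it as root or any user; the attributes are world-readable on stock kernels, and "partial" is the state the article describes for pre-2019 machines.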

According to HP, “Most HP commercial PC mobile workstations that support ‘Sure Start Gen5’ and higher have protection against the Thunderspy bug.”

Apart from this, Lenovo said, “We are currently studying the situation, as Thunderbolt is a peripheral connectivity technology, developed by Intel in association with Apple, that allows transferring data, video, audio, and charging through a single port.”

Moreover, if you are not familiar with ‘HP Sure Start,’ it is a security mechanism developed by HP that protects the computer’s BIOS from attacks and corruption.

It is responsible for BIOS integrity and includes the Dynamic Protection function, which verifies the BIOS not only when the device state changes but also at regular intervals during the day.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
