Thunderspy Attack – Critical Intel Thunderbolt Bug Let Attackers Hack Millions of PCs Within 5 Minutes

Recently, a security expert at the Eindhoven University of Technology demonstrated how a new attack method on Windows or Linux computers with a Thunderbolt port could allow anyone to hack devices in less than five minutes. Yes, just five minutes!

With the help of a new technique called Thunderspy, it is possible to circumvent the authorization or lock screen, and even hard disk encryption, on computers that are locked or in sleep mode, change security settings, and then access data on the device.

The author of this method, Björn Ruytenberg, has explained, “Although in most cases it will be necessary to open the PC case to exploit the vulnerability, the attack leaves no traces and takes only a few minutes.”

The new method belongs to the type of attacks known as “evil maid,” in which an attacker who has physical access to a PC can easily circumvent local authentication.

According to the author of this method, Björn Ruytenberg, “The only way to defend against a ‘Thunderspy attack’ is to disable the Thunderbolt port.”

Thunderspy PoCs in Action

Following the release of a report on the Thunderclap attack, which steals information directly from OS memory using peripherals, the giant chip maker Intel introduced the Kernel DMA Protection security mechanism, which blocks connected Thunderbolt 3 devices and prevents them from using Direct Memory Access (DMA) until they complete a specific set of procedures.

Apart from all these things, here’s the short and clear summary published by the author of this method, Björn Ruytenberg, “Thunderspy is very complicated, and you cannot find any traces of this attack.

It does not even require your involvement, as other cyber threats such as phishing links or malware attacks do.

Even if you follow the best security practices by locking your computer when leaving temporarily, or if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption, Thunderspy will not be affected by those security mechanisms.

All the attacker needs is only 5 minutes alone with the computer or laptop, a screwdriver, and some portable hardware tools.”

So far, security experts have found the following vulnerabilities:

  • Inadequate firmware verification schemes.
  • Weak device authentication scheme.
  • Use of unauthenticated device metadata.
  • Downgrade attack using backward compatibility.
  • Use of unauthenticated controller configurations.
  • SPI flash interface deficiencies.
  • No Thunderbolt security on Boot Camp.

Thunderbolt controllers can operate in two modes, either ‘Host Mode’ or ‘Endpoint Mode.’

In ‘Host Mode,’ the Thunderbolt controller connects to the system over a bare-metal PCIe interface, through which the PCH opens a PCIe x4 link to the Thunderbolt 3 controller.

Thunderbolt 3 silicon can dynamically switch between the following PHY modes:

  • USB passthrough mode.
  • Mixed USB/DisplayPort mode.
  • Native Thunderbolt mode.

Protection has been available since 2019, but practically no one covers it

But hold on, the key problem lies elsewhere. Here’s what the researcher explained: “This feature definitely prevents a Thunderspy attack, but the problem is that this mechanism is not available on the PCs that were released before 2019. And not only that, there are even many Thunderbolt peripherals that were manufactured before 2019, and they do not support this technology.”

The security experts have already examined several models of Dell, HP, and Lenovo PCs and found that Dell PCs do not have the Kernel Direct Memory Access (DMA) Protection feature, including devices released after 2019.

In the case of HP and Lenovo, only a few models use this technology, while on the other hand, this vulnerability does not affect Apple computers.
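Whether a given Linux host actually has this protection can be checked from the kernel's Thunderbolt sysfs attributes. The following is an added example, not code from the researcher or the original article: it reads the `security` and `iommu_dma_protection` attributes of each Thunderbolt domain and treats only IOMMU-backed DMA protection as sufficient. The function names, verdict strings and the constructed sysfs tree used for offline runs are assumptions made for illustration.

```python
import os
import tempfile

THUNDERBOLT_SYSFS = "/sys/bus/thunderbolt/devices"  # Linux Thunderbolt bus


def _read_attr(path):
    """Return a sysfs attribute as stripped text, or None if it is absent."""
    try:
        with open(path, encoding="ascii") as fh:
            return fh.read().strip()
    except OSError:
        return None


def assess_domains(sysfs_root=THUNDERBOLT_SYSFS):
    """Return one record per Thunderbolt domain found under sysfs_root."""
    try:
        entries = sorted(os.listdir(sysfs_root))
    except OSError:
        return []  # bus absent: no controller enumerated (absent or disabled)
    results = []
    for name in entries:
        if not name.startswith("domain"):
            continue  # skip attached devices such as 0-0 or 0-1
        base = os.path.join(sysfs_root, name)
        level = _read_attr(os.path.join(base, "security"))
        iommu = _read_attr(os.path.join(base, "iommu_dma_protection"))
        # Only IOMMU-backed DMA protection counts here: the security level is
        # controller configuration, which the article lists as unauthenticated.
        # A missing attribute (older kernel) is conservatively "exposed".
        verdict = "dma-protected" if iommu == "1" else "exposed"
        results.append({"domain": name, "security": level,
                        "iommu_dma_protection": iommu, "verdict": verdict})
    return results


def build_constructed_sysfs(domains):
    """Create a constructed (fake) sysfs tree for offline runs; return its path."""
    root = tempfile.mkdtemp(prefix="tb-sysfs-")
    for name, attrs in domains.items():
        os.makedirs(os.path.join(root, name))
        for attr, value in attrs.items():
            with open(os.path.join(root, name, attr), "w", encoding="ascii") as fh:
                fh.write(value + "\n")
    return root


if __name__ == "__main__":
    for record in assess_domains():
        print(record)
```

An empty result means no Thunderbolt domain is enumerated, which is what a host with the controller absent or disabled in firmware setup looks like.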

According to HP, “Most HP commercial PC mobile workstations that support ‘Sure Start Gen5’ and higher have the protection against the Thunderspy bug.”

Apart from this, Lenovo said, “We are currently studying the situation, as Thunderbolt is a peripheral connectivity technology which is developed by Intel in association with Apple that allows transferring data, video, audio, and charge through a single port.”

Moreover, if you don’t know about ‘HP Sure Start,’ let me clarify that it is a security mechanism developed by HP that protects the computer’s BIOS from several cyberattacks or corruption.

It is responsible for BIOS security and includes the Dynamic Protection function, which simply checks the BIOS not only when the device status changes but also during the day at regular intervals.


Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
