TU/e security researchers find fatal vulnerabilities in Thunderbolt
A TU/e master student has found fatal flaws in the security of Thunderbolt, a popular technology developed by Intel (in collaboration with Apple) to quickly transfer data to and from a computer. The research shows that a hacker can easily get around the protections put in place by Intel to prevent malicious attacks. The vulnerabilities affect millions of computers and laptops.
Thunderbolt is a computer port that allows for high-speed data transmission between a PC or laptop and other devices, such as hard drives. The technology is found in tens or hundreds of millions of devices worldwide. Almost every new laptop and desktop computer since 2011 is shipping with Thunderbolt. The port can be recognized by the small flash symbol.
Intel claims that access through Thunderbolt is protected by cryptography, which should prevent all but the best-funded adversaries from getting unauthorized access. “However”, says master student Björn Ruytenberg (department of Mathematics and Computer Science), "to my surprise there was essentially nothing resembling modern cryptography. The little I found I could easily break or bypass."
Thunderspy
Ruytenberg found seven vulnerabilities in Intel’s design and developed nine realistic scenarios (collectively known as Thunderspy) for how these could be exploited by a malicious party. Thunderspy does not require any action by the victim, such as inadvertently connecting malicious devices or installing untrusted software.
All the attacker needs is five minutes alone with the computer, a screwdriver, and some easily portable hardware. Once they are in, they can read and copy all data, even if the drive is encrypted and the computer is locked or set to sleep. Thunderspy is also stealthy: it leaves no traces of the attack.
Gaps
Professor Tanja Lange, who together with PhD student Jacob Appelbaum supervised the master thesis, says the research fills important gaps of existing knowledge about the Thunderbolt protocol. “Björn has researched how the security mechanisms of Thunderbolt work and how Intel tries to stop unauthorized access to data on the computer. His findings have exposed vulnerabilities that threaten virtually every computer that has a Thunderbolt port and runs Windows or Linux."
Appelbaum says Ruytenberg is an extremely driven and talented student. “It is always gratifying when master students reach research level, and Björn's Thunderbolt research will be presented at BlackHat USA2020, a major information security conference held in August.”
Response Intel
The TU/e research team contacted Intel about the findings in February. The company has since confirmed the vulnerabilities. Unfortunately, the only solution offered by Intel so far has been Kernel DMA Protection. This feature protects against some of the vulnerabilties in Thunderbolt, but it has as only been available since 2019 and only on a limited number of PCs and laptops. And, because Kernel DMA Protection requires hardware support, it cannot be retrofitted to older systems. Every Thunderbolt-enabled system produced before 2019 and the majority of systems since - almost a full decade of deployed devices - will receive no patch or update.
Check your computer
So what does this mean for your device? Ruytenberg recommends that all users of PCs and laptops download Spycheck, a special tool he developed that can check whether they are affected. Spycheck will guide users to recommendations on how to help protect their system. One of the solutions is disabling Thunderbolt completely in their BIOS. It is also wise not to leave any Thunderbolt-enabled system unattended even just for five minutes.
The responsible service Information Management & Services (IMS) at TU/e says it welcomes Ruytenberg’s tool, and that it will contact the researchers to inform whether it can support them in the further development of Spycheck. IMS estimates that TU/e students and staff members are at limited risk as long as they work from home, but advices people not to leave their notebooks outside unattended and to switch them off instead of into sleep mode. Those who don’t expect to need Thunderbolt are advised to deactivate the port, and may contact the servicedesk if they need help. As yet, IMS sees no reason for banning unattended vulnerable workstations from the network.
Discussion