Thunderbolt offers breakneck transfer speeds by giving devices direct access to your PC’s memory, which also creates several vulnerabilities. Researchers previously thought those weaknesses (dubbed Thunderclap) could be mitigated by disallowing access to untrusted devices or by disabling Thunderbolt altogether while still allowing DisplayPort and USB-C access.
However, Ruytenberg’s attack method could get around even those settings by changing the firmware that controls the Thunderbolt port, allowing any device to access it. What’s more, the hack leaves no trace, so the user would never know their PC was altered.
If you intend to use Thunderbolt connectivity, it is strongly recommended that you connect only your Thunderbolt peripherals; never lend them to anybody; avoid leaving your system unattended while powered on, even when screen-locked; avoid leaving your Thunderbolt peripherals unattended; ensure appropriate physical security when storing your system and any Thunderbolt devices, including Thunderbolt-powered displays; and consider using hibernation (Suspend-to-Disk) or powering off the system completely. Specifically, avoid using sleep mode (Suspend-to-RAM).
Ruytenberg developed something called an “evil maid attack,” referring to an attacker who gets physical access to a PC in a hotel room, for instance. “All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate, and the evil maid gets full access to the laptop,” Ruytenberg told Wired. “All of this can be done in under five minutes.”
The attack only requires about $400 worth of gear, including an SPI programmer and a $200 Thunderbolt peripheral. The whole thing could be built into a single small device. “Three-letter agencies would have no problem miniaturizing this,” Ruytenberg said.
Intel recently created a Thunderbolt security system called Kernel Direct Memory Access (DMA) Protection that would stop Ruytenberg’s Thunderspy attack. However, that protection is only available on computers made in 2019 and later, so models manufactured before then lack it. Also, many PCs manufactured in 2019 and later from Dell, HP, and Lenovo aren’t protected, either. This vulnerability might explain why Microsoft didn’t include Thunderbolt in its Surface laptops.
Intel just released a blog post giving its perspective on the issue.
Apple computers running macOS are unaffected by the vulnerability unless you’re running Boot Camp, according to Ruytenberg.
The researchers disclosed the vulnerabilities to Intel on February 10th, 2020, and to Apple on April 17th. To find out if you’re vulnerable, there is a verification tool called Spycheck. To protect yourself, you should “avoid leaving your system unattended while powered on, even if screen-locked,” Ruytenberg wrote, as well as avoid using sleep mode and ensure the physical security of your Thunderbolt peripherals.
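On a Linux machine, the two things the article singles out (whether IOMMU-based DMA protection is active, and whether the system sleeps to RAM) can be read straight from the kernel's sysfs files. The script below is an added example, not part of the original article and not Spycheck itself; the function names and the root-prefix argument are assumptions of the example, and the sample tree it can build is constructed data.

```sh
#!/bin/sh
# Added example (not Spycheck): audit Thunderbolt DMA exposure on Linux via sysfs.
# Reads the kernel's thunderbolt attributes `security` and `iommu_dma_protection`
# per domain, plus /sys/power/mem_sleep. The root-prefix argument is an assumption
# of this example so the audit can also run against a constructed tree.

tb_domain_verdict() {   # $1 = domain directory; prints one verdict line
    dom=$1; level=unknown; iommu=unknown
    [ -r "$dom/security" ] && level=$(cat "$dom/security")
    [ -r "$dom/iommu_dma_protection" ] && iommu=$(cat "$dom/iommu_dma_protection")
    if [ "$iommu" = 1 ]; then
        verdict=PROTECTED   # IOMMU-based DMA protection is in use
    else
        verdict=EXPOSED     # only the security level stands in the way
    fi
    echo "$(basename "$dom") security=$level iommu_dma_protection=$iommu $verdict"
}

tb_audit() {            # $1 = root prefix, empty for the live system
    root=${1:-}; found=0; rc=0
    for dom in "$root"/sys/bus/thunderbolt/devices/domain*; do
        [ -d "$dom" ] || continue
        found=1
        line=$(tb_domain_verdict "$dom")
        echo "$line"
        case $line in *EXPOSED) rc=1 ;; esac
    done
    [ "$found" = 1 ] || echo "no Thunderbolt domains found"
    # The bracketed entry is the mode used for suspend; "deep" is Suspend-to-RAM.
    if grep -q '\[deep\]' "$root/sys/power/mem_sleep" 2>/dev/null; then
        echo "sleep default=deep (Suspend-to-RAM) WARN"
    fi
    return "$rc"
}

make_sample_tree() {    # constructed sample data, not output from a real machine
    t=$(mktemp -d); base=$t/sys/bus/thunderbolt/devices
    mkdir -p "$base/domain0" "$base/domain1" "$t/sys/power"
    echo secure > "$base/domain0/security"
    echo 0 > "$base/domain0/iommu_dma_protection"
    echo none > "$base/domain1/security"
    echo 1 > "$base/domain1/iommu_dma_protection"
    echo "s2idle [deep]" > "$t/sys/power/mem_sleep"
    echo "$t"
}
```

Call `tb_audit` with no argument on a live system; it returns non-zero if any Thunderbolt domain lacks IOMMU-based DMA protection, regardless of the security level configured for that domain.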