Unfixable Thunderbolt flaws "Thunderspy" allow PCs to be unlocked in 5 minutes
New protections have been enabled on new Thunderbolt devices, but these fixes won't impact existing PCs
Published: 11th May 2020 | Source: Thunderspy |
In his paper, Breaking Thunderbolt Protocol Security: Vulnerability Report, security researcher Björn Ruytenberg details the vulnerabilities behind an attack method known as "Thunderspy", which affects almost all devices with Thunderbolt technology. Although exploiting these flaws requires physical access, they are nonetheless a serious concern for Intel and its hardware partners.
Because Thunderbolt is a PCIe-based standard, Thunderbolt devices get Direct Memory Access (DMA) to host memory, which makes them a potential attack vector. In 2019, Intel added additional protections in the form of Kernel Direct Memory Access Protection (KDMAP), but these protections arrived too late for pre-2019 devices and were not implemented by many PC manufacturers in 2019. Unfortunately, KDMAP only provides partial protection from Thunderspy.
With Thunderspy, Björn has uncovered "nine practical exploitation scenarios" for Thunderbolt 1, 2 and 3, which means that all Thunderbolt devices released between 2011 and 2020 are vulnerable. Worse still, these vulnerabilities are likely to affect future Thunderbolt-based standards such as USB4 and Thunderbolt 4, and fixing them will require a silicon redesign.
Below is a summary of Thunderspy, as taken from thunderspy.io, a website dedicated to the vulnerability:
Thunderbolt is a high-bandwidth interconnect promoted by Intel and included in laptops, desktops, and other systems. Being PCIe-based, Thunderbolt devices possess Direct Memory Access (DMA)-enabled I/O. In an evil maid DMA attack, where adversaries obtain brief physical access to the victim system, Thunderbolt has been shown to be a viable entry point in stealing data from encrypted drives and reading and writing all of system memory. In response, Intel introduced Security Levels, a security architecture designed to enable users to authorize trusted Thunderbolt devices only. To further strengthen device authentication, the system is said to provide “cryptographic authentication of connections” to prevent devices from spoofing user-authorized devices.
We present Thunderspy, a series of attacks that break all primary security claims for Thunderbolt 1, 2, and 3. So far, our research has found the following vulnerabilities:
- Inadequate firmware verification schemes
- Weak device authentication scheme
- Use of unauthenticated device metadata
- Downgrade attack using backwards compatibility
- Use of unauthenticated controller configurations
- SPI flash interface deficiencies
- No Thunderbolt security on Boot Camp
These vulnerabilities lead to nine practical exploitation scenarios. In an evil maid threat model and varying Security Levels, we demonstrate the ability to create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices, and finally obtain PCIe connectivity to perform DMA attacks. In addition, we show unauthenticated overriding of Security Level configurations, including the ability to disable Thunderbolt security entirely, and restoring Thunderbolt connectivity if the system is restricted to exclusively passing through USB and/or DisplayPort. We conclude with demonstrating the ability to permanently disable Thunderbolt security and block all future firmware updates.
All Thunderbolt-equipped systems shipped between 2011-2020 are vulnerable. Some systems providing Kernel DMA Protection, shipping since 2019, are partially vulnerable. The Thunderspy vulnerabilities cannot be fixed in software, impact future standards such as USB 4 and Thunderbolt 4, and will require a silicon redesign. Users are therefore strongly encouraged to determine whether they are affected using Spycheck, a free and open-source tool we have developed that verifies whether their systems are vulnerable to Thunderspy. If it is found to be vulnerable, Spycheck will guide users to recommendations on how to help protect their system.
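The page says that Security Levels alone do not stop Thunderspy and that Kernel DMA Protection is only a partial mitigation, and it points readers to Spycheck to find out where their own machine stands. The script below is an added example, not Spycheck and not code from the Thunderspy report: it is a read-only posture check for Linux that uses only what the kernel's thunderbolt driver already exposes under sysfs. It assumes the driver's documented layout (`domain<N>/security`, `domain<N>/iommu_dma_protection`, and a per-device `authorized` attribute) and an assumed root directory so the same functions can be run against a constructed tree; the verdict names are this example's own.

```shell
#!/bin/sh
# Added example: report the Thunderbolt security posture Linux exposes in sysfs.
# Not Spycheck. Assumed sysfs layout (kernel thunderbolt driver):
#   <root>/domain<N>/security              level: none|user|secure|dponly|usbonly|nopcie
#   <root>/domain<N>/iommu_dma_protection  "1" when IOMMU-based Kernel DMA Protection is enforced
#   <root>/<route>/authorized              "0" = no PCIe tunnel allowed, nonzero = authorized
# Verdict follows the page: without Kernel DMA Protection the Security Level does
# not matter against Thunderspy; with it, the system is only partially protected.

# tb_verdict ROOT -> one of: no-thunderbolt | kdmap-partial | vulnerable
tb_verdict() {
    root="$1"
    found=0
    verdict="vulnerable"
    for dom in "$root"/domain*; do
        [ -r "$dom/security" ] || continue      # unmatched glob or no controller here
        found=1
        if [ -r "$dom/iommu_dma_protection" ] && \
           [ "$(cat "$dom/iommu_dma_protection")" = "1" ]; then
            verdict="kdmap-partial"
        else
            verdict="vulnerable"                # one unprotected domain is enough
            break
        fi
    done
    [ "$found" -eq 1 ] || verdict="no-thunderbolt"
    echo "$verdict"
}

# tb_security_levels ROOT -> space-separated "domainN=level" pairs (informational)
tb_security_levels() {
    out=""
    for dom in "$1"/domain*; do
        [ -r "$dom/security" ] || continue
        out="$out$(basename "$dom")=$(cat "$dom/security") "
    done
    echo "${out% }"
}

# tb_authorized_count ROOT -> number of entries whose "authorized" attribute is nonzero
tb_authorized_count() {
    n=0
    for dev in "$1"/*; do
        [ -r "$dev/authorized" ] || continue
        case "$(cat "$dev/authorized")" in
            0) ;;
            *) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# tb_report ROOT -> human-readable summary on stdout, always exits 0
tb_report() {
    root="$1"
    echo "sysfs root:          $root"
    echo "security levels:     $(tb_security_levels "$root")"
    echo "authorized entries:  $(tb_authorized_count "$root")"
    echo "thunderspy verdict:  $(tb_verdict "$root")"
    return 0
}

# Default to the live sysfs tree; TB_SYSFS_ROOT overrides it (e.g. for a constructed tree).
tb_report "${TB_SYSFS_ROOT:-/sys/bus/thunderbolt/devices}"
```

Run it as an ordinary user on a Linux laptop; it writes nothing and only reads attributes. A `vulnerable` verdict means the controller relies on Security Levels alone, which the report shows can be bypassed; `kdmap-partial` means the kernel reports IOMMU-based DMA protection, the mitigation the page describes as partial; `no-thunderbolt` means no Thunderbolt domain was found under the root, which is also what you get on a machine without the driver loaded.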