By John P. Mello Jr.
May 12, 2020 10:32 AM PT

A Dutch researcher on Sunday revealed a novel way to crack into a personal computer through a Thunderbolt port.

The method, dubbed “Thunderspy” by researcher Björn Ruytenberg of Eindhoven University of Technology in the Netherlands, sidesteps the login screen of a sleeping computer, as well as its hard disk encryption, to access all its data.

“Thunderspy is stealth, meaning that you cannot find any traces of the attack,” Ruytenberg wrote in a post on the Thunderspy website. “It does not require your involvement, i.e., there is no phishing link or malicious piece of hardware that the attacker tricks you into using.”

The attack method works even if best security practices are followed by locking or suspending a computer when leaving briefly, and if a system administrator has set up a device with Secure Boot, strong BIOS and operating system account passwords, as well as enabling full disk encryption, he pointed out. “All the attacker needs is 5 minutes alone with the computer, a screwdriver, and some easily portable hardware.”

‘Evil Maid’ Attack

In security parlance, Thunderspy is used to launch an “Evil Maid” attack. Such attacks require that an adversary have physical access to a device.

In the case of Thunderspy, an attacker who has access to a machine can create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices, and obtain PCIe connectivity to perform Direct Memory Access attacks.

An attacker also can perform unauthenticated overrides of security level configurations, including the ability to disable Thunderbolt security entirely and block all future firmware updates.

If Thunderbolt connectivity is turned off, Thunderspy can be used to turn it back on without a user’s knowledge.

All Thunderbolt-equipped systems shipped between 2011-2020 are vulnerable, Ruytenberg wrote — and some systems providing kernel DMA protection, shipping since 2019, are partially vulnerable.

“Computers running macOS are not vulnerable to the most concerning of the attacks — the Direct Memory Access or ‘DMA’ that expose all data in memory — because of the macOS kernel’s Input/Output Memory Management Unit,” said Chris Clements, vice president of solutions architecture at Cerberus Sentinel, a cybersecurity consulting and penetration testing company located in Scottsdale, Arizona.

However, any Apple computers that have been reconfigured purposefully to boot directly to other operating systems, such as Microsoft Windows or Linux, are vulnerable to Thunderspy, he told TechNewsWorld.

“Any Windows or Linux virtual machines running on top of macOS with hypervisor software, such as Parallels or VMWare Fusion, would not be exposed to the vulnerability unless Thunderbolt peripherals are connected directly to the virtual machines themselves,” Clements said.

Thunderspy vulnerabilities cannot be fixed in software. They will impact future standards such as USB 4 and Thunderbolt 4, and will require a silicon redesign, Ruytenberg noted.

Users should download and run a free, open source program he developed, called “Spycheck,” to find out if a system is vulnerable to Thunderspy, he advised.

If a system is vulnerable, the software, which is available at the Thunderspy website, can guide users on how to protect their systems from the Evil Maid attack.

‘Movie-Level Attacks’

“Thunderspy makes ‘movie-level attacks’ possible,” observed Aviram Jenik, CEO of Beyond Security, a developer of automated security testing technologies located in Cupertino, California.

“Remember those scenes where the hacker plugs in a tiny device into a computer port and in a couple of seconds gains full access to the machine? This is now possible,” he told TechNewsWorld.

To exploit Thunderspy, Jenik explained, he would need just a few seconds of physical access to a computer and a small device to install malware that would give him remote access to a target’s computer; do a data dump of its contents, including credentials for accounts; and install a Trojan programmed to ask for further instructions later.

Thunderspy also can be used to impersonate accounts, said Alex Useche, a senior consultant with nVisium, a Falls Church, Virginia-based application security provider.

Users often don’t log out of programs or systems. Once logged in, their accounts remain live.

“Outlook rarely require users to re-enter their credentials,” Useche told TechNewsWorld. “The impact is much more significant if your laptop logs in to the internal network automatically without requiring additional authentication. Then the attackers have access to your company’s data.”

Sensational but Unlikely

Most consumers shouldn’t be too concerned about Thunderspy, maintained Keith McCammon, chief security officer of Red Canary, a cloud-based security services provider located in Denver.

“Consumers have no more reason to fear Thunderspy or other Evil Maid attacks now than they did last month, or last year,” he told TechNewsWorld. “The Evil Maid scenario is a very real concern for a very small percentage of individuals who handle data of extraordinary value or sensitivity. For everyone else, it is sensational but highly unlikely.”

Still, some consumers might feel a little less secure when they take their laptops on the road, Useche said.

“Consumers who misplace and lose their laptops at a public place may often find comfort in the fact that their laptops are at least secured by a password,” he noted. “Thunderspy throws that protection out the window. This is especially true in cases where the only password needed to access a user’s files is the Windows password.”

Super Glue Solution

International travelers may feel a little less secure, too.

“If employees are frequently on the road, they are constantly handing their phones and laptops over to border agents,” observed Hank Schless, senior manager for security solutions at Lookout, a San Francisco-based provider of mobile phishing solutions.

“Sometimes those devices are taken out of sight by an agent and returned in what seems like the same state, but in the case of a mobile phone or tablet it could have easily been jailbroken and had spyware loaded on without the user’s knowledge,” he told TechNewsWorld.

Consumers worried about Thunderspy should disable all ports that aren’t used, Jenik recommended.

“If you do not use Thunderbolt, give serious consideration to blocking it physically by using Super Glue,” he suggested.

Enterprises need to be concerned about Thunderspy, Jenik continued.

“The Enterprise often assumes that the end user does not have full control over the desktop,” he said.

“For example, many enterprises control what can be copied to a USB drive to avoid confidential data leakage, or enforce certain policies by not allowing the user to be the administrator on the machine he is using,” Jenik noted.

“This attack allows someone with physical access to have full control over a machine,” he said, “which means any enterprise user can now gain full access and circumvent any policy rules they wish to circumvent.”

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News. Email John.