A newly disclosed attack lets an adversary steal data from Thunderbolt-equipped Windows or Linux computers, even when the machine is locked and its disk is encrypted, according to security researcher Björn Ruytenberg. Using a technique he calls “Thunderspy,” anyone with physical access to your PC can steal your data in just five minutes with a screwdriver and “easily portable hardware,” he says.
Thunderbolt is extremely fast because it gives attached devices direct access to the PC’s memory (DMA), and that same access is the root of a number of vulnerabilities. Until now, researchers assumed those weaknesses could be mitigated by disallowing access to untrusted devices, or by disabling Thunderbolt altogether while still allowing DisplayPort and USB-C over the same port.
However, Björn’s method steals data even when those settings are enabled: it rewrites the firmware that controls the Thunderbolt port so that any device is allowed to connect. The actual user of the PC would never know that their machine had been altered.
He developed what he calls an “evil maid attack,” in reference to an attacker who gets physical access to a PC left in a hotel room, for instance. “All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate, and the evil maid gets full access to the laptop,” Ruytenberg told Wired. “All of this can be done in under five minutes.”
According to Ruytenberg, the attack requires only about $400 worth of gear, including an SPI programmer and a $200 Thunderbolt peripheral. The whole thing could be built into a single small device. “Three-letter agencies would have no problem miniaturizing this,” Ruytenberg said.
Intel already has a mitigation, called Kernel Direct Memory Access Protection, that would stop Ruytenberg’s Thunderspy attack. The sad part is that this protection is only available on computers made in 2019 and later, so prior models remain vulnerable. In addition, many PCs manufactured in 2019 and later by Dell, HP, and Lenovo aren’t protected, either.
As for Apple users, Ruytenberg confirmed that macOS is safe from this attack unless the Mac is running Boot Camp. The researchers disclosed the vulnerabilities to Intel on February 10th, 2020, and to Apple on April 17th. They also released a tool called Spycheck that tells you whether your system is vulnerable to this threat.
To protect yourself, you should “avoid leaving your system unattended while powered on, even if the screen is locked,” Ruytenberg wrote, avoid using sleep mode, and ensure the physical security of your Thunderbolt peripherals.
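For Linux users who want a quick self-check along the lines of what the article describes, the kernel already exposes the two facts that matter: the Thunderbolt security level (the “allow only trusted devices” or “DisplayPort/USB only” settings that Thunderspy bypasses) and whether IOMMU-based DMA protection, the mitigation the article calls Kernel DMA Protection, is active. The script below is an added example, not the article’s and not Ruytenberg’s Spycheck tool. It relies on the documented sysfs attributes `security` and `iommu_dma_protection` under `/sys/bus/thunderbolt/devices/domain*/`; the verdict labels (`dma-protected`, `sl-only`, `unprotected`, `no-thunderbolt`) are this example’s own, and the functions take a sysfs root as an argument so they can be run against a constructed directory tree as well as the live `/sys`.

```shell
#!/bin/sh
# Added example: report whether a Linux host relies on Thunderbolt security
# levels alone (bypassed by a firmware rewrite) or has IOMMU DMA protection.
# Assumed sysfs layout (as documented for the Linux Thunderbolt driver):
#   <root>/bus/thunderbolt/devices/domainN/security
#       one of: none | user | secure | dponly | usbonly | nopcie
#   <root>/bus/thunderbolt/devices/domainN/iommu_dma_protection
#       1 when the kernel enforces IOMMU-based DMA protection, else 0

# tb_domain_verdict DOMAIN_DIR
# Prints one word for a single Thunderbolt domain (verdict names are ours):
#   dma-protected : IOMMU DMA protection is on (Kernel DMA Protection)
#   sl-only       : only a security level guards the port; a firmware
#                   rewrite that resets it to "none" defeats this
#   unprotected   : security level "none" (or unreadable) and no IOMMU
tb_domain_verdict() {
    dom="$1"
    sec=$(cat "$dom/security" 2>/dev/null || echo unknown)
    iommu=$(cat "$dom/iommu_dma_protection" 2>/dev/null || echo 0)
    if [ "$iommu" = 1 ]; then
        echo dma-protected
    elif [ "$sec" = none ] || [ "$sec" = unknown ]; then
        echo unprotected
    else
        echo sl-only
    fi
}

# tb_assess [SYSFS_ROOT]
# Prints the worst verdict across all Thunderbolt domains under SYSFS_ROOT
# (default /sys), or "no-thunderbolt" when the host exposes no domain.
# Always returns 0 so it can be used safely inside $(...) with set -e.
tb_assess() {
    root="${1:-/sys}"
    worst=no-thunderbolt
    for dom in "$root"/bus/thunderbolt/devices/domain*; do
        [ -d "$dom" ] || continue
        v=$(tb_domain_verdict "$dom")
        case "$v" in
            unprotected)
                worst=unprotected ;;
            sl-only)
                if [ "$worst" != unprotected ]; then worst=sl-only; fi ;;
            dma-protected)
                if [ "$worst" = no-thunderbolt ]; then worst=dma-protected; fi ;;
        esac
    done
    echo "$worst"
    return 0
}

# Stand-alone usage: report the live host.
printf 'thunderbolt DMA protection: %s\n' "$(tb_assess /sys)"
```

A result of `sl-only` is the situation the article warns about: the port looks locked down, but the protection lives in firmware that a physical attacker can rewrite, so the advice about not leaving the machine powered on and unattended still applies in full.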