‘Thunderspy’ – not a film title, but a defect that could allow Data Theft from Encrypted Drives

‘Thunderspy’ – not a film title, but a defect that could allow Data Theft from Encrypted Drives

If an attacker has physical access to a machine, a new attack could allow access of data on a locked, password protected, & encrypted hard drive.

A small number of defects in Intel’s Thunderbolt hardware port, something present on millions of computers produced after 2011, could open the window to data theft.

Locked

A new attack threat called Thunderspy, revealed Sunday night, could make it possible for an attacker to actually bypass the login screen of a sleeping or locked Apple, Linux & Windows computer & access data.

It must be noted that whilst far-reaching, an attack would need physical access to a machine, meaning the vulnerability may not be within everyone’s threat horizon.

7 Vulnerabilities

Outlines Björn Ruytenberg, a computer science master’s student at Eindhoven University of Technology in Holland, who discovered the issues, there are a total of 7 vulnerabilities:-

  1. Inadequate firmware verification schemes
  2. Weak device authentication scheme
  3. Use of unauthenticated device metadata
  4. Downgrade attack using backwards compatibility
  5. Use of unauthenticated controller configurations
  6. SPI flash interface deficiencies
  7. No Thunderbolt security on Boot Camp

Intel

Ruytenberg did inform Intel of all of these vulnerabilities – Intel replied it was only aware of two of them – on Feb. 10. The company confirmed the researcher’s findings 1 month later, on March 10, & a further vulnerability on March 17. He let Apple know of the final vulnerability on April 17.

Producing a video that demonstrates proof,  in which Rutenberg has to unscrew the back-plate of a Thinkpad & attach a SPI programmer, & a Thunderbolt peripheral to dismantle the machine’s security settings. Ruytenberg explained further via Twitter that another attack could involve gaining access to a device, & then cloning its identity, something it is claimed would only take 5 minutes.

Stealth

Ruytenberg has explained he has identified 9 real-world scenarios in which an attacker could exploit the vulnerability to get access to a system, & says its “stealth”, meaning that you cannot find any residual traces of the attack. “If interrupted, a user may believe that something is wrong if their laptop is cracked open, if granted enough time, but the attack sounds theoretical.”

Apple Macs running macOS are only “partly affected” by Thunderspy. Much more likely is a vulnerability to an attack e.g. BadUSB, a 2014 attack that depends on a weakness in the firmware that controls how devices with USB drives operate. Retina MacBooks are not affected.

Thunderbolt

Thunderbolt, which is a proprietary connectivity standard, has had some issues. During 2019 researchers showed how, by using direct-memory access (DMA) Thunderbolt accessories are granted, an attack called Thunderclap – a number of vulnerabilities – could make a machine vulnerable.

That attack could be by a USB Type-C connector, DisplayPort connector, compromised PCI Express peripherals, plug-in card, or chip soldered to the motherboard.

Evil Maid

Ruytenberg’s attack is referred to as an ‘Evil Maid’ sort of attack, a method revealed in 2009 by Joanna Rutkowska, a Polish computer security researcher. This means a physical attack on a computing device without the user’s knowledge. Back then, Rutkowska produced a tool which showed how an attacker could use a USB tool in order to defeat full disk encryption.

This colourful name describes that attacks such as this are “plug-and-exploit,” require just a few minutes, & could be carried out by a ‘hypothetical maid’.

Kernel

Intel on Sunday does not agree that Thunderspy is a new vulnerability. It suggests the underlying vulnerability was handled in operating systems by the implementation of Kernel Direct Memory Access in 2019. The Company suggests Ruytenberg just used a “a customized peripheral device on systems that did not have these mitigations enabled.” As WIRED mentioned, not all machines has Kernel DMA present; it’s just absent on machines released before 2019.

A little involved, but one more thing for professionals to ‘take on board’.

 

SHARE ARTICLE