Dutch security researcher exposes Thunderbolt flaw in most pre-2019 PCs

The Thunderspy exploit shows Thunderbolt’s greatest strength is also its greatest weakness.

Most users' security concerns focus on networks and applications, but even after 10 years of hardware-level threat mitigation, the good old "evil maid" – jargon for someone with malicious intent who has physical access to an unattended computer –  continues to pose a threat. Case in point: a recently published Thunderbolt exploit dubbed "Thunderspy."

Dutch security researcher Björn Ruytenberg has shown that Thunderbolt 3 devices are open for exploitation by attackers who have a few minutes alone with their target machines and are equipped with inexpensive, readily available equipment.

Ruytenberg's work is notable because it shows that despite all the work that Intel has done to prevent Thunderbolt devices from connecting without user authorization  and the resulting promises of security it has made to PC users, a whole generation of PCs is open to this exploit.

Anti-tampering efforts have a long history

Over the years, hardware and software manufacturers have gone to great lengths to protect desktops and laptops from physical intrusion. A range of methods have contributed to reducing the chance that physical access to a device enables access to the contents of its storage. These include BIOS passwords, verification of BIOS integrity on boot (such as Intel BootGuard) and full disk encryption.

In the past few years,though, there have been a number of demonstrations that show how existing protections can be defeated or circumvented. Many of those rely on preventable vulnerabilities such as errors in firmware, configuration or faulty drivers. Ruytenberg, a developer and a Master of Science degree candidate at Eindhoven University of Technology and Radboud Univeristy, has shown that even in the absence of all of those, a system can still be open for exploitation – if it features a Thunderbolt 3 port.

Thunderbolt is Intel's high-speed interface, developed together with Apple as a successor to FireWire and based on the PCI-express interface. Thunderbolt benefits from direct memory access (DMA), enabling higher speeds than any other external interface, and currently delivers up to 40 gigabits/s using a maximum of four PCI-e lanes.

Here's how Thunderspy works

In a technical summary and video, Ruytenberg shows how to use a Thunderbolt device to bypass the Windows lockscreen on a vulnerable laptop, allowing access to all data and applications. The entire attack takes about two minutes and requires about US$400 worth of equipment. This includes physically opening and closing the laptop, although this is only one of two methods described. The other one only requires access to a Thunderbolt device used on the target laptop.

In both cases, the crucial part is not so much bypassing the lockscreen (which is done using an exploit) but gaining access to data in temporary memory in the first place --  possible thanks to Thunderbolt's direct memory access.

tb3 controller architecture alpine ridge Björn Ruytenberg

Thunderbolt controller hardware architecture, as experimentally derived by Björn Ruytenberg.

The first approach, which requires opening the case and using a so-called SPI Flash reader/writer, shows how to lower the Thunderbolt port's security level (SL) to zero, effectively allowing interfacing with any Thunderbolt device. The second requires copying a Thunderbolt device's unique UUID and identification code into the attack device – if a security level higher than 1 has been set on the target device. If not, merely copying the device's UUID suffices.

With either method, the attacker can bypass the Thunderbolt security-level defense, and once that has been accomplished, they can use a prepared Thunderbolt device to run malicious software directly in the memory of the target device. In Ruytenberg's demonstration, this involved bypassing the Windows lockscreen, after which all of the device's contents are accessible. An attacker can examine, copy or change files to their heart's delight, install a backdoor or other malware, and leave without a trace showing on the affected device. Hence the name of the exploit: Thunderspy.

From Thunderclap to Thunderspy

Ruytenberg is not the first to demonstrate how the high level of system access Thunderbolt provides can be exploited. Early last year a team of researchers documented a series of exploits called Thunderclap, which similarly demonstrated how an attacker could gain access to the contents of system memory via a Thunderbolt peripheral. The vulnerabilities demonstrated in Thunderclap however were mitigated by Thunderbolt's security levels, part of the standard since version 2.

Ruytenberg's exploit however completely circumvents these security levels  – as mentioned above, by either resetting them to 0 or through cloning a device UUID and the 64-bit code of a trusted device into an attack device. Even though the latter method requires access to a Thunderbolt device that has been used with the target computer, "the information is stored in plain-text in the device," says Ruytenberg; this makes it easy to find and copy. Moreover, the exploit is transparent to the end user – i.e., unless you specifically look for it, you probably will not notice your laptop's Thunderbolt settings have been tampered with.

There is a fix – or is there?

Even though it's notable that device UUIDs as well as the hashes for higher security levels can be tampered with, the most remarkable thing about Ruytenberg's demonstration is not how easy it is to circumvent the Thunderbolt security levels – it's that this hack is still possible at all.

The vulnerability created by hardware with direct memory access is nothing new – in fact, it was addressed as far back as 2009 by Intel with the introduction of the IOMMU, or Input/Output Memory Management Unit, which prevents devices from accessing memory other than an assigned segment. Even if software support for this feature was initially lagging – possibly due to the high impact on performance – by now it is a standard staple of any secure system and essential for secure virtualization.

The IOMMU, however, originally did not extend to Thunderbolt, until the Thunderclap exploit – after which Intel duly corrected the omission with the so-called Kernel DMA Protection feature, which extends DMA boundaries to Thunderbolt devices. With Kernel DMA Protection in place, Thunderbolt vulnerabilities are limited to the same type of exploits as so-called "BadUSB" threats -- devices with malicious code that can modify software on the host computer. BadUSB exploits, disclosed in 2014 by Karsten Nohl and Jakob Lell, remain possible but complex and easier to counter through standard endpoint security.

Crucially, Kernel DMA Protection requires operating system support – which Microsoft duly announced in Windows 10 version 1803, and Linux effectively included it from version 5 – as well as support in the system's BIOS.

The last part is where Ruytenberg's exploit really hits home: the various OEM device manufacturers appear to have been less than diligent in implementing the requisite microcode in their systems' BIOS's. Ruytenberg told us that even systems manufactured as late as early 2020 could be exploited. Only a handful had Kernel DMA Protection enabled.

For Macs, Bootcamp users are at risk

Apple's approach to this issue is in character; in MacOS most of the Thunderspy vulnerabilities are not an issue. Although the Apple OS's whitelist of allowed devices can be circumvented through manipulating the device ID, MacOS also has a version of Kernel DMA Protection, preventing devices from accessing memory outside of their assigned region and effectively limiting the damage an attacker might do. So far so good, but any user using Bootcamp is at risk, as Bootcamp does not implement the Thunderbolt security levels at all, nor is Kernel DMA Protection supported under other operating systems such as Windows and Linux.

While the Thunderspy exploit requires "about 400 dollars in hardware," according to Ruytenberg, he adds that  "with about 10,000 dollars you could miniaturize this." While a substantial sum, this is hardly out of reach for a criminal organization making a concerted effort to obtain sensitive data from, say, hotel guests. "It is relatively simple to do," Ruytenberg notes.

This vulnerability, however, is not going to affect everyone. Most of all, any device without a Thunderbolt port is perfectly safe from this particular attack – which covers the majority of systems sold so far, as it is a high-end feature found only on expensive systems. Anyone who does have a Thunderbolt-equipped system should definitely check whether their system is vulnerable (Ruytenberg provides tools to do so at the Thunderspy site).

Of recent systems with Intel's 10th generation processors, those based on Ice Lake models appear more likely to be safe than those based on the older but more powerful Comet Lake architecture. This is because Ice Lake has most of the Thunderbolt logic integrated into the CPU itself, with the controller not appearing to contain security-related information, according to Ruytenberg. This might be a topic for future research.

How to mitigate Thunderspy

Those with an affected system can check for a BIOS update and should make sure they are running the latest available version of their operating system. If Kernel DMA Protection cannot be enabled, it depends on the user how far to go to take defensive measures. Not bundling trusted accessories with the system should be considered, as well as changing the default security level to one where every device needs to be re-authenticated on use. Preventing the case from being easily opened would be another option. The safest course would be to disable Thunderbolt altogether in the BIOS.

Even with Kernel DMA access, Thunderbolt poses an inherent risk, says Ruytenberg – simply because of the characteristic that is integral to the standard. Its direct memory access delivers its greatest strength of top-notch performance, but it is also the vector for its greatest weakness, potentially allowing access to parts of memory that should be off-limits. "A weak driver and some specialist but off-the-shelf hardware may be all it takes," says Ruytenberg.

This is concerning because Thunderbolt is becoming a lot more ubiquitous these days. Not only is it an integral part of "Ice Lake," but its role will grow as Intel ramps up production for its 10nm process node. Moreover, USB 4 is essentially Thunderbolt 3 with bells and whistles: It will support a more up-to-date video interface, but the basis is identical. While slower, USB 3 is not vulnerable to Thunderspy, as it features neither security levels nor the direct memory access to necessitate those. As mentioned, it is of course vulnerable to Bad USB attacks.

Hardware makers respond

Intel, which was approached by Ruytenberg before he publicised his findings earlier this month, acknowledged in a blog that while the underlying vulnerability was remedied in operating system releases last year, Ruytenberg "demonstrated new potential physical attack vectors using a customized peripheral device on systems that did not have these mitigations enabled."

In a statement, Dell said that it is aware of Thunderspy. "Dell Client Consumer and Commercial platforms that shipped starting in 2019 have Kernel DMA protection when SecureBoot is enabled. This offers protection from 'Thunderspy' per Intel guidance," it said. "Windows-based Dell platforms have Kernel DMA Protection support enabled by default (Windows 10 version 1803 onwards). Since this attack requires physical access, we recommend customers follow security best practices and prevent unauthorized physical access to devices."

HP's statement was less specific, and did not mention Kernel DMA Protection support: "We constantly monitor the security landscape and value work that helps us identify new potential threats. Our existing security bulletin provides home PC mitigations for open case DMA pre-boot type attacks. It's important to remember that such attacks require physical access to the device. The security of our customers is always a top priority and we always encourage people to keep their systems up to date."

Lenovo had a similar response: "Lenovo integrates the latest Intel technologies as they become available. Lenovo is assessing Thunderspy with our partners and will communicate with customers as appropriate. It’s important to remember this attack requires physical access, so customers should follow best security practices including the use of only trusted peripherals and preventing unauthorized physical access to computers."

Responses from Acer and Asus were not immediately available.

Copyright © 2020 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon