ESET publishes a guide for navigating the risks from vulnerabilities in the Thunderbolt interface

BRATISLAVA – ESET has published a comprehensive overview of risks stemming from Thunderspy, a series of vulnerabilities in Thunderbolt technology, and possible protections. Via Thunderspy, an attacker can change – possibly even remove – the security measures of the Thunderbolt interface on a computer. As a result, an attacker with physical access to the target computer can steal data from it, even if full disk encryption is used and the machine is locked with a password or sleeping in low-power mode.

Thunderspy was discovered by Björn Ruytenberg, a computer security researcher, in May 2020. “While Ruytenberg’s research has received publicity because of its novel attack vector, not much has been said about how to protect against Thunderspy, or even determine whether you have been a victim,” points out Aryeh Goretsky, ESET Distinguished Researcher.

In his article “Thunderspy attacks: What they are, who’s at greatest risk and how to stay safe,” Goretsky briefly explains the technical background for Thunderspy but focuses primarily on practical methods to defend against it.

Thunderbolt-based attacks are very rare because they are, by their nature, highly targeted. “The fact a typical user will not get into an attacker’s crosshairs doesn’t mean everyone is safe. For many, following some of the admittedly draconian recommendations we describe in our article really makes sense,” comments Goretsky.

There are two types of attacks against the security that Thunderbolt relies on to maintain the integrity of a computer. The first is cloning the identities of Thunderbolt devices that are already trusted and allowed by the computer. The second is to permanently disable Thunderbolt security so that it cannot be re-enabled.

“The cloning attack is like thieves who steal a key and copy it. Afterwards, they can use the copied key repeatedly to open that lock. The second attack is a form of bricking a chip. In this case, permanently disabling Thunderbolt’s security levels and write-protecting the changes so they cannot be undone,” explains Goretsky.

Neither type of attack is done simply, since actual in-person access to the target computer is required, along with the tools to disassemble the computer, attach a logic programmer, read the firmware from the SPI flash ROM chip, disassemble and modify its instructions, and write it back to the chip. Such attacks are a type of “evil maid attack,” implying the scenario of the attacker entering a hotel room while the victim is not present to conduct the attack.

The necessity to physically tamper with the computer limits the range of potential victims to high-value targets. Some may be pursued by nation-state intelligence or law enforcement agencies, but also business executives, engineers, administrative personnel or even frontline employees may be targets of opportunity if the attacker has some commercial motive, such as industrial espionage. Under oppressive regimes, politicians, NGOs and journalists are also possible targets for advanced threats like Thunderspy.To defend against Thunderspy, just like any other hardware attacks requiring physical access to the system, it’s important to decide whether the goal of the defense is to make it evident that a physical attack occurred, or to protect against it.

Protection methods against Thunderspy attacks may be divided into separate categories. “First, prevent any unauthorized access to your computer. Second, secure all your computer’s relevant interfaces and ports, such as USB-C. Besides that, look beyond physical measures and also take steps to make your computer’s firmware and software more secure,” summarizes Goretsky.

The article “Thunderspy attacks: What they are, who’s at greatest risk and how to stay safe” contains many practical pieces of advice on improving the security against the theft of data by Thunderspy, including one that stands out as simple yet relatively powerful.

“Disable hibernation, sleep or other hybrid shutdown modes. Make the computer turn completely off when not in use – doing this can prevent attacks on the computer’s memory via Thunderspy,” recommends Goretsky.

Aside from all other security measures, users employ security software from a reputable provider that can scan the computer’s UEFI firmware, one of the locations where Thunderbolt security information is stored.

For more information, please read “Thunderspy attacks: What they are, who’s at greatest risk and how to stay safe” at WeLiveSecurity.com.