Thunderspy

Last updated

Thunderspy
Thunderspy-logo.png
A logo created for the vulnerability, featuring an image of a spy
CVE identifier(s) CVE- 2020-????
Date discoveredMay 2020;4 years ago (2020-05)
Date patched2019 via Kernel DMA Protection
DiscovererBjörn Ruytenberg
Affected hardwareComputers manufactured before 2019, and some after that, having the Intel Thunderbolt 3 (and below) port. [1]
Website thunderspy.io

Thunderspy is a type of security vulnerability, based on the Intel Thunderbolt 3 port, first reported publicly on 10 May 2020, that can result in an evil maid (i.e., attacker of an unattended device) attack gaining full access to a computer's information in about five minutes, and may affect millions of Apple, Linux and Windows computers, as well as any computers manufactured before 2019, and some after that. [1] [2] [3] [4] [5] [6] [7] [8]

Contents

According to Björn Ruytenberg, the discoverer of the vulnerability, "All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate, and the evil maid gets full access to the laptop. All of this can be done in under five minutes." [1] The malicious firmware is used to clone device identities which makes classical DMA attack possible. [4]

History

The Thunderspy security vulnerabilities were first publicly reported by Björn Ruytenberg of Eindhoven University of Technology in the Netherlands on 10 May 2020. [9] Thunderspy is similar to Thunderclap, [10] [11] another security vulnerability, reported in 2019, that also involves access to computer files through the Thunderbolt port. [8]

Impact

The security vulnerability affects millions of Apple, Linux and Windows computers, as well as all computers manufactured before 2019, and some after that. [1] [3] [4] However, this impact is restricted mainly to how precise a bad actor would have to be to execute the attack. Physical access to a machine with a vulnerable Thunderbolt controller is necessary, as well as a writable ROM chip for the Thunderbolt controller's firmware. [4] Additionally, part of Thunderspy, specifically the portion involving re-writing the firmware of the controller, requires the device to be in sleep, [4] or at least in some sort of powered-on state, to be effective. [12] Machines that force power-off when the case is open may assist in resisting this attack to the extent that the feature (switch) itself resists tampering.

Due to the nature of attacks that require extended physical access to hardware, it's unlikely the attack will affect users outside of a business or government environment. [12] [13]

Mitigation

The researchers claim there is no easy software solution, and may only be mitigated by disabling the Thunderbolt port altogether. [1] However, the impacts of this attack (reading kernel level memory without the machine needing to be powered off) are largely mitigated by anti-intrusion features provided by many business machines. [14] Intel claims enabling such features would substantially restrict the effectiveness of the attack. [15] Microsoft's official security recommendations recommend disabling sleep mode while using BitLocker. [16] Using hibernation in place of sleep mode turns the device off, mitigating potential risks of attack on encrypted data.

Related Research Articles

<span class="mw-page-title-main">BIOS</span> Firmware for hardware initialization and OS runtime services

In computing, BIOS is firmware used to provide runtime services for operating systems and programs and to perform hardware initialization during the booting process. The firmware comes pre-installed on the computer's motherboard.

<span class="mw-page-title-main">Privilege escalation</span> Gaining control of computer privileges beyond what is normally granted

Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application or user with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

<span class="mw-page-title-main">Wireless security</span> Aspect of wireless networks

Wireless security is the prevention of unauthorized access or damage to computers or data using wireless networks, which include Wi-Fi networks. The term may also refer to the protection of the wireless network itself from adversaries seeking to damage the confidentiality, integrity, or availability of the network. The most common type is Wi-Fi security, which includes Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP is an old IEEE 802.11 standard from 1997. It is a notoriously weak security standard: the password it uses can often be cracked in a few minutes with a basic laptop computer and widely available software tools. WEP was superseded in 2003 by WPA, a quick alternative at the time to improve security over WEP. The current standard is WPA2; some hardware cannot support WPA2 without firmware upgrade or replacement. WPA2 uses an encryption device that encrypts the network with a 256-bit key; the longer key length improves security over WEP. Enterprises often enforce security using a certificate-based system to authenticate the connecting device, following the standard 802.11X.

<span class="mw-page-title-main">Trusted Platform Module</span> Standard for secure cryptoprocessors

Trusted Platform Module (TPM) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. The term can also refer to a chip conforming to the standard ISO/IEC 11889. Common uses are to verify platform integrity, and to store disk encryption keys.

<span class="mw-page-title-main">Apple–Intel architecture</span> Unofficial name used for Macintosh models that use Intel x86 processors

The Apple–Intel architecture, or Mactel, is an unofficial name used for Macintosh personal computers developed and manufactured by Apple Inc. that use Intel x86 processors, rather than the PowerPC and Motorola 68000 ("68k") series processors used in their predecessors or the ARM-based Apple silicon SoCs used in their successors. As Apple changed the architecture of its products, they changed the firmware from the Open Firmware used on PowerPC-based Macs to the Intel-designed Extensible Firmware Interface (EFI). With the change in processor architecture to x86, Macs gained the ability to boot into x86-native operating systems, while Intel VT-x brought near-native virtualization with macOS as the host OS.

<span class="mw-page-title-main">BitLocker</span> Disk encryption software for Microsoft Windows

BitLocker is a full volume encryption feature included with Microsoft Windows versions starting with Windows Vista. It is designed to protect data by providing encryption for entire volumes. By default, it uses the Advanced Encryption Standard (AES) algorithm in cipher block chaining (CBC) or "xor–encrypt–xor (XEX)-based Tweaked codebook mode with ciphertext Stealing" (XTS) mode with a 128-bit or 256-bit key. CBC is not used over the whole disk; it is applied to each individual sector.

Insyde Software is a company that specializes in UEFI system firmware and engineering support services, primarily for OEM and ODM computer and component device manufacturers. They are listed on the Gre Tai Market of Taiwan and headquartered in Taipei, with offices in Westborough, Massachusetts, and Portland, Oregon.

<span class="mw-page-title-main">Intel vPro</span> Umbrella marketing term by Intel

Intel vPro technology is an umbrella marketing term used by Intel for a large collection of computer hardware technologies, including VT-x, VT-d, Trusted Execution Technology (TXT), and Intel Active Management Technology (AMT). When the vPro brand was launched, it was identified primarily with AMT, thus some journalists still consider AMT to be the essence of vPro.

<span class="mw-page-title-main">Intel Active Management Technology</span> Out-of-band management platform

Intel Active Management Technology (AMT) is hardware and firmware for remote out-of-band management of select business computers, running on the Intel Management Engine, a microprocessor subsystem not exposed to the user, intended for monitoring, maintenance, updating, and repairing systems. Out-of-band (OOB) or hardware-based management is different from software-based management and software management agents.

Thunderbolt is the brand name of a hardware interface for the connection of external peripherals to a computer. It was developed by Intel in collaboration with Apple. It was initially marketed under the name Light Peak, and first sold as part of an end-user product on 24 February 2011.

A DMA attack is a type of side channel attack in computer security, in which an attacker can penetrate a computer or other device, by exploiting the presence of high-speed expansion ports that permit direct memory access (DMA).

<span class="mw-page-title-main">Intel Management Engine</span> Autonomous computer subsystem

The Intel Management Engine (ME), also known as the Intel Manageability Engine, is an autonomous subsystem that has been incorporated in virtually all of Intel's processor chipsets since 2008. It is located in the Platform Controller Hub of modern Intel motherboards.

JASBUG is a security bug disclosed in February 2015 and affecting core components of the Microsoft Windows Operating System. The vulnerability dated back to 2000 and affected all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

<span class="mw-page-title-main">Vault 7</span> CIA files on cyber war and surveillance

Vault 7 is a series of documents that WikiLeaks began to publish on 7 March 2017, detailing the activities and capabilities of the United States Central Intelligence Agency (CIA) to perform electronic surveillance and cyber warfare. The files, dating from 2013 to 2016, include details on the agency's software capabilities, such as the ability to compromise cars, smart TVs, web browsers including Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera, the operating systems of most smartphones including Apple's iOS and Google's Android, and computer operating systems including Microsoft Windows, macOS, and Linux. A CIA internal audit identified 91 malware tools out of more than 500 tools in use in 2016 being compromised by the release. The tools were developed by the Operations Support Branch of the CIA.

<span class="mw-page-title-main">Meltdown (security vulnerability)</span> Microprocessor security vulnerability

Meltdown is one of the two original speculative execution CPU vulnerabilities. Meltdown affects Intel x86 microprocessors, IBM Power microprocessors, and some ARM-based microprocessors. It allows a rogue process to read all memory, even when it is not authorized to do so.

<span class="mw-page-title-main">Spectre (security vulnerability)</span> Processor security vulnerability

Spectre is one of the two original speculative execution CPU vulnerabilities, which involve microarchitectural side-channel attacks. These affect modern microprocessors that perform branch prediction and other forms of speculation. On most processors, the speculative execution resulting from a branch misprediction may leave observable side effects that may reveal private data to attackers. For example, if the pattern of memory accesses performed by such speculative execution depends on private data, the resulting state of the data cache constitutes a side channel through which an attacker may be able to extract information about the private data using a timing attack.

<span class="mw-page-title-main">Evil maid attack</span> Type of computer security breach

An evil maid attack is an attack on an unattended device, in which an attacker with physical access alters it in some undetectable way so that they can later access the device, or the data on it.

<span class="mw-page-title-main">Ang Cui</span> American computer scientist

Ang Cui is an American cybersecurity researcher and entrepreneur. He is the founder and CEO of Red Balloon Security in New York City, a cybersecurity firm that develops new technologies to defend embedded systems against exploitation.

<span class="mw-page-title-main">Microarchitectural Data Sampling</span> CPU vulnerabilities

The Microarchitectural Data Sampling (MDS) vulnerabilities are a set of weaknesses in Intel x86 microprocessors that use hyper-threading, and leak data across protection boundaries that are architecturally supposed to be secure. The attacks exploiting the vulnerabilities have been labeled Fallout, RIDL, ZombieLoad., and ZombieLoad 2.

Transient execution CPU vulnerabilities are vulnerabilities in which instructions, most often optimized using speculative execution, are executed temporarily by a microprocessor, without committing their results due to a misprediction or error, resulting in leaking secret data to an unauthorized party. The archetype is Spectre, and transient execution attacks like Spectre belong to the cache-attack category, one of several categories of side-channel attacks. Since January 2018 many different cache-attack vulnerabilities have been identified.

References

  1. 1 2 3 4 5 Greenberg, Andy (10 May 2020). "Thunderbolt Flaws Expose Millions of PCs to Hands-On Hacking - The so-called Thunderspy attack takes less than five minutes to pull off with physical access to a device, and it affects any PC manufactured before 2019". Wired . Archived from the original on 11 May 2020. Retrieved 11 May 2020.
  2. Porter, Jon (11 May 2020). "Thunderbolt flaw allows access to a PC's data in minutes - Affects all Thunderbolt-enabled PCs manufactured before 2019, and some after that". The Verge . Archived from the original on 11 May 2020. Retrieved 11 May 2020.
  3. 1 2 Doffman, Zak (11 May 2020). "Intel Confirms Critical New Security Problem For Windows Users". Forbes . Archived from the original on 12 May 2020. Retrieved 11 May 2020.
  4. 1 2 3 4 5 Ruytenberg, Björn (2020). "Thunderspy: When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security". Thunderspy.io. Archived from the original on 11 May 2020. Retrieved 11 May 2020.
  5. Kovacs, Eduard (11 May 2020). "Thunderspy: More Thunderbolt Flaws Expose Millions of Computers to Attacks". SecurityWeek.com. Retrieved 11 May 2020.
  6. O'Donnell, Lindsey (11 May 2020). "Millions of Thunderbolt-Equipped Devices Open to 'ThunderSpy' Attack". ThreatPost.com. Archived from the original on 11 May 2020. Retrieved 11 May 2020.
  7. Wyciślik-Wilson, Sofia (11 May 2020). "Thunderspy vulnerability in Thunderbolt 3 allows hackers to steal files from Windows and Linux machines". BetaNews.com. Archived from the original on 11 May 2020. Retrieved 11 May 2020.
  8. 1 2 Gorey, Colm (11 May 2020). "Thunderspy: What you need to know about unpatchable flaw in older PCs". SiliconRepublic.com. Archived from the original on 18 May 2020. Retrieved 12 May 2020.
  9. Ruytenberg, Björn (17 April 2020). "Breaking Thunderbolt Protocol Security: Vulnerability Report. 2020" (PDF). Thunderspy.io. Archived (PDF) from the original on 11 May 2020. Retrieved 11 May 2020.
  10. Staff (26 February 2019). "Thunderclap: Modern computers are vulnerable to malicious peripheral devices" . Retrieved 12 May 2020.
  11. Gartenberg, Chaim (27 February 2019). "'Thunderclap' vulnerability could leave Thunderbolt computers open to attacks - Remember: don't just plug random stuff into your computer". The Verge . Retrieved 12 May 2020.
  12. 1 2 Grey, Mishka (13 May 2020). "7 Thunderbolt Vulnerabilities Affect Millions of Devices: 'Thunderspy' Allows Physical Hacking in 5 Minutes - Do you own a Thunderbolt equipped laptop, and have bought it after 2011? Well, we've news for YOU. 7 newly discovered Intel Thunderbolt vulnerabilities have exposed your device to hackers. Learn what to do?". HackReports.com. Archived from the original on 4 August 2020. Retrieved 18 May 2020.
  13. codeHusky (11 May 2020). "Video (11:01) - Thunderspy is nothing to worry about - Here's why". YouTube . Archived from the original on 19 June 2020. Retrieved 12 May 2020.
  14. Staff (26 March 2019). "Kernel DMA Protection for Thunderbolt™ 3 (Windows 10) - Microsoft 365 Security". Microsoft Docs. Archived from the original on 22 April 2020. Retrieved 17 May 2020.
  15. Jerry, Bryant (10 May 2020). "More Information on Thunderbolt(TM) Security - Technology@Intel". Archived from the original on 15 May 2020. Retrieved 17 May 2020.
  16. "BitLocker Security FAQ (Windows 10) - Windows security".
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.