Thunderspy (security vulnerability)


Thunderspy
A logo created for the vulnerability, featuring an image of a spy
CVE identifier(s): CVE-2020-????
Date discovered: May 2020
Date patched: 2019 via Kernel DMA Protection
Discoverer: Björn Ruytenberg
Affected hardware: Computers manufactured before 2019, and some after that, having the Intel Thunderbolt port. [1]
Website: thunderspy.io

Thunderspy is a type of security vulnerability, based on the Intel Thunderbolt port, first reported publicly on 10 May 2020, that can result in an evil maid attack (i.e., an attack on an unattended device) gaining full access to a computer's information in about five minutes, and may affect millions of Apple, Linux and Windows computers, as well as any computers manufactured before 2019, and some after that. [1] [2] [3] [4] [5] [6] [7] [8] According to Björn Ruytenberg, the discoverer of the vulnerability, "All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate, and the evil maid gets full access to the laptop. All of this can be done in under five minutes." [1]


History

The Thunderspy security vulnerabilities were first publicly reported by Björn Ruytenberg of Eindhoven University of Technology in the Netherlands on 10 May 2020. [9] Thunderspy is similar to Thunderclap, [10] [11] another security vulnerability, reported in 2019, that also involves access to computer files through the Thunderbolt port. [8]

Impact

The security vulnerability affects millions of Apple, Linux and Windows computers, as well as all computers manufactured before 2019, and some after that. [1] [3] [4] However, this impact is restricted mainly by how precise a bad actor would have to be to execute the attack. Physical access to a machine with a vulnerable Thunderbolt controller is necessary, as well as a writable ROM chip for the Thunderbolt controller's firmware. [4] Since ROM chips can come in a BGA format, this is not always possible. [citation needed] Additionally, part of Thunderspy, specifically the portion involving re-writing the firmware of the controller, requires the device to be in sleep, [4] or at least in some sort of powered-on state, to be effective. [12] Since some business machines feature intrusion detection features that cause the machine to power down the moment the back cover is removed, this attack is almost impossible on secured systems. [citation needed]

Due to the nature of attacks that require extended physical access to hardware, it's unlikely the attack will affect users outside of a business or government environment. [12] [13]

Mitigation

The researchers claim there is no easy software solution, and that the vulnerability may only be mitigated by disabling the Thunderbolt port altogether. [1] However, the impacts of this attack (reading kernel-level memory without the machine needing to be powered off) are largely mitigated by anti-intrusion features provided by many business machines. [14] Intel claims enabling such features would substantially restrict the effectiveness of the attack. [15] Microsoft's official security recommendations recommend disabling sleep mode while using BitLocker. [16] Using hibernation in place of sleep mode turns the device off, mitigating potential risks of attack on encrypted data.
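The Linux counterpart of the Kernel DMA Protection named above is IOMMU-based DMA protection, which the kernel's thunderbolt driver reports through sysfs. The following script is an added example, not code from the article or from the Thunderspy researchers; it assumes a Linux host with the thunderbolt driver loaded and the sysfs layout under /sys/bus/thunderbolt/devices/domainN/, and it reports for each Thunderbolt domain whether peripheral DMA is IOMMU-restricted or whether the host still relies on the controller's own security level, which a firmware rewrite of the kind described above can undermine.

```shell
#!/bin/sh
# Added example (not from the original article): report whether a Linux
# Thunderbolt domain is covered by IOMMU DMA protection.
# Attributes read from the domain directory (exposed by the thunderbolt driver):
#   security             - Thunderbolt security level (none, user, secure, dponly, usbonly, nopcie)
#   iommu_dma_protection - 1 when the kernel restricts peripheral DMA via the IOMMU
# The function takes the domain directory as an argument, so it can also be run
# against a constructed directory tree; the real sysfs path is assumed in tb_dma_scan.

tb_dma_status() {
    dom="$1"
    sec="unknown"
    iommu="0"
    if [ -r "$dom/security" ]; then
        sec=$(cat "$dom/security")
    fi
    if [ -r "$dom/iommu_dma_protection" ]; then
        iommu=$(cat "$dom/iommu_dma_protection")
    fi
    if [ "$iommu" = "1" ]; then
        echo "$dom: security=$sec iommu_dma_protection=1 -> peripheral DMA is IOMMU-restricted"
        return 0
    fi
    # Without IOMMU protection the host trusts the controller's security level,
    # which lives in the controller firmware that Thunderspy reprograms.
    echo "$dom: security=$sec iommu_dma_protection=$iommu -> relies on controller firmware; not covered by kernel DMA protection"
    return 1
}

# Walk every Thunderbolt domain on this host; returns non-zero if any domain
# lacks IOMMU DMA protection. Prints nothing if the driver is not loaded.
tb_dma_scan() {
    rc=0
    for d in /sys/bus/thunderbolt/devices/domain*; do
        [ -d "$d" ] || continue
        tb_dma_status "$d" || rc=1
    done
    return $rc
}
```

Run `tb_dma_scan` on the host in question; a domain reported as relying on controller firmware is the case where the hibernate-instead-of-sleep advice above matters most.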


References

  1. Greenberg, Andy (10 May 2020). "Thunderbolt Flaws Expose Millions of PCs to Hands-On Hacking - The so-called Thunderspy attack takes less than five minutes to pull off with physical access to a device, and it affects any PC manufactured before 2019". Wired. Retrieved 11 May 2020.
  2. Porter, Jon (11 May 2020). "Thunderbolt flaw allows access to a PC's data in minutes - Affects all Thunderbolt-enabled PCs manufactured before 2019, and some after that". The Verge. Retrieved 11 May 2020.
  3. Doffman, Zak (11 May 2020). "Intel Confirms Critical New Security Problem For Windows Users". Forbes. Retrieved 11 May 2020.
  4. Ruytenberg, Björn (2020). "Thunderspy: When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security". Thunderspy.io. Retrieved 11 May 2020.
  5. Kovacs, Eduard (11 May 2020). "Thunderspy: More Thunderbolt Flaws Expose Millions of Computers to Attacks". SecurityWeek.com. Retrieved 11 May 2020.
  6. O'Donnell, Lindsey (11 May 2020). "Millions of Thunderbolt-Equipped Devices Open to 'ThunderSpy' Attack". ThreatPost.com. Retrieved 11 May 2020.
  7. Wyciślik-Wilson, Mark (11 May 2020). "Thunderspy vulnerability in Thunderbolt 3 allows hackers to steal files from Windows and Linux machines". BetaNews.com. Retrieved 11 May 2020.
  8. Gorey, Colm (11 May 2020). "Thunderspy: What you need to know about unpatchable flaw in older PCs". SiliconRepublic.com. Retrieved 12 May 2020.
  9. Ruytenberg, Björn (17 April 2020). "Breaking Thunderbolt Protocol Security: Vulnerability Report. 2020" (PDF). Thunderspy.io. Retrieved 11 May 2020.
  10. Staff (26 February 2019). "Thunderclap: Modern computers are vulnerable to malicious peripheral devices". Retrieved 12 May 2020.
  11. Gartenberg, Chaim (27 February 2019). "'Thunderclap' vulnerability could leave Thunderbolt computers open to attacks - Remember: don't just plug random stuff into your computer". The Verge. Retrieved 12 May 2020.
  12. Grey, Mishka (13 May 2020). "7 Thunderbolt Vulnerabilities Affect Millions of Devices: 'Thunderspy' Allows Physical Hacking in 5 Minutes - Do you own a Thunderbolt equipped laptop, and have bought it after 2011? Well, we've news for YOU. 7 newly discovered Intel Thunderbolt vulnerabilities have exposed your device to hackers. Learn what to do?". HackReports.com. Retrieved 18 May 2020.
  13. codeHusky (11 May 2020). "Video (11:01) - Thunderspy is nothing to worry about - Here's why". YouTube. Retrieved 12 May 2020.
  14. Staff (26 March 2019). "Kernel DMA Protection for Thunderbolt™ 3 (Windows 10) - Microsoft 365 Security". Microsoft Docs. Retrieved 17 May 2020.
  15. Jerry, Bryant (10 May 2020). "More Information on Thunderbolt(TM) Security - Technology@Intel". Retrieved 17 May 2020.
  16. Microsoft Docs. https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-security-faq#what-are-the-implications-of-using-the-sleep-or-hibernate-power-management-options