Unfixable Flaw Found in Thunderbolt Port that Unlocks any PC in Less Than 5 Minutes

[AleksandarK]

Dutch researcher from the Eindhoven University of Technology has found a new vulnerability in Thunderbolt port that allows attackers with physical access to unlock any PC running Windows or Linux kernel-based OS in less than 5 minutes. The researcher of the university called Björn Ruytenberg found a method which he calls Thunderspy, which can bypass the login screen of any PC. This attack requires physical access to the device, which is, of course, dangerous on its own if left with a person of knowledge. The Thunderbolt port is a fast protocol, and part of the reason why it is so fast is that it partially allows direct access to computer memory. And anything that can access memory directly is a potential vulnerability.

The Thunderspy attack relies on just that. There is a feature built into the Thunderbolt firmware called "Security Level", which disallows access to untrusted devices or even turns off Thunderbolt port altogether. This feature would make the port be a simple USB or display output. However, the researcher has found a way to alter the firmware setting of Thunderbolt control chip in a way so it allows any device to access the PC. This procedure is done without any trace and OS can not detect that there was a change. From there, the magic happens. Using an SPI (Serial Peripheral Interface) programmer with a SOP8 clip that connects the pins of the programmer device to the controller, the attacker just runs a script from there. This procedure requires around $400 worth of hardware. Intel already put some protection last year for the Thunderbolt port called Kernel Direct Memory Access Protection, but that feature isn't implemented on PCs manufactured before 2019. And even starting from 2019, not all PC manufacturers implement the feature, so there is a wide group of devices vulnerable to this unfixable attack.


You can check out the video demonstration below:

View at TechPowerUp Main Site

 

[londiste]

Physically attaching to flash chip and re-flashing firmware is pretty unfixable indeed...

Edit:
Also, article source that would be nice to link is the flaw's own site:

Thunderspy - When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security

 

[stimpy88]

Bloody hell Intel!

 

[Patriot]

sop 8 chip flasher with clip is like $3 of hardware not $400, This is why microsoft said they didn't include thunderbolt on their devices, inherently insecure to have external pcie. Turns out relying on an external device to say it is secure doesn't work so well.

 

[AleksandarK]

sop 8 chip flasher with clip is like $3 of hardware not $400

It is not just the clip, it reqires other components.

 

[OneMoar]

so it requires extended physical access to the machine as well as removing the cases access panel to execute

slow news day eh ?

in other news people that have physical access to your computer can steal your data

article title is blately misleading its not 5 minutes try more like 15 minutes to get all the hardware setup probably closer to 20 if you need be fiddling with your hardware probe to get a solid connection anybody thats ever used these SOIC clips knows they are pain in the ass and depending on the board and the bios chip style you may not even have access

btw I can bypass the windows login screen by booting the pc from the windows setup disk and renaming a file witch btw requires no hardware mods no special software and in reality probably about 5 minutes


can we stop with the fear mongering please holy fuck its so easy to make the uneducated whip them selves into a panic

 

[maxitaxi96]

in other news people that have physical access to your computer can steal your data

you are right about that... But this is not about how practical it is, but the fact that it exists. It's not like suddenly physical access make data theft possible but more like it's yet another way to steal data which should not exist in the first place.

 

[Caring1]

Bloody hell Intel!

Apple.
It was a joint Intel and Apple collaboration to develop, but Apple is the main one pushing it as a standard.

 

[Valantar]

sop 8 chip flasher with clip is like $3 of hardware not $400, This is why microsoft said they didn't include thunderbolt on their devices, inherently insecure to have external pcie. Turns out relying on an external device to say it is secure doesn't work so well.

If the procedure requires disassembly of the laptop to access and reprogram a chip, the question of external PCIe is rather moot, no? Disassembling the laptop would give access to any m.2 ports, WiFi ports, etc, so getting access to PCIe that way really isn't difficult.

 

[londiste]

This list of vulnerabilities they found, copy-paste from the report:

In this report, we disclose the following vulnerabilities:

1. Inadequate firmware verification schemes.
Thunderbolt host and device controllers operate using updatable firmware stored in its SPI flash. Using this feature, Thunderbolt hardware vendors occasionally provide firmware updates online to address product issues post-release. To ensure firmware authenticity, upon writing the image to the flash, Thunderbolt controllers verify the firmware’s embedded signature against Intel’s public key stored in silicon. However, we have found authenticity is not verified at boot time, upon connecting the device, or at any later point. During our experiments, using a SPI programmer, we have written arbitrary, unsigned firmware directly onto the SPI flash. Subsequently, we have been able to verify Thunderbolt controller operation using our modified firmware.

2. Weak device authentication scheme.
As noted in Section 1, device identification comprises several strings and numerical identifiers. However, we have found none of the identifiers are linked to the Thunderbolt PHY or one another, cryptographically or otherwise.

3. Use of unauthenticated device metadata.
Thunderbolt controllers store device metadata in a firmware section referred to as Device ROM (DROM). We have found that the DROM is not cryptographically verified. Following from the first issue, this vulnerability enables constructing forged Thunderbolt device identities. In addition, when combined with the second issue, forged identities may partially or fully comprise arbitrary data. Figure 2 demonstrates a device passing authentication while presenting a forged DROM to the host.

4. Backwards compatibility.
Thunderbolt 3 host controllers support Thunderbolt 2 device connectivity, irrespective of Security Levels. Such backwards compatibility subjects Thunderbolt 3-equipped systems to vulnerabilities introduced by Thunderbolt 2 hardware.

5. Use of unauthenticated controller configurations.
In UEFI, users may choose to employ a Security Level different to the default value (SL1) as listed in Section1. In storing Security Level state, we have determined that Thunderbolt employs two state machines, with one instance being present in UEFI, and another residing in host controller firmware. However, we have found firmware configuration authenticity is not verified at boot time, upon resuming from sleep, or at any later point. In addition, we have found these states machines may be subjected to desynchronization, with controller firmware overriding UEFI state without being reflected in the latter. As such, this vulnerability subjects the Thunderbolt host controller to unauthenticated, covert overriding of Security Levels configuration.

6. SPI flash interface deficiencies.
As noted before, Thunderbolt systems rely on SPI flash to store controller firmware (vulnerability 1) and maintain their Security Level state (vulnerability 5). In our study, we have found Thunderbolt controllers lack handling hardware error conditions when interacting with flash devices. Specifically, we have determined enabling flash write protection (i) prevents changing the Security Level configuration in UEFI, again without being reflected in the latter, and (ii) prevents controller firmware from being updated, without such failures being reflected in Thunderbolt firmware update applications. As such, when combined with the fifth issue, this vulnerability allows to covertly, and permanently, disable Thunderbolt security and block all future firmware updates.

7. No Thunderbolt security on Boot Camp.
Apple supports running Windows on Mac systems using the Boot Camp utility [2]. Aside from Windows, this utility may also be used to install Linux. When running either operating system, Mac UEFI disables all Thunderbolt security by employing the Security Level “None” (SL0). As such, this vulnerability subjects the Mac system to trivial Thunderbolt-based DMA attacks.

 

[Imouto]

I think we are watching the fall of an empire. Intel must thank having a diversified portfolio and having bought half the industry because their traditional business is in absolute decadence.

 

[hat]

Hmm, so if you have physical access to a computer and specialized hardware, you can do bad things. Whodathunkit?

 

[londiste]

I read through the rest of the report. It all boils down to being able to reflash the Thunderbolt firmware. Once you are able to do that, there are several attack vectors.
The real problem seems to be that there simply are not enough checks and verifications to properly detect incorrect firmware and at least raise an alarm if that is the case.

 

[theonek]

thank god that this is not so common interface like usb and it's not present in 99% of pc's...

 

[Darmok N Jalad]

Apple.

What about Apple? The article doesn’t say anything about this working on a Mac, just Windows and Linux. Is macOS immune or just untested? Or maybe it’s just unclear.

 

[TheoneandonlyMrK]

Is this going to transfer to usb4

 

[londiste]

Is this going to transfer to usb4

USB 4 is based on Thunderbolt 3. Is this interface affected as well?
On September 3, 2019, USB-IF announced the final specification of USB 4. Among its key features is support for Thunderbolt-based signaling. While USB 4 controllers and peripherals have not yet become readily available, we would encourage users to exercise caution until such hardware has been unequivocally found to address all Thunderspy vulnerabilities.

 

[Imouto]

What about Apple? The article doesn’t say anything about this working on a Mac, just Windows and Linux. Is macOS immune or just untested? Or maybe it’s just unclear.

Apple seems to be doing its thing too: https://9to5mac.com/2020/05/11/thunderbolt-security-flaws/

MacOS employs (i) an Apple-curated whitelist in place of Security Levels, and (ii) IOMMU virtualization when hardware and driver support is available. Vulnerabilities 2–3 enable bypassing the first protection measure, and fully compromising authenticity of Thunderbolt device metadata in MacOS “System Information”. However, the second protection measure remains functioning and hence prevents any further impact on victim system security via DMA. The system becomes vulnerable to attacks similar to BadUSB. Therefore, MacOS is partially affected.

 

[TheLostSwede]

Look at this way, there's now a way to get access to your computer if you forgot the password...

What about Apple? The article doesn’t say anything about this working on a Mac, just Windows and Linux. Is macOS immune or just untested? Or maybe it’s just unclear.

MacOS is BSD based which is sort of based on Unix, so who knows.

If the procedure requires disassembly of the laptop to access and reprogram a chip, the question of external PCIe is rather moot, no? Disassembling the laptop would give access to any m.2 ports, WiFi ports, etc, so getting access to PCIe that way really isn't difficult.

Sure, but this seems like it might be a way to get around encrypted drives, if nothing else.

 

[Patriot]

so it requires extended physical access to the machine as well as removing the cases access panel to execute

slow news day eh ?

in other news people that have physical access to your computer can steal your data

article title is blately misleading its not 5 minutes try more like 15 minutes to get all the hardware setup probably closer to 20 if you need be fiddling with your hardware probe to get a solid connection anybody thats ever used these SOIC clips knows they are pain in the ass and depending on the board and the bios chip style you may not even have access

btw I can bypass the windows login screen by booting the pc from the windows setup disk and renaming a file witch btw requires no hardware mods no special software and in reality probably about 5 minutes


can we stop with the fear mongering please holy fuck its so easy to make the uneducated whip them selves into a panic

It sounds like it was requiring access to the thunderbolt cable or external thunderbolt device not the host... I have used the clips, it's not that hard, and pretty sure all thunderbolt cable chips are the same.
I will read more about this... if it truly does require host access and cable access, you will have quicker luck with the pcie vulnerabilities themselves as it has no security ....

It sounds like it was requiring access to the thunderbolt cable or external thunderbolt device not the host... I have used the clips, it's not that hard, and pretty sure all thunderbolt cable chips are the same.
I will read more about this... if it truly does require host access and cable access, you will have quicker luck with the pcie vulnerabilities themselves as it has no security ....

Thunderspy enables creating arbitrary Thunderbolt device identities and cloning user-authorized Thunderbolt devices, even in the presence of Security Levels pre-boot protection and cryptographic device authentication.

While the permanent disablement of security requires host disassembly and modification the other attack vectors do not. AKA, plug device into locked system and gain access. Universal key. Physical access is usually considered a moot point because it allows for removal of system and time constraints on attack vectors. However gaining network access through a locked system is a big deal, as it can be a supply chain attack or even a parkinglot attack, though I suspect people would be less likey to pick up a thunderbolt cable that has been tampered with than a usb key. That said, people are dumb.

 

[exodusprime1337]

so it requires extended physical access to the machine as well as removing the cases access panel to execute

slow news day eh ?

in other news people that have physical access to your computer can steal your data

article title is blately misleading its not 5 minutes try more like 15 minutes to get all the hardware setup probably closer to 20 if you need be fiddling with your hardware probe to get a solid connection anybody thats ever used these SOIC clips knows they are pain in the ass and depending on the board and the bios chip style you may not even have access

btw I can bypass the windows login screen by booting the pc from the windows setup disk and renaming a file witch btw requires no hardware mods no special software and in reality probably about 5 minutes


can we stop with the fear mongering please holy fuck its so easy to make the uneducated whip them selves into a panic

I don't think you're taking into account the utility of this attack against a corporation and the more and more laptops they give out. When a laptop goes home most decent orgs provide full disk encryption but far fewer offer pre boot authentication such as a pin or pre-boot passcode. This means if a developers laptop was stolen from their car or home and was able to be booted to a desktop, the work of encryption could theoretically be bypassed giving an attacker full access to the files on your machine. Worse even if the developer has pre-boot auth, but simply put his machine to sleep and didn't shut it down.

You clearly lack a good understanding regarding the usefulness of these attacks. There are many many companies that go to great lengths with disk encryption and account lockout policies and in many regards this is a relatively inexpensive way to bypass most of those protective layers.

Is it unlikely? Sure you need physical access. But this not only opens up threats to third parties whom gain physical access but more importantly the growing number of insider threats that pop up year over year. Someone's "stolen" laptop could be from someone in their very company with regular access to the machine or knowledge of that employees whereabouts. This isn't fear mongering, this is a security orgs nightmare. A breach point with little or no hope of ever fixing. Many orgs will most likely move disk encryption to pre-boot authentication, but that comes with a cost to the end user experience and could have major functionality concerns for items like kiosks and publicly accessible endpoints. Thunderbolt is just broken.

 

[timta2]

What about Apple? The article doesn’t say anything about this working on a Mac, just Windows and Linux. Is macOS immune or just untested? Or maybe it’s just unclear.

Other articles have stated that macOS is not vulnerable to this.

 

[R-T-B]

Using an SPI (Serial Peripheral Interface) programmer with a SOP8 clip that connects the pins of the programmer device to the controller,

So not only do you need physical access, you actually need to open and attach a hardware programmer to the PC?

I'll take academic exploits for $200, Alex.

When a laptop goes home most decent orgs provide full disk encryption but far fewer offer pre boot authentication such as a pin or pre-boot passcode. This means if a developers laptop was stolen from their car or home and was able to be booted to a desktop, the work of encryption could theoretically be bypassed giving an attacker full access to the files on your machine. Worse even if the developer has pre-boot auth, but simply put his machine to sleep and didn't shut it down.

No one should be using FDE with only TPM or just autoboot as an auth method. If you are, I can bypass that login screen through several means, not just this. It's pretty darn trivial.

 

[OneMoar]

this is how you properly write this article

Thunderspy: What it is, why it’s not scary, and what to do about it

Evil maids can use the Thunderbolt port to access your computer; many restrictions apply.

arstechnica.com

I don't think you're taking into account the utility of this attack against a corporation and the more and more laptops they give out. When a laptop goes home most decent orgs provide full disk encryption but far fewer offer pre boot authentication such as a pin or pre-boot passcode. This means if a developers laptop was stolen from their car or home and was able to be booted to a desktop, the work of encryption could theoretically be bypassed giving an attacker full access to the files on your machine. Worse even if the developer has pre-boot auth, but simply put his machine to sleep and didn't shut it down.

You clearly lack a good understanding regarding the usefulness of these attacks. There are many many companies that go to great lengths with disk encryption and account lockout policies and in many regards this is a relatively inexpensive way to bypass most of those protective layers.

Is it unlikely? Sure you need physical access. But this not only opens up threats to third parties whom gain physical access but more importantly the growing number of insider threats that pop up year over year. Someone's "stolen" laptop could be from someone in their very company with regular access to the machine or knowledge of that employees whereabouts. This isn't fear mongering, this is a security orgs nightmare. A breach point with little or no hope of ever fixing. Many orgs will most likely move disk encryption to pre-boot authentication, but that comes with a cost to the end user experience and could have major functionality concerns for items like kiosks and publicly accessible endpoints. Thunderbolt is just broken.

you clearly don't have ANY understanding of OpSec

physical access for any length of time = game over you loose thats it you are done

if you have critical data stored locally and are NOT already using pre-boot authentication with full disk encryption you are an idiot and should have your hands cut off

you two options either don't give the machine access to critical data, or lock it down there is no middle ground between security and usability in this case

and most organisations don't even bother with disk encryption so again moot point if the data is stored locally


go away

 

[remixedcat]

It sounds like it was requiring access to the thunderbolt cable or external thunderbolt device not the host... I have used the clips, it's not that hard, and pretty sure all thunderbolt cable chips are the same.
I will read more about this... if it truly does require host access and cable access, you will have quicker luck with the pcie vulnerabilities themselves as it has no security ....



Thunderspy enables creating arbitrary Thunderbolt device identities and cloning user-authorized Thunderbolt devices, even in the presence of Security Levels pre-boot protection and cryptographic device authentication.

While the permanent disablement of security requires host disassembly and modification the other attack vectors do not. AKA, plug device into locked system and gain access. Universal key. Physical access is usually considered a moot point because it allows for removal of system and time constraints on attack vectors. However gaining network access through a locked system is a big deal, as it can be a supply chain attack or even a parkinglot attack, though I suspect people would be less likey to pick up a thunderbolt cable that has been tampered with than a usb key. That said, people are dumb.

Lots of knockoff wlan adapters and shityy ones ppl buy off wish.