- Joined
- Aug 19, 2017
- Messages
- 2,671 (0.99/day)
Dutch researcher from the Eindhoven University of Technology has found a new vulnerability in Thunderbolt port that allows attackers with physical access to unlock any PC running Windows or Linux kernel-based OS in less than 5 minutes. The researcher of the university called Björn Ruytenberg found a method which he calls Thunderspy, which can bypass the login screen of any PC. This attack requires physical access to the device, which is, of course, dangerous on its own if left with a person of knowledge. The Thunderbolt port is a fast protocol, and part of the reason why it is so fast is that it partially allows direct access to computer memory. And anything that can access memory directly is a potential vulnerability.
The Thunderspy attack relies on just that. There is a feature built into the Thunderbolt firmware called "Security Level", which disallows access to untrusted devices or even turns off Thunderbolt port altogether. This feature would make the port be a simple USB or display output. However, the researcher has found a way to alter the firmware setting of Thunderbolt control chip in a way so it allows any device to access the PC. This procedure is done without any trace and OS can not detect that there was a change. From there, the magic happens. Using an SPI (Serial Peripheral Interface) programmer with a SOP8 clip that connects the pins of the programmer device to the controller, the attacker just runs a script from there. This procedure requires around $400 worth of hardware. Intel already put some protection last year for the Thunderbolt port called Kernel Direct Memory Access Protection, but that feature isn't implemented on PCs manufactured before 2019. And even starting from 2019, not all PC manufacturers implement the feature, so there is a wide group of devices vulnerable to this unfixable attack.
You can check out the video demonstration below:
View at TechPowerUp Main Site
The Thunderspy attack relies on just that. There is a feature built into the Thunderbolt firmware called "Security Level", which disallows access to untrusted devices or even turns off Thunderbolt port altogether. This feature would make the port be a simple USB or display output. However, the researcher has found a way to alter the firmware setting of Thunderbolt control chip in a way so it allows any device to access the PC. This procedure is done without any trace and OS can not detect that there was a change. From there, the magic happens. Using an SPI (Serial Peripheral Interface) programmer with a SOP8 clip that connects the pins of the programmer device to the controller, the attacker just runs a script from there. This procedure requires around $400 worth of hardware. Intel already put some protection last year for the Thunderbolt port called Kernel Direct Memory Access Protection, but that feature isn't implemented on PCs manufactured before 2019. And even starting from 2019, not all PC manufacturers implement the feature, so there is a wide group of devices vulnerable to this unfixable attack.
You can check out the video demonstration below:
View at TechPowerUp Main Site