A slew of seven vulnerabilities identified in the Thunderbolt
port allow an attacker with physical access to the device to bypass all
security, no matter the platform. They affect all Thunderbolt-equipped laptops
and computers built since 2011.
The vulnerabilities, known collectively as Thunderspy, were
identified by security researcher Björn Ruytenberg, an MSc student in Computer
Science and Engineering.
These are not your average hardware vulnerabilities, as
they require considerable knowledge and some additional hardware. But once an
attacker has all the software and hardware tools, any computer that features
the Thunderbolt port and was built in the past nine years can be compromised,
even if it runs Windows, Linux, or macOS.
“Thunderspy is stealth, meaning that you cannot find any
traces of the attack,” says the researcher. “It does not require your
involvement, i.e., there is no phishing link or malicious piece of hardware
that the attacker tricks you into using.”
“Thunderspy works even if you follow best security
practices by locking or suspending your computer when leaving briefly, and if
your system administrator has set up the device with Secure Boot, strong BIOS
and operating system account passwords, and enabled full disk encryption. All
the attacker needs is 5 minutes alone with the computer, a screwdriver, and
some easily portable hardware.”
This attack is not only theoretically possible —
Ruytenberg developed nine scenarios in which bad actors could exploit these
vulnerabilities. There’s even a short video showing how the security of a
Windows system is bypassed.
Both Intel and Apple (Thunderbolt developer) were
informed of the vulnerabilities. Intel said it was already aware of some of
them, and Apple chose to do nothing about it because macOS was only partially
vulnerable.
Intel notified a number of affected partners, and Apple
simply said: “Some of the hardware security features you outlined are only
available when users run macOS. If users are concerned about any of the issues
in your paper, we recommend that they use macOS.”
The researcher also released a tool that tells people if
their hardware is affected by the vulnerabilities, and made it available on his
website.