The Thunderspy attack affects millions of PCs released before 2019.
A specialist at Eindhoven University of Technology in the Netherlands has demonstrated a new attack method on Windows or Linux computers with support for the Thunderbolt port, which allows hacking devices in less than five minutes.
With the help of a new technique called Thunderspy, it is possible to bypass the authorization screen (and even hard disk encryption) on computers that are locked or in sleep mode, change security settings and access data on the device. Although in most cases it will be necessary to open the PC case to exploit the vulnerability, the attack leaves no traces and takes only a few minutes, explained the author of the method, Björn Ruytenberg.
The new method refers to the type of attacks known as “evil maid” (“evil maid”), in which an attacker who has physical access to a PC can bypass local authentication. According to Ruytenberg, the only way to defend against a Thunderspy attack is to disable the Thunderbolt port.
Following the release of a report on a Thunderclap attack that steals information directly from the OS’s memory using peripherals, Intel introduced the Kernel DMA Protection security mechanism, which blocks connected Thunderbolt 3 devices and prevents them from accessing Direct Memory Access until they are a specific set of procedures has been completed.
This feature prevents a Thunderspy attack, but the problem is that this mechanism is not available on PCs released before 2019, the researcher explains. Moreover, many Thunderbolt peripherals manufactured before 2019 do not support this technology.
Specialists examined several models of Dell, HP, and Lenovo PCs and found that the Dell PC does not have the Kernel DMA Protection feature (including devices released after 2019), while in the case of HP and Lenovo only a few models use the technology. The vulnerability does not affect computers based on Apple macOS.
According to HP, “most HP commercial PC mobile workstations that support Sure Start Gen5 and higher” have Thunderspy attack protection. Lenovo said they were studying the situation.
Thunderbolt is a peripheral connectivity technology developed by Intel in conjunction with Apple that enables the transfer of data, video, audio, and electricity through a single port.
HP Sure Start is technology developed by HP (Hewlett-Packard) to protect the computer’s BIOS. It is responsible for BIOS security and includes the Dynamic Protection function, which checks the BIOS not only when the device status changes, but also during the day at regular intervals.