Serviceteam IT Security News
A new attack method enables bad actors to access data on a locked computer via an evil maid attack within 5 minutes

Millions of computers sporting Intel’s Thunderbolt ports are open to hands-on hacking attempts due to vulnerabilities in the hardware interface, according to research by Björn Ruytenberg, a security researcher at Eindhoven University of Technology in The Netherlands. Dubbed Thunderspy, the attack method affects Thunderbolt-equipped machines manufactured between 2011 and 2020 and is a concern with machines running any of the three major operating systems – Windows, Linux and, to a lesser extent, macOS.

To snatch data from a PC through a so-called evil maid attack, all a bad actor would need is a few minutes, physical access to the device, and some off-the-shelf equipment. “All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate, and the evil maid gets full access to the laptop,” Ruytenberg told Wired, adding that the whole process could be managed within five minutes. A total of 7 vulnerabilities were found to affect Thunderbolt versions 1 through 3 and they’re all listed out in detail in the research paper.

The attack method works even if you follow cybersecurity best practices, such as locking your computer when stepping out for a moment and using strong passwords and measures such as full disk encryption. Above all, the attack leaves no traces.

As a proof of concept, Ruytenberg developed a firmware patching toolkit called Thunderbolt Controller Firmware Patcher (tcfp), which allows him to disable Thunderbolt security without accessing the machine’s BIOS or operating system. Since all of this takes place covertly and the changes aren’t reflected in BIOS, the victim remains none the wiser.

Ruytenberg also developed another tool, called SPIblock. Using it in tandem with tfcp, he managed to disable Thunderbolt security for good and block all future firmware updates, all the while remaining undetected.

Thunderbolt security was also in the limelight last year, when a team of researchers was able to uncover a collection of vulnerabilities they named Thunderclap. Fortunately, those could be mitigated by security options, called “Security Levels”, that were already available at the time.

Not so much with Thunderspy, as this attack method circumvents these security settings. On the other hand, what does guard against it is Kernel Direct Memory Access (DMA) protection that was introduced in 2019, as Intel states in its response to the published report.

Ruytenberg concludes that an update won’t be enough to fix the issue: “The Thunderspy vulnerabilities cannot be fixed in software, impact future standards such as USB 4 and Thunderbolt 4, and will require a silicon redesign.”

If you’re worried that your computer may be susceptible to an attack, you can use Spycheck, a tool specifically developed by the researcher to scan for Thunderspy vulnerabilities. To protect yourself, you shouldn’t leave your computer unattended while powered on even if you locked the screen; the same applies to your Thunderbolt peripherals. Ruytenberg also recommends disabling your Thunderbolt ports entirely in BIOS, which would render them inoperable but should keep you safe.

Source: HERE

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!