Attack Against PC Thunderbolt Port

The attack requires physical access to the computer, but it's pretty devastating:

On Thunderbolt-enabled Windows or Linux PCs manufactured before 2019, his technique can bypass the login screen of a sleeping or locked computer -- and even its hard disk encryption -- to gain full access to the computer's data. And while his attack in many cases requires opening a target laptop's case with a screwdriver, it leaves no trace of intrusion and can be pulled off in just a few minutes. That opens a new avenue to what the security industry calls an "evil maid attack," the threat of any hacker who can get alone time with a computer in, say, a hotel room. Ruytenberg says there's no easy software fix, only disabling the Thunderbolt port altogether.

"All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate, and the evil maid gets full access to the laptop," says Ruytenberg, who plans to present his Thunderspy research at the Black Hat security conference this summer­or the virtual conference that may replace it. "All of this can be done in under five minutes."

Lots of details in the article above, and in the attack website. (We know it's a modern hack, because it comes with its own website and logo.)

Intel responds.

EDITED TO ADD (5/14): More.

Posted on May 12, 2020 at 6:09 AM • 19 Comments

Comments

Jason SullivanMay 12, 2020 7:07 AM

Idly wondering how many folks are going to be combating this particular avenue of attack with a few pennies worth of epoxy covering the flash chip. I know some sysadmins did this for entire USB ports back in the 90's/00's. In this case you wouldn't even reduce the functionality.

Who?May 12, 2020 7:50 AM

@ Jason Sullivan

Good advice. Device manufacturers should cryptographically sign all firmware running on their devices too, not only the BIOS. TPM should perform integrity measurements on all firmware too. This vulnerability would have been not so bad if countermeasures were in place years ago.

QMay 12, 2020 8:02 AM

The standard advice of never giving someone else access to your hardware is still valid.

For border crossings this could be a problem. Five minutes in a backroom and now your system is owned by the spooks. Perhaps the answer here is to have your own reprogramming kit and set it back to normal after the spooks have had their way with it. But you had better be sure they haven't made other changes in addition to this one.

TPM is only there to lock you out from your own systems and prevent you from running your own OS. So TPM isn't the answer here.

IanMay 12, 2020 8:35 AM

Rather poor response from Intel. They seem to gloss over the fact that even KDMA doesn't stop all of these attacks. And that most people would need to buy a new system to get KDMA.....

CigaesMay 12, 2020 9:09 AM

So it is just the Firewire DMA attack again? Did Intel learn nothing in the last fifteen years?

Clive RobinsonMay 12, 2020 9:37 AM

@ All,

DMA attacks via I/O devices is not exactly a new thing...

I remember it being talked about back in the early 1980's when designing Z80 based SBC rack mount boards (what we might call blades) that could be connected together via a DMS controller and high speed bus for graphics systems...

So it's a well known problem for which Intel has no excuse what so ever. But it gets worse, from the Wired article,

    Karsten Nohl, a well-known hardware security researcher and founder of SR Labs ... was surprised to see how easily Intel's "security levels" can be bypassed. "If you're adding an authentication scheme against hardware attacks and then you implement it in unsecured hardware … that’s the wrong way to tackle a hardware security problem," says Nohl. "It’s a false sense of protection."

It's a hard point to argue against. But as others might have noted Intel's more recent history on hardware security has been quite lamentable... This suggests that maybe people should think about buying elsewhere if they can.

@ Jason Sullivan,

Idly wondering how many folks are going to be combating this particular avenue of attack with a few pennies worth of epoxy covering the flash chip.

In principle/theory it's a good idea, in practice though it depends on "PCB Track out". The motherboard designer may well have put a programing port or test port that is connected to those pins elsewhere on the PCB.

JakeMay 12, 2020 9:55 AM

Can someone explain how this attack can bypass the encryption on a hard disk? I understand if the computer is in a lock/sleep state you have already decrypted the drive to allow the OS to boot, but how exactly is this bypassing encryption?

NixMay 12, 2020 12:33 PM

Feels like a rather unlikely thing to have to defend against. Just reprogram the firmware, oh yes that's simple. I'm sure this attack will be really widespread compared to almost any other possible physical attack vector. Outright theft, pulling and cloning disks, heck even removing flash RAM chips is probably giong to be easier to do for almost anyone below a state-level actor than this. The only benefit of this is its comparative undetectability if all goes well.

(Compare to FireWire, which has always allowed this sort of direct DMA suckery with no reprogramming of any kind: useful for debugging a hung machine... but it didn't get a cool logo and its own website so apparently it wasn't a problem, even though it is by any reckoning wide open compared to Thunderbolt.)

Clive RobinsonMay 12, 2020 12:46 PM

@ Jake,

Can someone explain how this attack can bypass the encryption on a hard disk?

Technically it's no more bypassing the encrypted hard disk than the computer is.

It's just that with access to Kernel Space Memory it has access to all the computer it's self can see. Thus if the computer has the Encryption keys in memory for either FDE or User/File Based Encryption then an attacker gets access to the keys or to the plaintext of any file in computer memory.

What this attack alowes an attacker to do is gain access to the plaintext beyond the security end point. So in effect it's a form of "end run attack".

Peter A.May 12, 2020 1:29 PM

@Q: Why cross a hostile border with any significant device/data today? Go with some decoy device, sell it at a pawn shop, buy another one at another pawn shop, factory reset it, download your data over the 'net, and you're set. All you need to carry across the border is a key and a checksum. They can be hidden in plain sight if you think it out well, or even memorized.

K. M. PetersonMay 12, 2020 4:49 PM

Is this an obvious question? “Sleeping or locked” means not booted: wouldn’t the workaround for this issue be to ensure it is powered down if not in your possession? Or did I miss something?

nobodyMay 12, 2020 5:00 PM

I wonder if it's possible to defeat this attack by using the iommu to block Thunderbolt interfaces from accessing main memory.

There are sporadic reports that it's possible to pass through a Thunderbolt port to a KVM/QEMU VM, which suggests that it might be possible (at least on some hardware) to confine Thunderbolt DMA to arbitrary memory ranges.

Clive RobinsonMay 12, 2020 11:43 PM

@ K. M. Peterson,

wouldn’t the workaround for this issue be to ensure it is powered down if not in your possession?

Yes and no...

If powered down you would not have encryption keys or sensitive files in memory. But that would not stop an evil made over writing the flash ROM to insecure, so that an easier faster attack can be carried out later.

It would after all then only take a few seconds to attach a quite small RF device whilst you were distracted in a coffee shop or café etc...

You've probably seen some very small "USB WiFi dongles" if I pushed something the same size as one in the back of your laptop whilst you were destracted you probably would not notice it as you carried on working. At the very least it could then add other malware, but also provide a high bandwidth connection for a "RAT on steroids".

This sort of thing is why you need to do both FDE and File level encryption as a minimum to minimize losses. Plus also running software that logs all file creation, reading, updating and deleating (CRUD) etc would help identify anomalous behaviour.

The simple fact is at the end of the day as an individual you can not stop a determined attacker especially if they are at government guard level or above or equivalent corporate level (think of what Kroll and Blackwater / Academi are alledged to do).

All you can do is mitigate against less sophisticated attackers, hence the advice about not taking consumer level equipment with you when traveling across borders etc.

SpaceLifeFormMay 13, 2020 1:38 AM

Black Hat USA 2020 will be entirely virtual this year.

hxxps://www.blackhat.com/us-20/

myliitMay 13, 2020 6:55 AM

Anybody want to discuss Macintosh computers. From:

https://thunderspy.io/#affected-apple-systems

“I have an Apple Mac. Am I affected?

All Apple Macs released from 2011 onward, except for Retina MacBooks, provide Thunderbolt connectivity and are therefore vulnerable to Thunderspy. You may wish to learn more about Thunderbolt-equipped Macs on Apple's website. For more information on Apple's position regarding Thunderspy, please refer to why has Apple not fixed Thunderspy [1]

MacOS

If you are running MacOS, your system is partially affected by Thunderspy. For recommendations on how to help protect your system, please refer to protections against Thunderspy.

Windows and Linux (Boot Camp)

Running Windows or Linux using the Boot Camp utility disables all Thunderbolt security. Therefore, your system is trivially affected by Thunderspy.


[Windows, Linux, MacOS, etc., users afaik that] have an affected system. How can I protect myself?

If you intend to use Thunderbolt connectivity, we strongly recommend to:
Connect only your own Thunderbolt peripherals. Never lend them to anybody.
Avoid leaving your system unattended while powered on, even when screenlocked.
Avoid leaving your Thunderbolt peripherals unattended.
Ensure appropriate physical security when storing your system and any Thunderbolt devices, including Thunderbolt-powered displays.
Consider using hibernation (Suspend-to-Disk) or powering off the system completely. Specifically, avoid using sleep mode (Suspend-to-RAM).
If you do not intend to use Thunderbolt, we strongly recommend to:
Disable the Thunderbolt controller entirely in UEFI (BIOS). Please note that this renders all Thunderbolt ports inoperable, including USB and DisplayPort connectivity. However, USB-C charging will most likely remain functioning.
Some systems exclusively provide Thunderbolt 3 ports for external connectivity, in which case the latter mitigation may not be practically feasible. For these systems, we recommend following the former recommendations on using Thunderbolt connectivity instead. ...”

[1] from same link: “ Why has Apple not fixed Thunderspy?

In our vulnerability disclosure procedure, Apple has stated the following:

"Some of the hardware security features you outlined are only available when users run macOS. If users are concerned about any of the issues in your paper, we recommend that they use macOS."

To verify whether your system is affected by Thunderspy, please refer to affected Apple Mac systems”

Finally, Misc. Thunderbolt info and cabling stuff from Apple
https://support.apple.com/en-us/HT207443


LouisMay 13, 2020 3:23 PM

"Having physical access" does not necessarily equate to *momentarily* having access, so this may actually seriously affect the threat model of the stolen laptop.

It no longer matters if you've shut down your laptop before leaving the office (vs leaving in sleep move). Also, safe boot and bitlocker with TPM modules won't help either.

A stolen laptop with Thunderbolt may end up being considered a compromised device and the data it stores disclosed.

MarkHMay 15, 2020 2:38 AM

@Ted:

I’m not as bright as most of you

... well actually, maybe brighter than most.

The saying goes that to a man whose only tool is a hammer, every problem looks like a nail.1

It's easy for "high tech" engineers to get lost in the weeds of in-kind countermeasures, and to forget the value of simpler precautions.

Your observation about increasing the required time of physical access is spot-on: depending on circumstances, that might be all that's needed.

There's no such thing as unbreakable security, and anybody who says "x is secure" or "y is insecure" -- without specifying the context -- either doesn't understand security engineering, or has become hypnotized by his own voice.

All we can realistically do in security engineering, is to increase the costs to the attacker (which may include risk of discovery). In some circumstances, tamper-evident tape may be of great security value.

1 A special U.S. version of this, is that to a man whose only tool is a wall, every problem looks like an invasion :(

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.