Thunderbolt ports on PCs – and to a lesser extent on Macs – can theoretically be used as an attack vector by cybercriminals to read data stored in RAM or to access data even when the target machine is locked.
The set of vulnerabilities in question, called "Thunderspy", was identified by researcher Björn Ruytenberg of Eindhoven University of Technology. Physical access to the machine is required for the attack, but it takes only a few minutes and leaves no traces. The machine can even be in standby and locked at the login screen.
An attacker who wants to access memory and other data must connect some accessories (costing around $400) to the Thunderbolt port; with these he can "clone" Thunderbolt devices that the system identifies as authorized.
In a video, Ruytenberg demonstrates the equipment and the system, used in combination with an SPI programmer that is easily found on the market. He explains that it is enough to unscrew the bottom cover of a notebook, connect a device temporarily, reprogram the firmware and reassemble the machine to get full access to the computer. The procedure can be completed in less than five minutes.
The researcher will present Thunderspy in detail at the Black Hat conference scheduled for the beginning of August. The attack makes it possible to obtain data stored on a PC even if it is protected by encryption or is normally inaccessible because of the login screen.
A year ago Intel developed a protection system called Kernel Direct Memory Access, which prevents the exploitation of some of the vulnerabilities used by Thunderspy. The problem concerns the BIOS of older machines; newer patches are already present against this vulnerability as well.
HP has told Wired that its PCs with Thunderbolt ports all integrate security mechanisms for DMA (Direct Memory Access) technology, managing what the port can read and write directly in the computer's RAM without having to involve the operating system.
At the operating system level, specific protection is provided in macOS 10.12.4 and later, Windows 10 1803 RS4 and the Linux 5.x kernel. Macs, in particular, are generally better protected, and only 2 of the 7 flaws can theoretically be used to complete attacks of this type: it is possible to "deceive" the system by connecting Thunderbolt devices that are not actually the ones the system believes it is dealing with, but they cannot access the contents of RAM.
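To check whether a Linux machine actually has the operating-system protection mentioned above, the following added example (not from the original article or from the researcher) reads the Thunderbolt attributes the kernel exposes in sysfs. The path `/sys/bus/thunderbolt/devices` and the `security` and `iommu_dma_protection` attributes are assumptions about the kernel interface, not details given on this page; the function names and verdict wording are hypothetical.

```python
from pathlib import Path

# Linux sysfs location of Thunderbolt domains (assumption: not named in the article).
SYSFS_THUNDERBOLT = Path("/sys/bus/thunderbolt/devices")

# Security levels in which PCIe tunneling, and therefore DMA, is not offered.
NO_PCIE_LEVELS = {"dponly", "usbonly", "nopcie"}


def read_attr(domain: Path, name: str) -> str:
    """Return a sysfs attribute as stripped text, or '' if absent or unreadable."""
    try:
        return (domain / name).read_text().strip()
    except OSError:
        return ""


def assess_domain(domain: Path) -> dict:
    """Classify one Thunderbolt domain by its exposure to DMA attacks."""
    level = read_attr(domain, "security") or "unknown"
    iommu = read_attr(domain, "iommu_dma_protection") == "1"
    if iommu:
        verdict = "protected: IOMMU DMA remapping active"
    elif level in NO_PCIE_LEVELS:
        verdict = "limited: PCIe tunneling disabled"
    elif level in {"user", "secure"}:
        # Authorization alone does not help if an authorized device is cloned.
        verdict = "at risk: relies on device authorization only"
    else:
        verdict = "exposed: no DMA protection reported"
    return {"domain": domain.name, "security": level,
            "iommu": iommu, "verdict": verdict}


def audit(root: Path = SYSFS_THUNDERBOLT) -> list:
    """Assess every domainN entry under root; empty list if there is no controller."""
    if not root.is_dir():
        return []
    return [assess_domain(d) for d in sorted(root.glob("domain[0-9]*"))]


if __name__ == "__main__":
    results = audit()
    if not results:
        print("No Thunderbolt domains found")
    for r in results:
        print(f"{r['domain']}: security={r['security']} "
              f"iommu={r['iommu']} -> {r['verdict']}")
```

A machine that reports only a `user` or `secure` level without IOMMU protection depends on device authorization, which is the mechanism the article says can be defeated with cloned devices.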
A few days ago Microsoft stated that it had not yet used the Thunderbolt 3 port on devices such as the Surface for security reasons. Among the protection measures provided by Apple in more recent computers are the additional T1 or T2 chips, which handle disk encryption.