Date: 2020-05-11

The Thunderbolt USB ports (usually recognizable by a lightning symbol), manufactured by Intel and found in equipment assembled by a multitude of manufacturers, suffer from a vulnerability that facilitates data theft even if the data is encrypted and the computer is locked or suspended, as revealed by Björn Ruytenberg, a researcher at the University of Eindhoven.

This new attack method, named Thunderspy, allows someone with physical access to a Thunderbolt-enabled PC that runs Windows or Linux and reached the market between 2011 and 2020 to gain full access to the computer's data by bypassing the login screen.

Fortunately, since 2019 some manufacturers have integrated Kernel Direct Memory Access (DMA) Protection, which partially protects their machines. However, other manufacturers, such as HP and Lenovo, subsequently released several computers lacking such protection.

Where the problem lies

An "evil maid attack" is one carried out by physically manipulating a device in the absence of its legitimate owner.

According to Ruytenberg, in this case

“All the ‘evil maid’ has to do is unscrew the back plate, briefly connect a device, take the opportunity to reprogram the firmware, reconnect the back plate, and voilà: the evil maid can have full access to the equipment [in less than minutes]”

Part of the problem lies in the Thunderbolt design itself: its strong point, faster data transfer to external devices, rests on a weak point, more direct access to the computer's memory, which opens the door to vulnerabilities.

Weeks ago, Microsoft explained that one of the reasons the Surface Book 3 did not include Thunderbolt 3 was security. Between February and March, Intel had confirmed up to 6 new vulnerabilities in Thunderbolt 3 connections, and all of them (deficiencies of the SPI flash interface, use of unauthenticated metadata, use of unauthenticated driver configurations, etc.) are exploited by Thunderspy.

How to prevent and detect danger

Ruytenberg will present the details of his research early next fall, during the Black Hat cybersecurity event. For now, though, there is no simple software-based fix: the only option is to disable the Thunderbolt port.

As a lesser evil, the researcher recommends that we avoid “leaving the PC unattended while it is on, even if it is locked”: if you cannot turn it off, it is better to hibernate it than to suspend it.

Software does offer, if not a vaccine, a detection method for the ‘asymptomatic’: to find out whether a PC is vulnerable to Thunderspy, the researchers have created an open-source tool called Spycheck, available for Windows and Linux systems.
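A Linux-side check for the mitigation mentioned above (Kernel DMA Protection), as an added example that is not Spycheck and does not come from the researchers. It assumes the kernel's Thunderbolt sysfs attributes `security` and `iommu_dma_protection` under `/sys/bus/thunderbolt/devices`; the verdict names are invented for this example.

```python
#!/usr/bin/env python3
# Added example: reads the Linux thunderbolt sysfs tree; it is not Spycheck.
import sys
from pathlib import Path

SYSFS_TB = Path("/sys/bus/thunderbolt/devices")  # assumed default sysfs location

def read_attr(path):
    """Return an attribute's stripped value, or None when it is not exposed."""
    try:
        return path.read_text().strip()
    except OSError:
        return None

def assess(root=SYSFS_TB):
    """One finding per Thunderbolt domain (controller) found under root."""
    root = Path(root)
    if not root.is_dir():
        return []
    findings = []
    for dom in sorted(root.glob("domain*")):
        iommu = read_attr(dom / "iommu_dma_protection")
        if iommu == "1":
            verdict = "dma-protected"  # Kernel DMA Protection: partial mitigation
        elif iommu == "0":
            verdict = "dma-exposed"    # kernel reports IOMMU not used for DMA protection
        else:
            verdict = "unknown"        # attribute missing, e.g. an older kernel
        findings.append({"domain": dom.name,
                         "security": read_attr(dom / "security") or "unknown",
                         "verdict": verdict})
    return findings

def summarize(findings):
    """Worst verdict wins; no domain means no active controller was found."""
    if not findings:
        return "no-domain"
    for level in ("dma-exposed", "unknown", "dma-protected"):
        if any(f["verdict"] == level for f in findings):
            return level

if __name__ == "__main__":
    results = assess()
    for f in results:
        print(f"{f['domain']}: security={f['security']} verdict={f['verdict']}")
    overall = summarize(results)
    print("overall:", overall)
    # Non-zero exit lets a fleet audit job flag machines needing attention.
    sys.exit(0 if overall in ("dma-protected", "no-domain") else 1)
```

A `no-domain` result means no Thunderbolt controller is visible to the kernel, which is what a port disabled in firmware looks like, but it can also mean the controller is powered down with nothing attached.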

