Incredible how you can steal data via Thunderbolt once you've taken the PC apart, attached a flash programmer, rewritten the firmware...

Full mitigation is buy a newer computer – or don't use suspend-to-RAM


It's possible to extract data from a computer via its Thunderbolt port – once you've got the case off, plugged in a flash programmer, and reprogrammed the controller's firmware to grant access.

This technique, dubbed Thunderspy, can be exploited even if the computer is locked or asleep, and can bypass disk encryption, and any BIOS or operating system-level passwords. It was found and documented by Björn Ruytenberg.

It does't matter if you use Windows, Linux, macOS, or whatever: the vulnerability lies at the hardware level, specifically inside Intel's Thunderbolt chipset present in millions of PCs built since 2011, including Apple Macs. And, if exploited just right, you may never know data was exfiltrated from your box as no trace of the theft would be left.

If you bought your computer last year, or more recently, a mechanism called Kernel DMA Protection made be present, which, we're told, partially mitigates Thunderspy. Intel has, according to Ruytenberg, said it will increase the security of its Thunderbolt controllers in future.

Before anyone blows up these findings, let's be frank: this is, for most people, more of a neat trick than infosec Armageddon. A miscreant would need to have physical access to the machine long enough to unscrew the case, attach an SPI flash programmer with an SOP8 clip to rewrite the Thunderbolt port controller's firmware to unlock access, and then attach a device to the interface to copy data via PCIe and DMA through the port, and then, if necessary, flash back the original firmware and fit the computer back together.

It's not good news if you thought disk encryption, sleep states, and passwords would prevent someone from siphoning your data after stealing or seizing your computer for even just a few minutes. It's not bad news if your threat model already assumed physical access was a game-over scenario. It's not something that can be exploited over the internet or network, or by malware running on your PC or Mac.

Below is a video of Thunderspy in practice:

Youtube Video

It's all possible because Intel's Thunderbolt controllers have a concept of security levels, which govern which devices are authorized to access the interface port, and that it is possible to rewrite the chipset firmware to lower the configured level to zero, so that any attached device is trusted. Thus, with security disabled, a miscreant can plug in a Thunderbolt device that copies the contents of memory via DMA and PCIe.

It's also possible, once you're inside the computer, to use Thunderspy to authorize additional Thunderbolt devices that can later be plugged in to extract data, or clone user-authorized devices to copy out information.

"Being PCIe-based, Thunderbolt devices possess Direct Memory Access (DMA)-enabled I/O," Ruytenberg said. "In an evil maid DMA attack, where adversaries obtain brief physical access to the victim system, Thunderbolt has been shown to be a viable entry point in stealing data from encrypted drives and reading and writing all of system memory."

"All Thunderbolt-equipped systems shipped between 2011-2020 are vulnerable," Ruytenberg continued, adding that the flaws can only be completely mitigated by redesigning and replacing the chips involved.

"Some systems providing Kernel DMA Protection, shipping since 2019, are partially vulnerable. The Thunderspy vulnerabilities cannot be fixed in software, impact future standards such as USB 4 and Thunderbolt 4, and will require a silicon redesign."

Ruytenberg said he privately tipped off Intel and Apple earlier this year about his findings, and the pair have so far declined to publicly commit to fixing the issue in already-shipped computers.

"Despite our repeated efforts, the rationale to Intel's decision not to mitigate the Thunderspy vulnerabilities on in-market systems remains unknown," he said. "Given the nature of Thunderspy, however, we believe it would be reasonable to assume these cannot be fixed and require a silicon redesign. Indeed, for future systems implementing Thunderbolt technology, Intel has stated they will incorporate additional hardware protections."

Apple argued macOS protects users, though Ruytenberg said the operating system only provides partial protection. To workaround the shortcomings on vulnerable systems, it's recommended you "ensure appropriate physical security when storing your system and any Thunderbolt devices, including Thunderbolt-powered displays," and "consider using hibernation (Suspend-to-Disk) or powering off the system completely. Specifically, avoid using sleep mode (Suspend-to-RAM)."

Intel has yet to respond to a request for comment. ®


Other stories you might like

  • VMware claims 'bare-metal' performance on virtualized GPUs
    Is... is that why Broadcom wants to buy it?

    The future of high-performance computing will be virtualized, VMware's Uday Kurkure has told The Register.

    Kurkure, the lead engineer for VMware's performance engineering team, has spent the past five years working on ways to virtualize machine-learning workloads running on accelerators. Earlier this month his team reported "near or better than bare-metal performance" for Bidirectional Encoder Representations from Transformers (BERT) and Mask R-CNN — two popular machine-learning workloads — running on virtualized GPUs (vGPU) connected using Nvidia's NVLink interconnect.

    NVLink enables compute and memory resources to be shared across up to four GPUs over a high-bandwidth mesh fabric operating at 6.25GB/s per lane compared to PCIe 4.0's 2.5GB/s. The interconnect enabled Kurkure's team to pool 160GB of GPU memory from the Dell PowerEdge system's four 40GB Nvidia A100 SXM GPUs.

    Continue reading
  • Nvidia promises annual updates across CPU, GPU, and DPU lines
    Arm one year, x86 the next, and always faster than a certain chip shop that still can't ship even one standalone GPU

    Computex Nvidia's push deeper into enterprise computing will see its practice of introducing a new GPU architecture every two years brought to its CPUs and data processing units (DPUs, aka SmartNICs).

    Speaking on the company's pre-recorded keynote released to coincide with the Computex exhibition in Taiwan this week, senior vice president for hardware engineering Brian Kelleher spoke of the company's "reputation for unmatched execution on silicon." That's language that needs to be considered in the context of Intel, an Nvidia rival, again delaying a planned entry to the discrete GPU market.

    "We will extend our execution excellence and give each of our chip architectures a two-year rhythm," Kelleher added.

    Continue reading
  • Amazon puts 'creepy' AI cameras in UK delivery vans
    Big Bezos is watching you

    Amazon is reportedly installing AI-powered cameras in delivery vans to keep tabs on its drivers in the UK.

    The technology was first deployed, with numerous errors that reportedly denied drivers' bonuses after malfunctions, in the US. Last year, the internet giant produced a corporate video detailing how the cameras monitor drivers' driving behavior for safety reasons. The same system is now apparently being rolled out to vehicles in the UK. 

    Multiple camera lenses are placed under the front mirror. One is directed at the person behind the wheel, one is facing the road, and two are located on either side to provide a wider view. The cameras are monitored by software built by Netradyne, a computer-vision startup focused on driver safety. This code uses machine-learning algorithms to figure out what's going on in and around the vehicle.

    Continue reading
  • AWS puts latest homebrew ‘Graviton 3’ Arm CPU in production
    Just one instance type for now, but cheaper than third-gen Xeons or EPYCs

    Amazon Web Services has made its latest homebrew CPU, the Graviton3, available to rent in its Elastic Compute Cloud (EC2) infrastructure-as-a-service offering.

    The cloud colossus launched Graviton3 at its late 2021 re:Invent conference, revealing that the 55-billion-transistor device includes 64 cores, runs at 2.6GHz clock speed, can address DDR5 RAM and 300GB/sec max memory bandwidth, and employs 256-bit Scalable Vector Extensions.

    The chips were offered as a tech preview to select customers. And on Monday, AWS made them available to all comers in a single instance type named C7g.

    Continue reading
  • Beijing reverses ban on tech companies listing offshore
    Announcement comes as Chinese ride-hailing DiDi Chuxing delists from NYSE under pressure

    The Chinese government has announced that it will again allow "platform companies" – Beijing's term for tech giants – to list on overseas stock markets, marking a loosening of restrictions on the sector.

    "Platform companies will be encouraged to list on domestic and overseas markets in accordance with laws and regulations," announced premier Li Keqiang at an executive meeting of China's State Council – a body akin to cabinet in the USA or parliamentary democracies.

    The statement comes a week after vice premier Liu He advocated technology and government cooperation and a digital economy that supports an opening to "the outside world" to around 100 members of the Chinese People's Political Consultative Congress (CPPCC).

    Continue reading

Biting the hand that feeds IT © 1998–2022