Dutch researcher Björn Ruytenberg has detailed nine attack scenarios that work against all computers with Thunderbolt shipped since 2011 and that allow an attacker with physical access to quickly steal data from encrypted drives and memory.

In a report published on Sunday, Ruytenberg warned that the attacks work even when users follow security best practice, such as locking an unattended computer, enabling Secure Boot, using strong BIOS and operating system account passwords, and enabling full disk encryption.


The technology is susceptible to this type of attack because the Thunderbolt controller, a PCIe device, has direct memory access (DMA), which can let an attacker access system memory through a connected peripheral.

Ruytenberg, however, says that Thunderspy differs from Thunderbolt, which depended on deceiving users into accepting a malicious device as a trusted one.

While all Thunderbolt-equipped computers are susceptible to Thunderspy, Intel says the attacks were mitigated at the operating-system level with Kernel Direct Memory Access (DMA) protection.


Intel says that Ruytenberg hasn’t shown successful DMA attacks on computers with DMA protection.

But Ruytenberg insists that Thunderspy “completely breaks” Intel’s Security Levels because Thunderbolt suffers from inadequate firmware verification, weak device authentication, and use of unauthenticated device metadata, and is susceptible to version downgrade attacks.

Thunderbolt also allows unauthenticated controller configurations and suffers from SPI flash interface flaws, while Thunderbolt security is entirely absent on Apple’s Boot Camp for running Windows 10 on a Mac.

In light of the Thunderspy flaws, Intel has advised people to use only trusted peripherals and to prevent unauthorized physical access to computers.

“In an evil-maid threat model and varying Security Levels, we demonstrate the ability to create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices, and finally obtain PCIe connectivity to perform DMA attacks,” Ruytenberg writes.

“In addition, we show unauthenticated overriding of Security Level configurations, including the ability to disable Thunderbolt security entirely, and restoring Thunderbolt connectivity if the system is restricted to exclusively passing through USB and/or DisplayPort.”

Intel has not assigned CVE identifiers to any of the Thunderspy vulnerabilities and does not plan to release fixes for systems already on the market.

“Despite our repeated efforts, the rationale to Intel’s decision not to mitigate the Thunderspy vulnerabilities on in-market systems remains unknown,” said Ruytenberg.

“Given the nature of Thunderspy, however, we believe it would be reasonable to assume these cannot be fixed and require a silicon redesign. Indeed, for future systems implementing Thunderbolt technology, Intel has stated they will incorporate additional hardware protections.”

