A slew of seven vulnerabilities identified in the Thunderbolt port allow an attacker with physical access to the device to bypass all security, no matter the platform. They affect all laptops and computers built since 2011.
The vulnerabilities, known collectively as Thunderspy, were identified by security researcher Björn Ruytenberg, an MSc student in Computer Science and Engineering.
These are not your average hardware vulnerabilities, as they require considerable knowledge and some additional hardware. But once an attacker has all the software and hardware tools, any computer that features the Thunderbolt port and was built in the past nine years can be compromised, whether it runs Windows, Linux, or macOS.
“Thunderspy is stealth, meaning that you cannot find any traces of the attack,” says the researcher. “It does not require your involvement, i.e., there is no phishing link or malicious piece of hardware that the attacker tricks you into using.”
“Thunderspy works even if you follow best security practices by locking or suspending your computer when leaving briefly, and if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption. All the attacker needs is 5 minutes alone with the computer, a screwdriver, and some easily portable hardware.”
This attack is not merely theoretical: Ruytenberg developed nine scenarios in which bad actors could exploit these vulnerabilities. There’s even a short video showing how the security of a Windows system is bypassed.
Both Intel and Apple (Thunderbolt developer) were informed of the vulnerabilities. Intel said it was already aware of some of them, and Apple chose to do nothing about it because macOS was only partially vulnerable.
Intel notified a number of affected partners, and Apple simply said: “Some of the hardware security features you outlined are only available when users run macOS. If users are concerned about any of the issues in your paper, we recommend that they use macOS.”
The researcher also released a tool that tells people whether their hardware is affected by the vulnerabilities, and made it available on his website.