All you need to know about preventing adversaries from exploiting the recently disclosed vulnerabilities in the Thunderbolt interface
In May 2020, Björn Ruytenberg, a computer security researcher at the Eindhoven University of Technology in the Netherlands, announced the discovery of Thunderspy, a series of vulnerabilities in the Thunderbolt technology and interrelated scenarios for changing – including disabling – the security level of the Thunderbolt interface on a computer and allowing an adversary with physical access to it to copy data off of it, even if full disk encryption (FDE) is used and the machine is locked with a password or sleeping in low-power mode.
While Ruytenberg’s research has (quite deservedly) received publicity because of its novel attack vector, not much has been said about how to protect against Thunderspy, or even determine whether you have been a victim. In this article, we will explore practical methods to defend against it, as well as anti-tamper steps that can help ascertain if a computer has been physically compromised.
Note: Attacks such as those described by Ruytenberg are both highly-targeted and very rare compared to the types of attacks reported by ESET’s telemetry on a daily basis, and can sound like something out of a spy novel. Although this may represent a realistic threat to, say, 0.001% of computer users with over 100 million people trusting our software on a daily basis, that is still over 1,000 potential victims. For those people, following some of the admittedly draconian recommendations in this article can help reduce that risk. Regardless of your risk level, we hope you will find this information to be of use.
Figure 1. Two Thunderbolt 3 ports on a MacBook Pro
Thunderbolt is an interface for allowing high-speed connections between computers and peripherals such as external RAID arrays, cameras, high-resolution displays, multi-gigabit network connections, and expansion docks and cages for external video cards. Originally developed by Intel and Apple, it first appeared in the 2011 release of Apple’s MacBook Pro notebook computers. It was followed by Thunderbolt 2 in 2013, and Thunderbolt 3 in 2016.
Table 1. List of Thunderbolt releases
The technology that enables these types of high-speed connections between computers and peripherals is Direct Memory Access (DMA). Simply put, DMA allows peripherals to read and write directly to any location in a computer’s memory, bypassing CPU management overhead and delays while the CPU processes other interrupts and I/O requests, greatly speeding up the transfer of data. In this case, DMA is something of a two-edged sword: If the interface channel using DMA is not secured, there is the possibility for memory to be read from or written to in ways that impact the confidentiality, integrity or availability of information stored in it.
Understand that this does not mean that Thunderbolt technology, or utilizing DMA for transfers, is inherently insecure, but rather that the risks involved need to be carefully examined and modeled in order to defend against possible attacks. The use of DMA in PCs dates back to the design of the original IBM PC released in 1981 and may have been present in earlier computer designs as well. PCs have had several DMA interfaces over the years, from expansion cards like ISA, EISA, PCI, PCIe and VLB, floppy diskette and hard disk drive controllers, CardBus and ExpressCard on notebook computers, and so forth. DMA is a robust technique and one that can be implemented with security checks and balances.
If any of this sounds vaguely familiar, you may recall a WeLiveSecurity article from 2011, Where there’s Smoke, there’s FireWire, discussing DMA abuse using FireWire (IEEE-1394) interfaces in both PCs and Macs. And, it should be noted, there are other kinds of attacks on hardware as well, such as 2015’s Thunderstrike, which targeted the EFI ROM in Macs, and 2018’s Meltdown and Spectre speculative execution vulnerabilities in CPUs.
For an introduction to Thunderspy attacks, read the Thunderbolt flaws open millions of PCs to physical hacking on WeLiveSecurity. If you have not read that article, I strongly encourage you to read it before proceeding. With that proviso in mind, let’s look at the threat model for Thunderspy, what are realistic targets for an attacker, and perhaps most importantly, realistic defenses against those.
Ruytenberg provides two proofs of concept (sample code) for Thunderspy that accomplish two different tasks:
The first cloning attack is like thieves who steal a key to a lock and then copy it. Afterwards, they can use the copied key repeatedly to open that lock. The second attack is a form of “bricking” a chip. In this case, disabling Thunderbolt’s security levels and then write-protecting the changes made so they cannot be undone.
Cloning requires plugging custom Thunderbolt hardware into the target computer and/or disassembling the target computer in order to attach an SPI programmer to the Thunderbolt chip’s SPI flash ROM chip cabled to an SOIC clip adapter. Bricking the chip requires use of the SPI programmer and cable clip adapter, too.
Additional attack scenarios require running software and/or obtaining information about firmware versions on the target computer.
In case it is not clear from the description above, these types of attacks are not done simply, since actual in-person access to the computer is required, along with the tools to disassemble the physical computer, attach the logic programmer, read the firmware from the SPI flash ROM chip, disassemble and modify its instructions, and write it back to the chip. All without the computer owner noticing this has occurred (and, of course, not accidentally damaging the computer in the process).
Because of the time and complexity of this type of activity, it is known as an “evil maid attack,” a type of attack first described by computer security researcher Joanna Rutkowska. As envisioned, it implies the attacker entering a hotel room while the victim is not present and using a USB implant to exploit the computer. While such attacks may seem more like science fiction than science fact, physical wiretaps requiring an on-site visit were a common investigative technique before telephone networks changed from circuit-switched to packet-switched networks that could be tapped on the backbone, so there is historical precedent going back decades.
So, with an understanding of the background and how attacks are performed: who exactly could be the victims of Thunderspy-based attacks? Some of these would be high-value targets, who are pursued by nation-state intelligence or law enforcement agencies, either through their own tooling or that purchased from defense contractors or other members of the “lawful interception” ecosystem, but that may not always be the case. The motive might be a commercial one, such as industrial espionage.
Figure 2. Laptop dock with a Thunderbolt 3 port
In the past, high-value targets have included such disparate groups as aerospace, energy, journalism, military, and political sectors, all victimized by highly determined adversaries. Attacks can target any market sector and occupation, though, and not only company executives: engineers, administrative personnel and even frontline employees may be targets of opportunity. While those may seem like very unrelated groups of industries and people, they have all been targeted by highly determined adversaries, and are often the first to be exposed to advanced persistent threats, zero-day attacks and so forth. ESET researchers have described several of these attacks here on WeLiveSecurity.
But not all targets may be globe-trotting executives who leave their laptops in their hotel rooms when they go out for dinner. An unsecured computer anywhere on a company’s network may be a point of ingress for an attacker. Consider the following scenarios:
In some instances, it may be possible to come up with a pretext to get a receptionist or cashier to leave a computer unattended for enough time to plug in a device, although additional work may need to be done in multiple stages, requiring the adversary’s personnel to make more than one visit in order to identify computers, routes and best times to perform the attack and obtain any additional information from the target site needed for successful execution. In other cases, such as that of e-voting machines, one would normally expect to be left uninterrupted and unattended while using the device to vote.
A special case is journalists, as well as employees of NGOs and businesses, who may travel into areas with authoritarian regimes or countries known for commercial espionage. These people may not be able to deny a request by the government to hand over their equipment for a security check. In case you have employees in this situation (or are in that situation yourself), you should only travel with equipment that is “burnable”: it should contain only the minimum amount of information needed for that specific trip. As soon as you return, any devices should be considered completely compromised and not be used again. Also, any accounts used from the devices should have their passwords changed immediately upon return, and two-factor authentication reset and re-authorized.
To defend against hardware attacks requiring physical access to the system, you first need to determine the threat model that applies. In each of the examples given above, the level of exposure and opportunity to an attacker is going to vary greatly. It is also important to decide whether the goal of the defender is to protect against an attack or make evident that a physical attack occurred.
With those in mind, let us look at how one could defend against each of the above scenarios:
Figure 3. Thunderbolt 3 cable connected to a laptop
Additionally, the physical security of a stationary computer can be augmented by physical security systems in the office using cameras, motion sensors, alarms and other features. It may not be possible to take these types of steps in all scenarios – especially in high-traffic areas, or if computers need to be periodically moved, and so forth. It is still possible to come up with methods to increase the amount of time it takes for an adversary to gain physical access to a computer’s internals, or to make the tampering more apparent:
NOTE: Links given in the bullet points above are for representative purposes only, and not a recommendation by ESET for a specific brand, company or service.
Methods such as these may also be cost-prohibitive depending upon the number of computers the defender has to protect, and the budget. If you cannot deter the adversaries or increase the amount of effort it takes for them to perform a physical attack, you may at least be able to make a physical attack more readily identifiable through tamper detection mechanisms:
Aside from physical anti-tamper mechanisms, look into steps you can take to make the computer’s firmware and software more secure.
Figure 4. Message announcing a firmware update for a computer’s Thunderbolt controller
Here are a few general steps to start with:
It may not be possible to stop truly determined adversaries, particularly if you are an individual or small organization and they have the resources of a large corporation or even a nation-state. But what you can do is make it harder for their attacks to succeed, and possibly inform you that an attack was attempted.
Attacks such as Thunderspy are the province of sophisticated and determined adversaries, and most people will never be exposed to such a threat in their lifetimes.
If you are one of the unlucky few who might be targeted, defending against such attacks means not just taking the practical approaches outlined above, but understanding why the adversary has targeted you in the first place, and what you may be able to determine about them from previous attacks they have performed.
Trying to understand the threat posed by that adversary is the first step to defending against them. In order to start answering that, start by determining what their goal is. A determined adversary may, for example, target a freelance journalist and an election voting system. The underlying reason for those attacks may be the same, and they may or may not involve using similar or shared resources. However, the mechanics of deploying the attack may be very different.
The capabilities and resources of the defender can vary greatly, as well. To look at the examples above, an individual is going to have significantly fewer capabilities than a government agency if both are being targeted. Thus, their abilities to protect their computing devices are likely going to not just vary, but vary dramatically.
The attacks discussed in Ruytenberg’s Thunderspy research are for Thunderbolt 3 and earlier, but it is important to note that it may be too late in the design cycle of Thunderbolt 4 (and USB 4.0, which is derived from Thunderbolt 3) for manufacturers to completely implement protections against Ruytenberg’s attacks. The Thunderspy attacks may not be completely mitigated in Thunderbolt 4 until that technology is refreshed and in its second generation. This does not necessarily mean that you should skip the initial first generation of Thunderbolt 4 technology because it might be insecure; it should, in fact, be more secure than current versions of Thunderbolt 3. It does, however, mean that you should already be planning ahead to replace those devices if and when a more secure version of Thunderbolt 4 (or its successor) arrives.
Special thanks to my colleagues Tony Anscombe, Microslav Babiš, Petr Blažek, Jean-Ian Boutin, Bruce P. Burrell and Kim Schulz, Nick FitzGerald, Matej Lupták, Tomáš Materna, Kirk Parker, and Tomáš Štefunko for their help with this article.