ThunderSpy: Thunderbolt 3 vulnerabilities

Security researchers have just disclosed vulnerabilities in the Thunderbolt 3 connector that can be used to spy on devices. They provided tools to check Linux and Windows systems for these vulnerabilities.


I became aware of the existing vulnerabilities by reading the following tweet. On the website, Björn Ruytenberg reports on vulnerabilities he found in the Thunderbolt 3 connection.

The security researchers from his team have discovered 7 vulnerabilities in Intel's design that compromise the security of devices with Thunderbolt connections. The researchers have found 9 realistic scenarios that could be exploited to gain access to a system, whether or not it has defenses that Intel has put in place to protect the Thunderbolt interface.

Proof of Concept

The security researchers have developed a free and open source tool, Spycheck. This tool can be used to determine whether a system is vulnerable. If a system is found to be vulnerable, Spycheck provides recommendations on how to protect the system. The video below demonstrates the attack.

(Source: YouTube)


Access to all data

Thunderspy targets devices with a Thunderbolt connection. If a computer has such a port, an attacker who gains temporary physical access to it can read and copy any data on that system, even if the drives on the system are encrypted and the computer is locked or hibernated.

Thunderspy is stealthy, which means that users will not find traces of the attack later. It also does not require user involvement to perform the attack. This means that no phishing links or malicious hardware are required to execute the attack. Access to the system is sufficient. Even a locked or hibernated system with Secure Boot, strong BIOS and operating system account passwords, and full hard disk encryption is not protected against data theft. All the attacker needs, according to the security researchers, is 5 minutes alone with the computer, a screwdriver and a little hardware.

Details and countermeasures

Ruytenberg discloses further information on these vulnerabilities on this website. The vulnerabilities affect Thunderbolt connections that were delivered by various manufacturers (including Apple) between 2011 and 2020. The website also contains test tools for Linux and Windows to check whether these systems are affected by the vulnerabilities.

Those who are affected can only protect themselves by keeping the device under their own control at all times, always shutting it down completely (so that the protection via Secure Boot with passwords works) and, if necessary, deactivating the Thunderbolt controller. This can be seen from the information published on the website. Even the Kernel DMA Protection integrated in Windows 10 often does not help because, according to this Wired article, the necessary UEFI modifications are not implemented in most systems.
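The following is an added example, not part of the original article and not the researchers' Spycheck tool: a minimal Linux check that reads the Thunderbolt driver's sysfs attributes `security` and `iommu_dma_protection` for each controller domain. The temporary directory tree it falls back to is constructed sample data.

```python
import tempfile
from pathlib import Path

SYSFS = Path("/sys/bus/thunderbolt/devices")  # Linux Thunderbolt bus in sysfs

def read_attr(path):
    """Return the stripped attribute value, or None if the file is absent."""
    try:
        return path.read_text().strip()
    except OSError:
        return None

def audit(root=SYSFS):
    """Report security level and IOMMU DMA protection per controller domain."""
    root = Path(root)
    results = []
    for dom in (sorted(root.glob("domain*")) if root.is_dir() else []):
        level = read_attr(dom / "security")
        dma = read_attr(dom / "iommu_dma_protection") == "1"
        findings = []
        if level == "none":
            findings.append("security level 'none': no user approval of devices")
        if not dma:
            findings.append("Kernel DMA protection not reported as active")
        results.append({"domain": dom.name, "security": level,
                        "dma_protection": dma, "findings": findings})
    return results

def constructed_sysfs():
    """Build a constructed sysfs tree (sample data, not from a real machine)."""
    root = Path(tempfile.mkdtemp())
    for name, level, dma in (("domain0", "user", "0"), ("domain1", "secure", "1")):
        (root / name).mkdir()
        (root / name / "security").write_text(level + "\n")
        (root / name / "iommu_dma_protection").write_text(dma + "\n")
    (root / "0-0").mkdir()  # device entry, not a domain; must be ignored
    return root

if __name__ == "__main__":
    report = audit()
    if not report:
        print("No Thunderbolt domains visible; using constructed sample data")
        report = audit(constructed_sysfs())
    for r in report:
        status = "; ".join(r["findings"]) or "no findings from sysfs"
        print(f"{r['domain']}: security={r['security']} "
              f"dma_protection={r['dma_protection']} -> {status}")
```

A result without findings only describes the configured state; as the article notes, keeping the device under physical control remains the primary countermeasure.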

Intel is slow to respond

Ruytenberg informed Intel about five vulnerabilities as early as 10 March 2020. Later, a sixth vulnerability was reported to Intel; Intel confirmed on 17 March that it was a vulnerability.

In the first e-mail, Ruytenberg asked Intel to immediately notify the parties concerned in consultation with him. However, Intel did not take action and, after several e-mails, only listed 5 parties that it would inform. The security researcher followed up and then sent Intel a list of other parties he had identified as affected. These included 11 OEMs/ODMs and the Linux kernel security team. Finally, Intel announced that on 25 March it had informed some parties of the vulnerabilities and the upcoming disclosure. Intel did not disclose details of what information was released to whom. Some manufacturers had apparently still not been informed by Intel. Finally, the security researcher informed Apple about the seventh vulnerability on April 17.
