THUNDERSPY

In February 2020, researchers from Eindhoven University of Technology reached out to Intel with a report on Thunderbolt™, which they refer to as “Thunderspy”. In their report, they discussed issues related to invasive physical attacks on Thunderbolt™ hosts and devices. While the underlying vulnerability is not new and was addressed in operating system releases last year, the researchers demonstrated new potential physical attack vectors using a customized peripheral device on systems that did not have these mitigations enabled.

In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally accessible PCIe ports (e.g., Thunderbolt™ 3 ports and CFexpress). In Windows 10 version 1903, Microsoft expanded the Kernel DMA Protection support to cover internal PCIe ports (e.g., M.2 slots).

The demonstration machine is a Lenovo ThinkPad P1. Such machines are available with displays up to 3840×2160, up to 64 GB of memory and Quadro graphics.

Using a low-cost clip connector attached to the BIOS chip, the chip's contents can be read, manipulated and restored. The result is that the machine is vulnerable. Clearly a complete redesign of Thunderbolt is needed, and securing the ROM and the interface will take time. See the report: Breaking Thunderbolt Protocol Security: Vulnerability Report.

Years ago, BIOS problems with older Lenovo machines were handled by copying the ROMs, modifying them, removing all of the restrictions and even adding more memory speeds. UEFI on the Lenovo X230 locked the machine against fixing the whitelist, but the machine is otherwise not problematic.

Microsoft’s official security guidance recommends disabling sleep mode while using BitLocker. Using hibernation in place of sleep mode turns the device off, mitigating potential risks of attack on encrypted data.
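
One way to audit a machine against the sleep and hibernation recommendation above is sketched below. It is an added example, not part of the original article. It assumes an elevated PowerShell session, English-language `powercfg` output and the built-in BitLocker module. The `-Apply` switch and the output property names are hypothetical names chosen for this sketch.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell.
# Assumes English powercfg output; -Apply is a hypothetical switch for this sketch.
param([switch]$Apply)   # without -Apply the script only reports

# 1. Is the OS volume actually protected by BitLocker?
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$bitlockerOn = ($vol.ProtectionStatus -eq 'On')

# 2. Which sleep states does the system currently offer?
$text = (powercfg /a | Out-String)
# Everything before the "not available" heading lists the usable states.
$available = ($text -split 'not available')[0]
$standbyAvailable   = $available -match 'Standby'
$hibernateAvailable = $available -match 'Hibernate'

# 3. Report. The risky combination is BitLocker on with standby still usable:
#    a sleeping machine stays powered instead of being turned off.
[pscustomobject]@{
    Volume             = $vol.MountPoint
    BitLockerOn        = $bitlockerOn
    StandbyAvailable   = $standbyAvailable
    HibernateAvailable = $hibernateAvailable
    NeedsAttention     = ($bitlockerOn -and $standbyAvailable)
}

# 4. Optionally move the defaults from sleep to hibernate.
if ($Apply) {
    powercfg /hibernate on                   # make sure hibernation exists
    powercfg /change standby-timeout-ac 0    # never auto-sleep on AC power
    powercfg /change standby-timeout-dc 0    # never auto-sleep on battery
    # Lid, power button and sleep button: value 2 means "Hibernate".
    foreach ($action in 'LIDACTION', 'PBUTTONACTION', 'SBUTTONACTION') {
        powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS $action 2
        powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS $action 2
    }
    powercfg /setactive SCHEME_CURRENT       # re-apply the edited scheme
    # This changes defaults only: a user can still choose Sleep manually,
    # so managed fleets should enforce the setting through policy.
}
```

Kernel DMA Protection is not checked by this script. Its state appears as the "Kernel DMA Protection" entry in the System Summary of System Information (`msinfo32`).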