A security researcher from the Eindhoven University of Technology, Björn Ruytenberg announced that there are vulnerabilities discovered in the Thunderbolt connection standard that could allow hackers to access the contents of a locked laptop within minutes. This not only referred to Windows computers, but also Apple Macs with Boot Camp installs of Windows and Linux.
A YouTube video posted by the same researcher also detailed how a hacker could get access to a locked Lenovo P1 as an example. He only needed a few minutes of physical access to the locked laptop, as well as “some easily portable hardware” to bypass a computer’s security mechanisms—even if it’s locked and its hard drive is encrypted. He named the vulnerability “Thunderspy”.
“Thunderspy targets devices with a Thunderbolt port. If your computer has such a port, an attacker who gets brief physical access to it can read and copy all your data, even if your drive is encrypted and your computer is locked or set to sleep,” wrote Ruytenberg.
The process involves unscrewing the backplate of the laptop, interfacing with the Thunderbolt controller with a single-board computer, rewriting the controller firmware and disabling security features. As a result, Ruytenberg was able to bypass the password lock screen on the device in just five minutes.
While this vulnerability can’t be successfully done if you’re careful with where you put your laptop, there can be what security experts call an “evil maid attack”. The attack refers to the types of hacking that require physical access to a device, like a laptop left alone in a hotel room.
How Thunderspy affects Macs
The vulnerability, which is un-patchable by software, affects all Thunderbolt-equipped PCs manufactured before 2019. As for Macs, they are only “partially affected”. This means that hackers wouldn’t be able to get access Macs as long as a user is running macOS instead of Windows or Linux via Boot Camp. Macs running Windows or Linux on Boot Camp, however, are just as vulnerable as other PCs.
“Running Windows or Linux using the Boot Camp utility disables all Thunderbolt security. Therefore, your system is trivially affected by Thunderspy,” said Ruytenberg.
In Ruytenberg’s vulnerability disclosure procedure, Apple has also stated that some of the hardware security features Ruytenberg outlined are only available when users run macOS. If users are concerned about any of the issues in his paper, they recommend that people use macOS.
How do you check to determine if your system is vulnerable?
Ruytenberg has made available a free and open-source tool, Spycheck to determine if your system is vulnerable. If it is found to be vulnerable, the tool can guide you to recommendations on how to help protect your system.
“We have found 7 vulnerabilities in Intel’s design and developed 9 realistic scenarios how these could be exploited by a malicious entity to get access to your system, past the defences that Intel had set up for your protection,” he wrote. You can read more information about Spycheck here.
Ultimately, Ruytenberg says that the only way for users to fully prevent against such an attack is for them to disable their computer’s Thunderbolt ports in their machine’s BIOS, enable hard drive encryption, and turn off their computer when leaving it unattended. And while most macOS users are largely safe from the vulnerability, it’s still a good idea to avoid plugging in untrusted peripherals or storage devices.
We also previously reported that Microsoft decided against including Thunderbolt support due to the susceptibility of having a “direct memory access port”.