As many as seven security flaws have been discovered that affect computers with Thunderbolt ports. Machines made from 2011 all the way through 2020 are at risk, including modern Macs.
Security researcher Björn Ruytenberg found the vulnerabilities that can potentially expose data even when a computer is locked and its storage encrypted.
Even worse, there’s no way to know whether a machine has been compromised and accessed thanks to this issue.
Thunderspy is stealthy: it leaves no traces of the attack. It requires no involvement from the victim, i.e., there is no phishing link or malicious piece of hardware that the attacker tricks you into using. Thunderspy works even if you follow best security practices such as locking or suspending your computer when leaving briefly, and even if the device has been set up with Secure Boot, strong BIOS and account passwords, and full disk encryption. All it takes is 5 minutes alone with the computer, a screwdriver, and some easily portable hardware.
All of that means that there are as many as nine different potential scenarios that could lead to data being collected.
These vulnerabilities lead to nine practical exploitation scenarios. Within its threat model and across the Thunderbolt Security Levels, the research demonstrates the ability to create arbitrary Thunderbolt device identities, to clone user-authorized Thunderbolt devices, and finally to obtain PCIe connectivity for DMA attacks. It also shows unauthenticated overriding of Security Level configurations, including the option to disable Thunderbolt security entirely, and restoring Thunderbolt connectivity if the system is restricted to passing through only USB and/or DisplayPort. Finally, it demonstrates the ability to permanently disable Thunderbolt security and block all future firmware updates.
However, it appears that Intel and its partners were already aware of the vulnerabilities and had already patched them in versions of Windows 10, macOS, and Linux. According to Intel, the research carried out and reported on today does not show a machine being compromised when this mitigation is in place.
In 2019, the main operating systems added Kernel Direct Memory Access (DMA) protection to mitigate attacks such as these: Windows (Windows 10 1803 RS4 and later), Linux (kernel 5.x and later), and macOS (macOS 10.12.4 and later). The DMA attack demonstration was not successful against systems with these mitigations enabled. Check with your system manufacturer to find out whether your system has these mitigations incorporated.
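On Linux, the kernel itself reports what the paragraph above tells you to ask your manufacturer about. The script below is an added example, not code from the article or from the Thunderspy researchers: it reads two sysfs attributes the Thunderbolt driver exposes per domain (`security`, the Thunderbolt Security Level, and `iommu_dma_protection`, which is `1` when the kernel applies IOMMU-based DMA protection to external PCIe devices) and classifies each domain. The attribute names are the documented kernel ones; the status words (`PROTECTED`, `RESTRICTED`, `EXPOSED`, `ABSENT`) and the function names are this example's own. The demonstration at the end runs against a constructed fake sysfs tree so it works offline; on a real machine, call `tb_audit` with no argument to read `/sys`.

```shell
#!/bin/sh
# Added example (not from the article): classify Linux Thunderbolt domains by
# the sysfs attributes the kernel exposes. Assumed attribute names, from the
# kernel's sysfs-bus-thunderbolt ABI documentation:
#   <domain>/security              security level: none, user, secure,
#                                  dponly, usbonly or nopcie
#   <domain>/iommu_dma_protection  "1" when IOMMU DMA protection applies to
#                                  external PCIe devices (the 2019 mitigation)

# Print one status word for a domain directory; return 0 only when the IOMMU
# is protecting against DMA from a plugged-in device.
#   PROTECTED   Kernel DMA protection active
#   RESTRICTED  PCIe tunnelling disabled by policy, but no IOMMU protection;
#               the article notes Thunderspy can override such restrictions
#   EXPOSED     PCIe tunnelling allowed and no IOMMU protection
#   ABSENT      attributes missing: not a Thunderbolt domain, or an old kernel
tb_domain_status() {
    domain="$1"
    if [ ! -r "$domain/security" ]; then
        echo ABSENT
        return 1
    fi
    security=$(cat "$domain/security")
    iommu=0
    if [ -r "$domain/iommu_dma_protection" ]; then
        iommu=$(cat "$domain/iommu_dma_protection")
    fi
    if [ "$iommu" = "1" ]; then
        echo PROTECTED
        return 0
    fi
    case "$security" in
        dponly|usbonly|nopcie) echo RESTRICTED ;;
        *)                     echo EXPOSED ;;
    esac
    return 1
}

# Walk every Thunderbolt domain under a sysfs root (default /sys), printing
# one line per domain. Returns 0 only when every domain is PROTECTED,
# 1 when at least one is not, 2 when no domains were found at all.
tb_audit() {
    root="${1:-/sys}"
    rc=0
    found=0
    for d in "$root"/bus/thunderbolt/devices/domain*; do
        [ -d "$d" ] || continue
        found=1
        status=$(tb_domain_status "$d") || rc=1
        printf '%s: security=%s status=%s\n' "$(basename "$d")" \
            "$(cat "$d/security" 2>/dev/null || echo '?')" "$status"
    done
    if [ "$found" -eq 0 ]; then
        echo "no Thunderbolt domains found under $root"
        return 2
    fi
    return $rc
}

# Constructed demonstration tree (not real hardware): domain0 has the IOMMU
# mitigation in place, domain1 is left at "user" level without it.
make_fake_sysfs() {
    fake_root=$(mktemp -d)
    mkdir -p "$fake_root/bus/thunderbolt/devices/domain0" \
             "$fake_root/bus/thunderbolt/devices/domain1"
    echo user > "$fake_root/bus/thunderbolt/devices/domain0/security"
    echo 1    > "$fake_root/bus/thunderbolt/devices/domain0/iommu_dma_protection"
    echo user > "$fake_root/bus/thunderbolt/devices/domain1/security"
    echo 0    > "$fake_root/bus/thunderbolt/devices/domain1/iommu_dma_protection"
    echo "$fake_root"
}

# Run the demonstration unless the caller opts out (TB_AUDIT_DEMO=0).
if [ "${TB_AUDIT_DEMO:-1}" = 1 ]; then
    fake=$(make_fake_sysfs)
    tb_audit "$fake" || echo "at least one domain is not protected"
    rm -rf "$fake"
fi
```

The `RESTRICTED` class is kept separate from `PROTECTED` on purpose: the article reports that Thunderspy can restore Thunderbolt connectivity on a system limited to USB or DisplayPort pass-through, so a policy restriction alone is weaker evidence than an active IOMMU.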
Ultimately, this leads us to the same advice we always give in these situations: make sure that you’re running the latest version of macOS, Windows 10, or Linux available for your particular setup, and if it doesn’t meet the level outlined by Intel, consider upgrading.