Bjorn Ruytenberg, a researcher at Eindhoven University in the Netherlands, identified a security flaw in the Thunderbolt port that could allow a hacker to break into a computer and access all of its data in a matter of minutes, even if the computer’s owner has taken security precautions.

“If your computer has such a port, an attacker who gets brief physical access to it can read and copy all your data, even if your drive is encrypted and your computer is locked or set to sleep,” Ruytenberg said in the report. He dubbed the hacking technique “Thunderspy.”

“Thunderspy is stealth, meaning that you cannot find any traces of the attack,” he said. The attack also does not require any engagement on the part of the computer’s user, unlike other types of attacks such as phishing.
Developed by Intel (INTC) in 2011, the Thunderbolt port enables fast data transfers. It is present on many PC and Apple laptops and — increasingly — some desktops. Although Intel recently developed a tool to address security concerns with the port, it isn’t available on computers manufactured before 2019.
Ruytenberg demonstrated the attack, which took just about five minutes, in a YouTube video published along with the report.

For its part, Intel says that if users take normal security precautions and don’t leave their computers somewhere a hacker could access them for even a few minutes — even if they have encrypted drives — they shouldn’t be too worried about this type of hack.

While the Thunderspy attack is technically possible on many computers with a Thunderbolt port, it requires that the hacker gains physical access to the computer for several minutes — enough time to unscrew the back panel of a laptop, plug in a device to the Thunderbolt and override security features, reattach the back of the laptop and then access the computer’s data.

Most people likely do not have valuable enough data on their computers for a hacker to want to carry out such a targeted attack. Even beyond Thunderspy, security experts have long warned of risks that could come from letting a hacker gain physical access to a computer.

A group of security researchers last year identified several vulnerabilities related to Thunderbolt ports. In response, Intel created a tool called Kernel Direct Memory Access (DMA) to mitigate such attacks, which was implemented into major operating systems from Windows, Linux and Mac in 2019, Jerry Bryant, Intel’s director of communications for product assurance and security, said in a blog post Sunday.

The underlying vulnerability identified by Ruytenberg’s Thunderspy technique is the same as those addressed by that mitigation tool, Byrant said in the post. The company added that Ruytenberg did not demonstrate successful attacks against machines with the DMA tool enabled.

However, Ruytenberg pointed out that systems released before 2019, as well as some newer systems without Kernel DMA protection enabled, could still be vulnerable to a Thunderspy attack. He released a free, open-source tool to help users determine whether their computers are at risk. Users can also contact their equipment manufacturers to see if Kernel DMA is enabled on newer devices.

“For all systems, we recommend following standard security practices, including the use of only trusted peripherals and preventing unauthorized physical access to computers,” Intel’s Bryant said. “As part of the Security-First Pledge, Intel will continue to improve the security of Thunderbolt technology.”

Source Article