Vulnerabilities discovered in the Thunderbolt connection standard could allow hackers to access the contents of a locked laptop’s hard drive within minutes.
The flaws allow an attacker to access data even when the machine is locked, and even when the drive is encrypted …
The vulnerabilities are present in all machines with Thunderbolt/Thunderbolt-compatible USB-C ports shipped between 2011 and 2020.
Although hackers need physical access to a Windows or Linux computer to exploit the flaws, they could theoretically gain access to all data in about five minutes even if the laptop is locked, password protected, and has an encrypted hard drive. The entire process can reportedly be completed with a series of off-the-shelf components costing just a few hundred dollars. Perhaps most worryingly, the researcher says the flaws cannot be patched in software, and that a hardware redesign will be needed to completely fix the issues.
The whole process takes about five minutes.
Björn Ruytenberg, the researcher who discovered the vulnerabilities, has posted a video showing how an attack is performed. In the video, he removes the backplate and attaches a device to the inside of a password-protected Lenovo ThinkPad laptop, disables its security, and logs in as though he had its password.
Nine ways to exploit them.
- Inadequate firmware verification schemes
- Weak device authentication scheme
- Use of unauthenticated device metadata
- Downgrade attack using backwards compatibility
- Use of unauthenticated controller configurations
- SPI flash interface deficiencies
- No Thunderbolt security on Boot Camp
There is no way to detect that a machine has been compromised.
Ruytenberg informed both Intel and Apple of his discoveries, but says that as the Thunderbolt security flaws are present in the controller chips, there is no way to fix the vulnerabilities via a software update.
If you intend to use Thunderbolt connectivity, we strongly recommend to: Connect only your own Thunderbolt peripherals; never lend them to anybody; avoid leaving your system unattended while powered on, even when screen is locked; avoid leaving your Thunderbolt peripherals unattended; ensure appropriate physical security when storing your system and any Thunderbolt devices, including Thunderbolt-powered displays; consider using hibernation (Suspend-to-Disk) or powering off the system completely. Specifically, avoid using sleep mode (Suspend-to-RAM).
To protect yourself, you should “avoid leaving your system unattended while powered on, even if screenlocked,” Ruytenberg wrote, avoid using sleep mode and ensure the physical security of your Thunderbolt peripherals.