All you need to know about preventing adversaries from exploiting the recently disclosed vulnerabilities in the Thunderbolt interface
In May 2020, Björn Ruytenberg, a computer security researcher at the Eindhoven University of Technology in the Netherlands, announced the discovery of Thunderspy, a series of vulnerabilities in the Thunderbolt technology and interrelated scenarios for changing – including disabling – the security level of the Thunderbolt interface on a computer and allowing an adversary with physical access to it to copy data off of it, even if full disk encryption (FDE) is used and the machine is locked with a password or sleeping in low-power mode.
While Ruytenberg’s research has (quite deservedly) received publicity because of its novel attack vector, not much has been said about how to protect against Thunderspy, or even determine whether you have been a victim. In this article, we will explore practical methods to defend against it, as well as anti-tamper steps that can help ascertain if a computer has been physically compromised.
Thunderbolt is an interface for allowing high-speed connections between computers and peripherals such as external RAID arrays, cameras, high-resolution displays, multi-gigabit network connections, and expansion docks and cages for external video cards. Originally developed by Intel and Apple, it first appeared in the 2011 release of Apple’s MacBook Pro notebook computers. It was followed by Thunderbolt 2 in 2013, and Thunderbolt 3 in 2016.
Table 1. List of Thunderbolt releases
|Generation||Released||Intel Controller||Connector type||Speed|
|Thunderbolt||2011||Light Peak||Mini DisplayPort||20Gbit/s (two 10Gbit/s bonded lanes)|
|Thunderbolt 2||2013||Falcon Ridge||Mini DisplayPort||20Gbit/s|
|Thunderbolt 3||2016||Alpine Ridge||USB Type-C||40Gbit/s|
|Thunderbolt 3||2018||Titan Ridge (refresh of Alpine Ridge)||USB Type-C||40Gbit/s|
The technology that enables these types of high-speed connections between computers and peripherals is Direct Memory Access (DMA). Simply put, DMA allows peripherals to read and write directly to any location in a computer’s memory, bypassing CPU management overhead and delays while the CPU processes other interrupts and I/O requests, greatly speeding up the transfer of data. In this case, DMA is something of a two-edged sword: If the interface channel using DMA is not secured, there is the possibility for memory to be read from or written to in ways that impact the confidentiality, integrity or availability of information stored in it.
Understand that this does not mean that Thunderbolt technology, or utilizing DMA for transfers, is inherently insecure, but rather that the risks involved need to be carefully examined and modeled in order to defend against possible attacks. The use of DMA in PCs dates back to the design of the original IBM PC released in 1981 and may have been present in earlier computer designs as well. PCs have had several DMA interfaces over the years, from expansion cards like ISA, EISA, PCI, PCIe and VLB, floppy diskette and hard disk drive controllers, CardBus and ExpressCard on notebook computers, and so forth. DMA is a robust technique and one that can be implemented with security checks and balances.
If any of this sounds vaguely familiar, you may recall a WeLiveSecurity article from 2011, Where there’s Smoke, there’s FireWire, discussing DMA abuse using FireWire (IEEE-1394) interfaces in both PCs and Macs. And, it should be noted, there are other kinds of attacks on hardware as well, such as 2015’s Thunderstrike, which targeted the EFI ROM in Macs, and 2018’s Meltdown and Spectre speculative execution vulnerabilities in CPUs.
For an introduction to Thunderspy attacks, read the Thunderbolt flaws open millions of PCs to physical hacking on WeLiveSecurity. If you have not read that article, I strongly encourage you to read it before proceeding. With that proviso in mind, let’s look at the threat model for Thunderspy, what are realistic targets for an attacker, and perhaps most importantly, realistic defenses against those.
Ruytenberg provides two proofs of concept (sample code) for Thunderspy that accomplish two different tasks:
- Clone the identities of Thunderbolt devices allowed by the computer.
- Permanently disable Thunderbolt security.
The first cloning attack is like thieves who steal a key to a lock and then copy it. Afterwards, they can use the copied key repeatedly to open that lock. The second attack is a form of “bricking” a chip. In this case, disabling Thunderbolt’s security levels and then write-protecting the changes made so they cannot be undone.
Cloning requires plugging custom Thunderbolt hardware into the target computer and/or disassembling the target computer in order to attach an SPI programmer to the Thunderbolt chip’s SPI flash ROM chip cabled to an SOIC clip adapter. Bricking the chip requires use of the SPI programmer and cable clip adapter, too.
Additional attack scenarios require running software and/or obtaining information about firmware versions on the target computer.
In case it is not clear from the description above, these types of attacks are not done simply, since actual in-person access to the computer is required, along with the tools to disassemble the physical computer, attach the logic programmer, read the firmware from the SPI flash ROM chip, disassemble and modify its instructions, and write it back to the chip. All without the computer owner noticing this has occurred (and, of course, not accidentally damaging the computer in the process).
Because of the time and complexity of this type of activity, it is known as an “evil maid attack,” a type of attack first described by computer security researcher Joanna Rutkowska. As envisioned, it implies the attacker entering a hotel room while the victim is not present and using a USB implant to exploit the computer. While such attacks may seem more like science fiction than science fact, physical wiretaps requiring an on-site visit were a common investigative technique before telephone networks changed from circuit-switched to packet-switched networks that could be tapped on the backbone, so there is historical precedent going back decades.
So, with an understanding of the background and how attacks are performed: who exactly could be the victims of Thunderspy-based attacks? Some of these would be high-value targets, who are pursued by nation-state intelligence or law enforcement agencies, either through their own tooling or that purchased from defense contractors or other members of the “lawful interception” ecosystem, but that may not always be the case. The motive might be a commercial one, such as industrial espionage.
In the past, high-value targets have included such disparate groups as aerospace, energy, journalism, military, and political sectors, all victimized by highly determined adversaries. Attacks can target any market sector and occupation, though, and not only company executives: engineers, administrative personnel and even frontline employees may be targets of opportunity. While those may seem like very unrelated groups of industries and people, they have all been targeted by highly determined adversaries, and are often the first to be exposed to advanced persistent threats, zero-day attacks and so forth. ESET researchers have described several of these attacks here on WeLiveSecurity.
But not all targets may be globe-trotting executives who leave their laptops in their hotel rooms when they go out for dinner. An unsecured computer anywhere on a company’s network may be a point of ingress for an attacker. Consider the following scenarios:
- An executive who travels globally with a laptop but leaves it alone in a hotel room when going out for the evening.
- A desktop computer that is located at the front desk of an office’s reception area, with all of its ports exposed along its back.
- Service bureaus where people bring in external storage media to attach for 2-D or 3-D printing.
- Point of Sales (PoS) systems used as cash registers. These are usually based on PC architectures and use the same types of ports and connectors. While they may not run conventional versions of Windows or Linux, they may run industrial or embedded versions.
- Electronic voting machines that can be easily opened or have their ports accessed when used at polling locations without the knowledge of voting officials.
In some instances, it may be possible to come up with a pretext to get a receptionist or cashier to leave a computer unattended for enough time to plug in a device, although additional work may need to be done in multiple stages, requiring the adversary’s personnel to make more than one visit in order to identify computers, routes and best times to perform the attack and obtain any additional information from the target site needed for successful execution. In other cases, such as that of e-voting machines, one would normally expect to be left uninterrupted and unattended while using the device to vote.
A special case is journalists, as well as employees of NGOs and businesses, who may travel into areas with authoritarian regimes or countries known for commercial espionage. These people may not be able to deny a request by the government to hand over their equipment for a security check. In case you have employees in this situation (or are in that situation yourself), you should only travel with equipment that is “burnable”: it should contain only the minimum amount of information needed for that specific trip. As soon as you return, any devices should be considered completely compromised and not be used again. Also, any accounts used from the devices should have their passwords changed immediately upon return, and two-factor authentication reset and re-authorized.
To defend against hardware attacks requiring physical access to the system, you first need to determine the threat model that applies. In each of the examples given above, the level of exposure and opportunity to an attacker is going to vary greatly. It is also important to decide whether the goal of the defender is to protect against an attack or make evident that a physical attack occurred.
With those in mind, let us look at how one could defend against each of the above scenarios:
- Executives are now required either to take their laptops with them everywhere they go – or to have trusted colleagues hold on to them, to ensure custody at all times.
- Purchase desks for the reception area where the computer’s vulnerable ports are not accessible to the public.
- DMA-based interfaces such as Thunderbolt, Firewire, ExpressCard and so forth, are no longer allowed to be used at a service bureau. Furthermore, the service bureau must segment their network with a DMZ for all computers used with clients’ storage media.
- Keep PoS machines in tamper-resistant enclosures or lockboxes where the computer’s vulnerable ports are not accessible to the public.
- Protect voting e-machines with cases that prevent the computer’s vulnerable ports from being exposed to the public. This could also include cases which are difficult to open within the confines of a closed voting booth.
Additionally, the physical security of a stationary computer can be augmented by physical security systems in the office using cameras, motion sensors, alarms and other features. It may not be possible to take these types of steps in all scenarios – especially in high-traffic areas, or if computers need to be periodically moved, and so forth. It is still possible to come up with methods to increase the amount of time it takes for an adversary to gain physical access to a computer’s internals, or to make the tampering more apparent:
- Consider securing the computer with high-security screws. By these, we do not mean snake-eye, TORX® Security, tri-wing or other types of commonly-available security screws for which security bit sets can be readily purchased, but custom screws and bits like this or this, which can be unique to your company.
- While USB Type-C ports used by Thunderbolt 3 are still comparatively new, port blockers such as this or this are available, and if they cannot outright prevent an adversary from accessing a computer’s Thunderbolt 3 ports (or Mini DisplayPort blockers for Thunderbolt and Thunderbolt 2 ports), they can at least delay an adversary’s ability to access them. If a port blocker is missing and the port it goes into is damaged, at least the defender is now aware the computer has been breached. That assumes regular inspections of the computer are done frequently enough to detect signs of tampering. For example, a computer in the reception area might be checked at the beginning of each shift, while a computer behind multiple locked doors might be checked every few days. The exact amount of time between inspections should be determined based on risk to the person (or organization).
- As a last resort, consider blocking ports with epoxy, removing connectors by de-soldering them, cutting their circuit traces on the computer’s system board, and so forth. Doing so may damage the computer, so consider this option very carefully before proceeding. Also, you will most certainly void the computer’s warranty. But if you’re one of the high-risk individuals at whom such attacks might be directed, you care a lot more about your computer’s security than you do about a voided warranty.
- If you cannot physically block or remove the Thunderbolt 3 ports, disable them in the computer’s UEFI (formerly known as BIOS) setup program.
NOTE: Links given in the bullet points above are for representative purposes only, and not a recommendation by ESET for a specific brand, company or service.
Methods such as these may also be cost-prohibitive depending upon the number of computers the defender has to protect, and the budget. If you cannot deter the adversaries or increase the amount of effort it takes for them to perform a physical attack, you may at least be able to make a physical attack more readily identifiable through tamper detection mechanisms:
- If your computer has anti-tamper features to notify you when the case (chassis) has been opened, enable this feature. Keep in mind, a determined adversary might clear the warning before the victim is aware.
- Anti-tamper or security stickers are not recommended by themselves, as an attacker may have an easy way to remove them or have a replacement chassis and stickers ready to reapply. However, using anti-tamper stickers does increase the attack cost, and it may be augmented with other anti-tamper mechanisms such as, believe it or not, nail polish.
- Paint screws and the areas around them with pearlescent or sparkly nail polish that dries in a unique pattern. If a screw is removed, the polish is cracked and even if repainted, it will not be the same pattern as before. If the nail polish chips easily, consider covering it with clear coat or even epoxy for ruggedness. Take photos after the nail polish has dried and print these out as a photo which can be stored in a vault or a lockbox, as well as a wallet or purse, etc., for comparison in the future. It is not recommended that the photos be kept solely in digital format, as the attacker may have a way to tamper with those as well.
Aside from physical anti-tamper mechanisms, look into steps you can take to make the computer’s firmware and software more secure.
Here are a few general steps to start with:
- If you are using an end-of-life operating system such as Windows 7, upgrade to a newer operating system that continues to receive security updates, such as Windows 10.
- Update your computer’s firmware to the latest version available from the manufacturer’s support website. Keep in mind that firmware isn’t limited to your motherboard’s BIOS or UEFI. Video chips, network interfaces, touchpads, and LCD controllers are just a few of the peripherals in a modern computer that can have updateable firmware. Keep in mind that other devices such as smartphones, tablets, routers and modems have their own firmware, too, and may require updates as well.
- If your computer has them, enable features such as the TPM security chip (or similar chips which provide hardware attestation features), chassis intrusion detection, and set up different passwords for powering on, enabling access to its drive(s) and to enter the UEFI firmware setup interface.
- Turn off Bluetooth and Wi-Fi when not using them, or remove them entirely. In most desktops and laptops, the radio modules for these are on a replaceable card that can be removed from the system. If the radio modules have been removed, there are Wi-Fi and Bluetooth USB adapters that can be connected for temporary access.
- Disable hibernation, sleep, standby, suspend and other hybrid “shutdown” modes, where the computer remains running in a low-power state or writes the contents of memory to a hibernation file before powering down. Modern computers default to these “pseudo-off” modes in order to start up more quickly, however, they may increase the computer’s vulnerability to an attacker. Use the computer as you normally would, but when it is not in use, turn it fully off so that it remains off with nothing stored in memory or in a hibernation file that attackers might be able to read if they obtain physical access to the computer.
Check with your computer or operating system vendor for instructions on how to disable these features, which may have numerous settings and vendor-specific names such as Connected Standby, Fast Sleep, InstantGo, Modern Standby, Suspend-to-RAM, and so forth. Windows should automatically remove any memory image files associated with hibernation when the function is disabled; if using a different operating system such as macOS, check with its developer to see if additional steps are required to remove hibernation or sleep memory image files. A restart may be needed for this change to take effect.
- Look into using full disk encryption (FDE) on both internal drives and removable media. While Ruytenberg’s research showed that FDE could be bypassed while the computer was locked or in sleep mode, it remained secure when the computer was completely turned off.
- Replace computers that use legacy BIOS firmware with ones to those with modern UEFI firmware. While UEFI does have vulnerabilities, it is still more secure than BIOS-based firmware.
- If replacing a computer, consider purchasing one without DMA-capable interfaces, such as Thunderbolt, ExpressCard and FireWire ports. While these can often be disabled in the computer’s firmware setup, keep in mind that an attacker with prolonged access to the computer may attempt to re-enable them.
- Check to see if your computer’s hardware and operating system is using Kernel DMA Protection. Introduced in Microsoft Windows 10 Version 1803 and Apple macOS Sierra 10.12.4, Kernel DMA Protection leverages the Input-Output Memory Management Unit (IOMMU) feature of modern CPUs and chipsets to virtualize DMA connections from interfaces such as Thunderbolt.
- Use security software from a reputable provider that can scan your computer’s UEFI firmware, one of the locations where Thunderbolt security information is stored.
- If the computer is a laptop, keep it with you at all times and never leave it unattended. For example, when you are travelling, the computer goes with you wherever you go. Not just to appointments, client meetings or to conferences, but with you for meals, evening events and so forth. If the attacker cannot gain physical access to your computer, it becomes exponentially harder to exploit using techniques that require direct access to it.
It may not be possible to stop truly determined adversaries, particularly if you are an individual or small organization and they have the resources of a large corporation or even a nation-state. But what you can do is make it harder for their attacks to succeed, and possibly inform you that an attack was attempted.
Attacks such as Thunderspy are the province of sophisticated and determined adversaries, and most people will never be exposed to such a threat in their lifetimes.
If you are one of the unlucky few who might be targeted, defending against such attacks means not just taking the practical approaches outlined above, but understanding why the adversary has targeted you in the first place, and what you may be able to determine about them from previous attacks they have performed.
Trying to understand the threat posed by that adversary is the first step to defending against them. In order to start answering that, start by determining what their goal is. A determined adversary may, for example, target a freelance journalist and an election voting system. The underlying reason for those attacks may be the same, and they may or may not involve using similar or shared resources. However, the mechanics of deploying the attack may be very different.
The capabilities and resources of the defender can vary greatly, as well. To look at the examples above, an individual is going to have significantly fewer capabilities than a government agency if both are being targeted. Thus, their abilities to protect their computing devices are likely going to not just vary, but vary dramatically.
The attacks discussed in Ruytenberg’s Thunderspy research are for Thunderbolt 3 and earlier, but it is important to note that it may be too late in the design cycle of Thunderbolt 4 (and USB 4.0, which is derived from Thunderbolt 3) for manufacturers to completely implement protections against Ruytenberg’s attacks. The Thunderspy attacks may not be completely mitigated in Thunderbolt 4 until that technology is refreshed and in its second generation. This does not necessarily mean that you should skip the initial first generation of Thunderbolt 4 technology because it might be insecure; it should, in fact, be more secure than current versions of Thunderbolt 3. It does, however, mean that you should already be planning ahead to replace those devices if and when a more secure version of Thunderbolt 4 (or its successor) arrives.
Special thanks to my colleagues Tony Anscombe, Petr Blažek, Jean-Ian Boutin, Bruce P. Burrell and Kim Schulz, Nick FitzGerald, Matej Lupták, Tomáš Materna, Kirk Parker, and Tomáš Štefunko for their help with this article.
Aryeh Goretsky, rMVP, ZCSE
Distinguished Researcher, ESET