Thunderspy And Your Cybersecurity Program

A newly released set of vulnerabilities termed “Thunderspy” allow an attacker with physical access to your encrypted computer in sleep mode (not powered off and not hibernated) to take full control of your system utilizing a Thunderbolt port.

In this compelling video, Thunderspy’s author, Björn Ruytenberg, demonstrates bypassing the Windows lock screen in under five minutes using a set of Thunderbolt attacks.

Thunderspy will affect devices with ports that look like the ones shown below. A USB-C port is on the left and a Mini-DisplayPort is on the right. Notice the lightning bolt arrow icon next to the ports which indicates it features Thunderbolt connectivity.

Devices with regular USB icons shown below do not support Thunderbolt and are not affected by these vulnerabilities.

Thunderspy affects all devices with Thunderbolt ports shipped between 2011 and 2020. This includes all Apple Macs released from 2011 to now, except for MacBook models introduced in 2015 or later that have a single USB-C port and no Thunderbolt port. Many Windows-based systems are also affected.

Unfortunately, there is no software fix. If your organization relies on device encryption to protect laptops and other devices where physical security cannot be fully controlled, having a Thunderbolt port essentially enables a backdoor that bypasses the encryption.

So, here’s the good news: the attack is a relatively high bar given the attacker has to gain physical access to your device, disassemble it, and utilize specialized equipment. The video linked to above shows the Thunderspy author physically removing the back plate of the laptop to connect his equipment. The specialized equipment is needed to flash a malicious firmware and inject a kernel driver to pull off the hack.

Although the impact may be high, the likelihood will be low for most organizations unless you are a high-profile organization targeted by well-resourced (e.g. nation state) attackers.

Organizations and individuals that are not routinely targeted by well-resourced attackers can take the following reasonable precautions:

1. When purchasing new equipment, avoid devices with Thunderbolt ports.
2. Incorporate this threat into your security awareness content. Instruct users to power down a laptop instead of simply closing the lid when leaving their laptop unattended for longer periods of time. Also, instruct users to not connect untrusted devices to their system. This will not only help mitigate Thunderspy but a whole class of attacks that rely on plugging in a malicious device.
3. Disable Thunderbolt ports in the BIOS/UEFI settings if the option is supported by your system. Simply setting the Thunderbolt port security level to “Display Only” or Security Level 3 does not address this risk as Thunderspy can change these levels.
4. Enable Kernel Direct Memory Access (DMA) Protection in the BIOS/UEFI settings if the option is provided. In response to Thunderspy, Intel offered the following, “In 2019, major operating systems implemented Kernel Direct Memory Access (DMA) protection to mitigate against attacks such as these. This includes Windows (Windows 10 1803 RS4 and later), Linux (kernel 5.x and later), and MacOS (MacOS 10.12.4 and later).“

There is no on-size-fits-all approach to handling the Thunderspy risk. Evaluate the risk in terms of your own unique business environment and evaluate the compensating controls you have in place.

For more information on Thunderspy, see this website.

If you would like guidance or advice on how to structure your cybersecurity program to integrate threats like these, I am here to help and offer a free consultation.

To your security,
-Geoff