About half of my contacts have reached out to me regarding an article that appeared on The Verge about a vulnerability in computers that have Intel’s Thunderbolt chipsets and were manufactured through 2019, which may have an exploitable flaw that would allow a hacker access to your files. I will respond directly: yes, there is a hardware-specific flaw that would allow a hacker to access your files, bypassing any and all restrictions and security measures.
To make sure that this was not something new, I reached out to Intel’s Thunderbolt team for comment. A short blog post by Intel’s Jerry Bryant mentions the research by the Eindhoven University of Technology, dubbed “ThunderSpy”, which demonstrates a new vulnerability via a physical attack on systems that have not been upgraded. The blog post also reminds users: “In 2019, major operating systems implemented Kernel Direct Memory Access (DMA) protection to mitigate against attacks such as these. This includes Windows (Windows 10 1803 RS4 and later), Linux (kernel 5.x and later), and MacOS (MacOS 10.12.4 and later).”
So most media and entertainment users can relax, because not every security flaw affects everyone in the same manner. The ThunderSpy vulnerability requires the hacker to make a dedicated, specific attack on your physical device. This vulnerability is not a sniffer or a snooper; it does not log your keystrokes, and it is not a bot that steals your data. As indicated in the video, a hacker would need to build a device to capture and then rewrite the boot sequence from the chip itself. Then the hacker would need to write or modify an existing application to override the boot sequence, forcing a bypass of the normal startup process so that it can rewrite the chip’s programming, all while being in physical contact with your computer for not quite 10 minutes as they dismantle it to gain access to the physical chip.
The first versions of this issue came to light in 2014 via the BadUSB exploit, which stems from an “invisible” microcontroller in most USB devices: a modified USB adapter was able to redirect the computer’s network traffic to a new Domain Name System (DNS) server address, giving the hacker access to the computer and network infrastructure just by attaching a USB device to your computer. It is also the reason that, starting in late 2014, operating systems began requiring users to manually acknowledge that a new device had been attached and wanted access to the computer. The OS then maintains an internal record of the MAC address of each peripheral device you have given “always connect” status to, protecting against a “drive-by” exploit from malware that infects your system during boot.
This type of exploit is hardly new. These Direct Memory Access (DMA) attacks can also happen via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and others. They have existed for as long as there has been PCI-level bus connectivity. PCI devices are DMA-capable, allowing them to directly read and write system memory at will, without having to engage the system processor (or security subsystems) in these operations. The DMA capability is what makes PCI devices capable of the highest performance available today. Historically these devices have only existed inside the computer, either connected as a PCI card or soldered directly onto the motherboard, and access to them required the user to turn off power to the system and disassemble the chassis. Today, this is no longer the case with Thunderbolt™ and USB enabled workflows.
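To see whether the Linux-side mitigation that Intel’s post refers to (kernel DMA protection through the IOMMU) is actually active on a given machine, here is an added example script that is not part of the original post or of any project mentioned in it. It assumes the `security` and `iommu_dma_protection` attributes under `/sys/bus/thunderbolt/devices/domain*/` as documented in the kernel’s Thunderbolt admin guide; the verdict labels it prints are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: read the Thunderbolt security
# level and IOMMU DMA-protection flag that the Linux kernel exposes in sysfs
# and classify what they mean for a ThunderSpy-style physical DMA attack.
# Assumed sysfs paths (from the kernel's thunderbolt admin guide):
#   /sys/bus/thunderbolt/devices/domain*/security
#   /sys/bus/thunderbolt/devices/domain*/iommu_dma_protection

# classify_tb_security LEVEL IOMMU -> prints one verdict word
#   LEVEL: none|user|secure|dponly|usbonly|nopcie (kernel security level)
#   IOMMU: 1 if the kernel reports IOMMU-based DMA protection, else 0
classify_tb_security() {
    level="$1"
    iommu="$2"
    if [ "$iommu" = "1" ]; then
        # The IOMMU remaps device DMA, so a hot-plugged device cannot read
        # arbitrary system memory whatever the controller's security level.
        echo "PROTECTED_IOMMU"
        return 0
    fi
    case "$level" in
        nopcie|dponly|usbonly)
            # No PCIe tunnel over the port at all, hence no DMA path.
            echo "PROTECTED_NO_PCIE" ;;
        secure|user)
            # Approval/key checks are enforced by the controller itself; the
            # post describes an attack that rewrites that controller's
            # programming, so treat these as partial protection only.
            echo "PARTIAL_CONTROLLER_ENFORCED" ;;
        none|"")
            echo "AT_RISK_NO_PROTECTION" ;;
        *)
            echo "UNKNOWN_LEVEL" ;;
    esac
    return 0
}

# Report every Thunderbolt domain on this machine (there may be none, e.g. in a VM).
for domain in /sys/bus/thunderbolt/devices/domain*; do
    [ -r "$domain/security" ] || continue
    level=$(cat "$domain/security")
    iommu=0
    if [ -r "$domain/iommu_dma_protection" ]; then
        iommu=$(cat "$domain/iommu_dma_protection")
    fi
    printf '%s: security=%s iommu_dma_protection=%s -> %s\n' \
        "$domain" "$level" "$iommu" "$(classify_tb_security "$level" "$iommu")"
done
```

On a machine without Thunderbolt domains the loop prints nothing; a `PROTECTED_IOMMU` verdict corresponds to the kernel-level mitigation the quoted Intel post describes.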
In closing, remember that no computer is truly secure, especially if someone else has physical access to it. In all honesty, the ThunderSpy flaw is only dangerous if you were to lose your computer or if you are working on a secret government pandemic project; for the vast majority of users, simple due diligence will protect them and their data from this exploit, for now at least.