Dubai – ESET has published a comprehensive overview of risks stemming from Thunderspy, a series of vulnerabilities in Thunderbolt technology, and possible protections. Via Thunderspy, an attacker can change – possibly even remove – the security measures of the Thunderbolt interface on a computer. As a result, an attacker with physical access to the target computer can steal data from it, even if full disk encryption is used and the machine is locked with a password or sleeping in low-power mode.
Thunderspy was discovered by Björn Ruytenberg, a computer security researcher, in May 2020.
“While Ruytenberg’s research has received publicity because of its novel attack vector, not much has been said about how to protect against Thunderspy, or even determine whether you have been a victim,” points out Aryeh Goretsky, ESET Distinguished Researcher.
In his article “Thunderspy attacks: What they are, who’s at greatest risk and how to stay safe,” Goretsky briefly explains the technical background for Thunderspy but focuses primarily on practical methods to defend against it.
Thunderbolt-based attacks are very rare because they are, by their nature, highly targeted. “The fact a typical user will not get into an attacker’s crosshairs doesn’t mean everyone is safe. For many, following some of the admittedly draconian recommendations we describe in our article really makes sense,” comments Goretsky.
There are two types of attacks against the security that Thunderbolt relies on to maintain the integrity of a computer. The first is cloning the identities of Thunderbolt devices that are already trusted and allowed by the computer. The second is to permanently disable Thunderbolt security so that it cannot be re-enabled.
“The cloning attack is like thieves who steal a key and copy it. Afterwards, they can use the copied key repeatedly to open that lock. The second attack is a form of bricking a chip. In this case, permanently disabling Thunderbolt’s security levels and write-protecting the changes so they cannot be undone,” explains Goretsky.
Neither type of attack is done simply, since actual in-person access to the target computer is required, along with the tools to disassemble the computer, attach a logic programmer, read the firmware from the SPI flash ROM chip, disassemble and modify its instructions, and write it back to the chip. Such attacks are a type of “evil maid attack,” implying the scenario of the attacker entering a hotel room while the victim is not present to conduct the attack.
The necessity to physically tamper with the computer limits the range of potential victims to high-value targets. Some may be pursued by nation-state intelligence or law enforcement agencies, but also business executives, engineers, administrative personnel or even frontline employees may be targets of opportunity if the attacker has some commercial motive, such as industrial espionage. Under oppressive regimes, politicians, NGOs and journalists are also possible targets for advanced threats like Thunderspy.
To defend against Thunderspy, just like any other hardware attacks requiring physical access to the system, it’s important to decide whether the goal of the defense is to make it evident that a physical attack occurred, or to protect against it.
Protection methods against Thunderspy attacks may be divided into separate categories. “First, prevent any unauthorized access to your computer. Second, secure all your computer’s relevant interfaces and ports, such as USB-C. Besides that, look beyond physical measures and also take steps to make your computer’s firmware and software more secure,” summarizes Goretsky.
The article “Thunderspy attacks: What they are, who’s at greatest risk and how to stay safe” contains many practical pieces of advice on improving the security against the theft of data by Thunderspy, including one that stands out as simple yet relatively powerful.
“Disable hibernation, sleep or other hybrid shutdown modes. Make the computer turn completely off when not in use – doing this can prevent attacks on the computer’s memory via Thunderspy,” recommends Goretsky.
Aside from all other security measures, users employ security software from a reputable provider that can scan the computer’s UEFI firmware, one of the locations where Thunderbolt security information is stored.
For more information, please read “Thunderspy attacks: What they are, who’s at greatest risk and how to stay safe” at WeLiveSecurity.com.
For more than 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET is the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and Twitter.
© Press Release 2020
Disclaimer: The contents of this press release was provided from an external third party provider. This website is not responsible for, and does not control, such external content. This content is provided on an “as is” and “as available” basis and has not been edited in any way. Neither this website nor our affiliates guarantee the accuracy of or endorse the views or opinions expressed in this press release.
The press release is provided for informational purposes only. The content does not provide tax, legal or investment advice or opinion regarding the suitability, value or profitability of any particular security, portfolio or investment strategy. Neither this website nor our affiliates shall be liable for any errors or inaccuracies in the content, or for any actions taken by you in reliance thereon. You expressly agree that your use of the information within this article is at your sole risk.
To the fullest extent permitted by applicable law, this website, its parent company, its subsidiaries, its affiliates and the respective shareholders, directors, officers, employees, agents, advertisers, content providers and licensors will not be liable (jointly or severally) to you for any direct, indirect, consequential, special, incidental, punitive or exemplary damages, including without limitation, lost profits, lost savings and lost revenues, whether in negligence, tort, contract or any other theory of liability, even if the parties have been advised of the possibility or could have foreseen any such damages.