Zit Seng's Blog

A Singaporean's technology and lifestyle blog

The Thunderbolt Security Problem

Security vulnerabilities are often hard to understand. Some, like these vulnerabilities with Thunderbolt ports, are important enough that we should raise awareness even amongst non-techies. If the lock on your front door can be circumvented, you’d want someone to tell you.

The security issues surrounding Thunderbolt ports are complicated. Since the intent of this post is to reach out to non-techies, let me keep things simple and get to the point

First, this problem affects only computers with Thunderbolt ports. This is a port that physically resembles a USB Type-C port or Mini DisplayPort, and usually marked with a lightning symbol. A Google image search will help you identify these Thunderbolt 3 and Thunderbolt 2 ports. You can also refer to the Wikipedia page on Thunderbolt.

If you don’t have a computer with Thunderbolt ports, you can breathe a sigh of relief. However, you may still be interested in case you might be getting a new computer. Read on, so you can be better informed.

There are quite a few security problems with Thunderbolt, including Thunderclap and Thunderspy. We are presently concerned about the latter, which actually comprises a series of seven vulnerabilities that can broadly grouped into two categories.

The more severe of the two categories are particularly worrying, because they may never get fixed. If you have an affected computer, no Windows update or anti-virus software is going to remedy the problem. The hardware is broken, and it can’t be fixed. For clarity, this post is primarily focused on this more serious category of vulnerabilities.

There are a few exploit scenarios. If a malicious person has access to and can plugin a device into the Thunderbolt port of your computer, he can gain access to the entire memory contents. This is known as a Drive-By DMA attack, and typically takes less than 10 minutes. This can happen because Thunderbolt essentially provides a PCIe bus, an expansion bus that is typically entirely inside a computer, to external devices. A malicious device can get unimpeded direct access to the computer’s memory.

There’s also a slightly more involved exploit that requires reprogramming the Thunderbolt chip. Watch this Youtube video demonstrating a Thunderspy attack that gains access to a locked Windows computer without needing the account password.

There’s some good news, but only for some newer computers manufactured in 2019 and later. These may have support for a security feature known as Kernel DMA Protection. You’ll also need to run Windows 10 version 1803 or newer, which is old enough that shouldn’t be a problem for most users.

You can check if you have Kernel DMA Protection enabled in Windows 10.

On hardware that do not support Kernel DMA Protection, unfortunately, there is no fix. You can mitigate the problem by disabling Thunderbolt in BIOS, and remember to lock your BIOS, so that a malicious person cannot re-enable it. If the hardware only has Thunderbolt 3 / USB Type-C ports, disabling Thunderbolt will also likely disable the USB functionalities, which may be a severe limitation for some people.

Unfortunately, this is the deal we’ve been handed. Thunderbolt is somewhat broken. It can be fixed, but you’ll need new hardware, and if you do that, you should check if they do indeed support Kernel DMA Protection. Or, get a computer without Thunderbolt ports.

At this point, I suppose some people would be relieved to have a notebook without Thunderbolt support. Microsoft’s Surface devices, even including the latest Surface Go 2 and Surface Laptop 3 expected next month, still lack Thunderbolt ports.

Microsoft allegedly avoided Thunderbolt due to its lack of security. I think that’s a weak excuse. Mac computers are not vulnerable to this more serious category of flaws, provided you run a current version of macOS (as opposed to Windows via Boot Camp).

Let’s also not forget that there is still the less severe category of vulnerabilities. These issues are largely not different from similar vulnerabilities that affect USB (e.g. BadUSB). The advice here is to never connect untrusted devices to your computer, and always lock or shutdown the computer if you leave it unattended.

It’s always important to adopt best security practices. Unfortunately, there are some circumstances when even the best security practices are not good enough.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

View Comment Policy