Thunderbolt Port Flaws Leave PCs Vulnerable to Physical Hacks [u]

Security researchers have discovered a serious vulnerability in the Thunderbolt port that is unpatchable in PCs built prior to 2019, according to a new report from Wired.

A commonly found port on many PCs has been found to have a major vulnerability that should leave many fearful of leaving their computers unattended in public spaces. The Intel Thunderbolt port – known by its lightning bolt symbol – allows for the quick transfer of data to and from a computer and has been installed on almost every new laptop and desktop computer since 2011.

Security researcher Bjorn Ruytenberg on Sunday revealed the so-called Thunderspy attack, which lets hackers read and copy data on a PC, even if it’s locked or asleep, in just a few minutes.

The newly discovered Thunderbolt vulnerability opens the door to what Ruytenberg refers to as an “evil maid attack” – an attack that can be executed if the hacker is afforded time alone with a device.

“All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate, and the evil maid gets full access to the laptop. All of this can be done in under five minutes,” he explained.

According to Ruytenberg, the Thunderspy technique only requires circa $400 USD worth of equipment, which can be used to rewrite the Thunderbolt controller’s firmware and override security mechanisms.

The Thunderbolt port has been used as an attack vector in the past. The Thunderclap vulnerability that was revealed last year allowed attackers to access users’ data by plugging a malicious device into a Thunderbolt port.

To prevent the previous Thunderclap attack, Intel created Kernel Direct Memory Access Protection, which also prevents Thunderspy. But there’s no Kernel DMA Protection on computers manufactured before 2019, and its implementation is spotty on devices made from 2019 or later. Only a few HP and Lenovo models from 2019 or later use it, and researchers couldn’t find Kernel DMA Protection on any Dell machines. It should be noted that Apple’s macOS computers are unaffected.

Update May 12, 2020: Intel sent iPhone in Canada the following statement, saying, “This attack could not be successfully demonstrated on Kernel DMA protection enabled systems. As always, we encourage everyone to follow good security practices, including preventing unauthorized physical access to computers.”
