A Dutch master's student has found vulnerabilities in the hardware design of the Thunderbolt input/output port that let attackers fully bypass computer access security measures such as Secure Boot, login passwords and full-disk encryption.
Physical access to the computer is required, however, to perform the attack, which MSc student Björn Ruytenberg named Thunderspy.
The attack [pdf] takes about five minutes and leaves no traces.
Designed by Intel and Apple, and included in millions of Windows, Linux and Mac computers since 2011, Thunderbolt is a high-speed peripheral interconnect system that can daisy-chain up to six devices.
To achieve its high bandwidth of up to 40 gigabits per second, Thunderbolt gives devices direct memory access (DMA), which researchers last year showed could be abused to fully take over computers.
Ruytenberg's Thunderspy is a collection of seven vulnerabilities that break Intel's Security Levels architecture for Thunderbolt versions 1, 2 and 3, the mechanism that is meant to let users authorise only trusted devices.
On Macs, running Windows or Linux within Apple's Boot Camp emulator disables all Thunderbolt security, making attacks trivial to perform.
By exploiting the vulnerabilities, Ruytenberg created nine practical exploits.
These allowed him to create arbitrary Thunderbolt devices, to clone devices the user had already authorised, and to obtain PCIe bus connectivity to perform DMA attacks.
It is also possible to permanently disable Thunderbolt security and block all firmware updates, Ruytenberg found.
Plugging in malicious Thunderbolt cables, USB-C to DisplayPort or HDMI video output dongles or external hard drives could let attackers break into the vast majority of recent laptops and desktops, if they have physical access to the devices.
Apple and Intel have been notified of the vulnerabilities, which appear to be unfixable as they are likely to require a hardware redesign.
To mitigate the Thunderspy vulnerabilities, Ruytenberg suggests implementing physical security if disabling the Thunderbolt controller entirely isn't feasible.
This includes connecting only your own Thunderbolt peripherals, and not lending them to anybody or leaving them unattended.
Users should not leave their systems powered on even with the screen lock enabled.
Using suspend-to-disk hibernation or completely powering off systems, instead of suspend-to-memory sleep mode, is also recommended for additional protection against Thunderspy exploitation.
Intel implemented Kernel DMA Protection last year, which partially mitigates Thunderspy.
The protective measure could reduce performance, however, and in some cases causes compatibility issues: Thunderbolt devices stop working if their drivers don't support DMA remapping.
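As an added example that is not part of the article, the following POSIX shell function audits the two settings the mitigation discussion turns on, as the Linux Thunderbolt driver exposes them in sysfs: the per-domain `security` attribute (the Security Level: none, user, secure, dponly, usbonly or nopcie) and `iommu_dma_protection` (1 when the kernel reports IOMMU-based DMA remapping, i.e. Kernel DMA Protection, for that domain). The sysfs root is a parameter so the check can be run against a constructed tree; the verdict wording is the example's own.

```shell
#!/bin/sh
# Added example: report whether each Thunderbolt domain on a Linux host relies
# on the (broken) Security Levels alone or has IOMMU DMA remapping behind it.
# Attribute names assumed from the kernel's sysfs-bus-thunderbolt ABI document:
#   <domain>/security              Security Level chosen by firmware/BIOS
#   <domain>/iommu_dma_protection  "1" when the IOMMU remaps tunnelled PCIe DMA
# Usage: tb_audit [SYSFS_ROOT]   (default /sys/bus/thunderbolt/devices)
# Exit status: 0 no exposed domain, 1 at least one exposed, 2 nothing found.
tb_audit() {
    root="${1:-/sys/bus/thunderbolt/devices}"
    found=0
    exposed=0
    for dom in "$root"/domain*; do
        [ -r "$dom/security" ] || continue
        found=1
        sec=$(cat "$dom/security")
        dma=$(cat "$dom/iommu_dma_protection" 2>/dev/null || echo 0)
        case "$sec" in
            none|user|secure)
                # PCIe tunnelling is allowed at these levels, and Thunderspy
                # defeats the device authorisation itself, so only IOMMU
                # remapping stands between an attached device and memory.
                if [ "$dma" = "1" ]; then
                    verdict="ok (Kernel DMA Protection active)"
                else
                    verdict="exposed (no IOMMU DMA remapping at level '$sec')"
                    exposed=1
                fi ;;
            dponly|usbonly|nopcie)
                # No PCIe tunnelling at all, so no DMA path to protect.
                verdict="ok (no PCIe tunnelling at level '$sec')" ;;
            *)
                verdict="unknown security level '$sec', treat as exposed"
                exposed=1 ;;
        esac
        echo "$(basename "$dom"): security=$sec iommu_dma_protection=$dma -> $verdict"
    done
    if [ "$found" -ne 1 ]; then
        echo "no Thunderbolt domains found under $root"
        return 2
    fi
    return "$exposed"
}
```

Run it without arguments on a live system; a non-zero exit status means at least one domain tunnels PCIe without DMA remapping, which is the configuration the article describes as only physically securable.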
Whether or not the most recent version 4 of Thunderbolt, introduced by Intel this year, is vulnerable is unknown at the moment.
USB 4, which was introduced last year, supports Thunderbolt-based signalling, and Ruytenberg advised users to exercise caution until hardware designed for the new peripheral interconnect protocols has been tested to ensure the current vulnerabilities are addressed.
More Thunderbolt vulnerabilities may follow, as Ruytenberg is continuing his Thunderspy research with a second part.