Thunderspy

The Thunderspy security vulnerabilities were first publicly reported by Björn Ruytenberg of Eindhoven University of Technology in the Netherlands on 10 May 2020.{{cite news |last=Ruytenberg |first=Björn |title=Breaking Thunderbolt Protocol Security: Vulnerability Report. 2020. |url=https://thunderspy.io/assets/reports/breaking-thunderbolt-security-bjorn-ruytenberg-20200417.pdf |date=17 April 2020 |work=Thunderspy.io |accessdate=11 May 2020 |archive-date=11 May 2020 |archive-url=https://web.archive.org/web/20200511032830/https://thunderspy.io/assets/reports/breaking-thunderbolt-security-bjorn-ruytenberg-20200417.pdf |url-status=live }} Thunderspy is similar to Thunderclap,{{cite news |author=Staff |title=Thunderclap: Modern computers are vulnerable to malicious peripheral devices |url=http://thunderclap.io/ |date=26 February 2019 |accessdate=12 May 2020 }}{{cite news |last=Gartenberg |first=Chaim |title='Thunderclap' vulnerability could leave Thunderbolt computers open to attacks - Remember: don't just plug random stuff into your computer |url=https://www.theverge.com/2019/2/27/18243503/thunderclap-vulnerability-thunderbolt-computers-attack |date=27 February 2019 |work=The Verge |accessdate=12 May 2020 }} another security vulnerability, reported in 2019, that also involves access to computer files through the Thunderbolt port.

{{more citations needed|section|date=May 2020}}

The security vulnerability affects millions of Apple, Linux and Windows computers, as well as all computers manufactured before 2019, and some after that. However, this impact is restricted mainly to how precise a bad actor would have to be to execute the attack. Physical access to a machine with a vulnerable Thunderbolt controller is necessary, as well as a writable ROM chip for the Thunderbolt controller's firmware. Additionally, part of Thunderspy, specifically the portion involving re-writing the firmware of the controller, requires the device to be in sleep, or at least in some sort of powered-on state, to be effective.{{Cite web |last=Grey |first=Mishka |title=7 Thunderbolt Vulnerabilities Affect Millions of Devices: 'Thunderspy' Allows Physical Hacking in 5 Minutes - Do you own a Thunderbolt equipped laptop, and have bought it after 2011? Well, we've news for YOU. 7 newly discovered Intel Thunderbolt vulnerabilities have exposed your device to hackers. Learn what to do? |url=https://www.hackreports.com/7-thunderbolt-vulnerabillity-thunderspy-exploit-thunderbolt-hacked/ |date=13 May 2020 |work=HackReports.com |accessdate=18 May 2020 |archive-date=4 August 2020 |archive-url=https://web.archive.org/web/20200804174216/https://www.hackreports.com/7-thunderbolt-vulnerabillity-thunderspy-exploit-thunderbolt-hacked/ |url-status=live }} Machines that force power-off when the case is open may assist in resisting this attack to the extent that the feature (switch) itself resists tampering.

Due to the nature of attacks that require extended physical access to hardware, it's unlikely the attack will affect users outside of a business or government environment.{{cite news |author=codeHusky |title=Video (11:01) - Thunderspy is nothing to worry about - Here's why |url=https://www.youtube.com/watch?v=c9Z3hQh0NxY |date=11 May 2020 |work=YouTube |accessdate=12 May 2020 |archive-date=19 June 2020 |archive-url=https://web.archive.org/web/20200619195525/https://www.youtube.com/watch?v=c9Z3hQh0NxY&gl=US&hl=en |url-status=live }}

The researchers claim there is no easy software solution, and may only be mitigated by disabling the Thunderbolt port altogether. However, the impacts of this attack (reading kernel level memory without the machine needing to be powered off) are largely mitigated by anti-intrusion features provided by many business machines.{{cite web |author=Staff |title=Kernel DMA Protection for Thunderbolt™ 3 (Windows 10) - Microsoft 365 Security |url=https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt |date=26 March 2019 |work=Microsoft Docs |accessdate=17 May 2020 |archive-date=22 April 2020 |archive-url=https://web.archive.org/web/20200422022727/https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt |url-status=live }} Intel claims enabling such features would substantially restrict the effectiveness of the attack.{{cite news |last=Jerry |first=Bryant |title=More Information on Thunderbolt(TM) Security - Technology@Intel |url=https://blogs.intel.com/technology/2020/05/more-information-on-thunderspy/ |date=10 May 2020 |accessdate=17 May 2020 |archive-date=15 May 2020 |archive-url=https://web.archive.org/web/20200515131640/https://blogs.intel.com/technology/2020/05/more-information-on-thunderspy/ |url-status=live }} Microsoft's official security recommendations recommend disabling sleep mode while using BitLocker.{{Cite web|url=https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-security-faq#what-are-the-implications-of-using-the-sleep-or-hibernate-power-management-options|title = BitLocker Security FAQ (Windows 10) - Windows security}} Using hibernation in place of sleep mode turns the device off, mitigating potential risks of attack on encrypted data.

{{Reflist|colwidth=30em}}

• {{Official website|https://thunderspy.io/}}
• {{youtube|7uvSZA1F9os|Video (5:54) – Thunderspy: proof of concept}}
• {{youtube|c9Z3hQh0NxY|Video (11:01) - Thunderspy is nothing to worry about - Here's why}}{{cn|date=May 2020}}

{{Hacking in the 2020s}}

{{Portal bar|Business and economics|Computer programming}}

Category:Computer security

Category:2020 in computing