Intel has had a rough time with its Thunderbolt port technology. The device, which offers faster speeds of data transfer to external devices by allowing more direct access to a computer’s memory than other ports, had been eyed by security experts for the threat it may pose to privacy. However, the latest discovery by Björn Ruytenberg of Eindhoven University of Technology, can bypass all of Intel’s efforts to fortify this vulnerability, in a matter of mere minutes.
A collection of flaws in the Thunderbolt technology, called Thunderclap, were revealed last year by a group of researchers. This included plugging a malicious device into a computer’s Thunderbolt port , which can quickly bypass all of its security measures.
Researchers advised that users can protect their data, by turning on the innate security features of Thunderbolt, known as “security levels”. Using this, users can limit access to the technology, disallowing access to untrusted devices or even turning off Thunderbolt altogether in the operating system’s settings. If an unknown device was plugged into the port, it would turn to a simple USB and display port.
However, Ruytenberg has found a way to bypass that. Under the method used by him, a hacker can gain access to the contents of a PC in mere seconds, by opening up the back panel and planting a device. This device will , alter the firmware of the internal chip responsible for the Thunderbolt port and changing its security settings to allow access to any device. Moreover, after an attack, no traces are left behind, making it the perfect crime.
Ruytenberg’s process includes opening the back panel of a device via a screwdriver and attaching an SPI programmer device with an SOP8 clip to it. This device would alter the firmware installed by Intel, and allow all devices to access the Thunderbolt port. Thus, enabling the “security levels” feature becomes useless. In the video posted by Ruytenberg, he was able to perform this action with a tool set costing just $400. However, the set up also needed an SPI programmer and $200 worth of peripheral that can be plugged into a Thunderbolt port.
Moreover, Ruytenberg claims that a hacker with a better budget could possibly build a much smaller kit for about $10,000, thus making attacks more sophisticated.
Now, Intel was aware of the flaw exposed by Ruytenberg, and had created a security mechanism called Kernel Direct Memory Access Protection. This feature would prevent a Ruytenberg attack (that’s what we are going to call it), and any threats to a user’s security. So in retrospect, one would think that Intel has already patched this up. Then why is this news so important?
Well, Intel’s response was too little too late, as the firmware only started rolling out in devices launched in 2019 or after. Moreover, some of the laptops produced even after 2019 do not have the security mechanism. WIRED reports that Eindhoven researchers could not find any Dell laptops compatible with the Kernel DMA Protection.
Intel said in a blog post, “While the underlying vulnerability is not new, the researchers demonstrated new physical attack vectors using a customized peripheral device.” The company also suggested users to follow “standard security practices”, which is just a fancy way to say that the company does not have an answer yet.
Ruytenberg also said that no software update can patch this issue, and Intel has to get back to the drawing board and make hardware changes to fix this issue.
Ruytenberg plans to present his Thunderspy research at the Black Hat security conference this summer, if it happens.
