Karlston, posted May 11, 2020

Thunderbolt Flaws Expose Millions of PCs to Hands-On Hacking

The so-called Thunderspy attack takes less than five minutes to pull off with physical access to a device, and affects any PC manufactured before 2019.

New research shows that Intel's Thunderbolt port is vulnerable to so-called evil maid attacks on all but the most recent PCs. Photograph: Oleksiy Maksymenko Photography/Alamy

Security paranoiacs have warned for years that any laptop left alone with a hacker for more than a few minutes should be considered compromised. Now one Dutch researcher has demonstrated how that sort of physical access hacking can be pulled off in an ultra-common component: the Intel Thunderbolt port found in millions of PCs.

On Sunday, Eindhoven University of Technology researcher Björn Ruytenberg revealed the details of a new attack method he's calling Thunderspy. On Thunderbolt-enabled Windows or Linux PCs manufactured before 2019, his technique can bypass the login screen of a sleeping or locked computer—and even its hard disk encryption—to gain full access to the computer's data. And while his attack in many cases requires opening a target laptop's case with a screwdriver, it leaves no trace of intrusion, and can be pulled off in just a few minutes. That opens a new avenue to what the security industry calls an "evil maid attack," the threat of any hacker who can get alone time with a computer in, say, a hotel room. Ruytenberg says there's no easy software fix, only disabling the Thunderbolt port altogether.

"All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate, and the evil maid gets full access to the laptop," says Ruytenberg, who plans to present his Thunderspy research at the Black Hat security conference this summer—or the virtual conference that may replace it. "All of this can be done in under five minutes."
'Security Level' Zero

Security researchers have long been wary of Intel's Thunderbolt interface as a potential security issue. It offers faster speeds of data transfer to external devices in part by allowing more direct access to a computer's memory than other ports, which can lead to security vulnerabilities. A collection of flaws in Thunderbolt components known as Thunderclap, revealed by a group of researchers last year, for instance, showed that plugging a malicious device into a computer's Thunderbolt port can quickly bypass all of its security measures. As a remedy, those researchers recommended that users take advantage of a Thunderbolt feature known as "security levels," disallowing access to untrusted devices or even turning off Thunderbolt altogether in the operating system's settings. That would turn the vulnerable port into a mere USB and display port.

But Ruytenberg's new technique allows an attacker to bypass even those security settings, altering the firmware of the internal chip responsible for the Thunderbolt port and changing its security settings to allow access to any device. It does so without creating any evidence of that change visible to the computer's operating system. "Intel created a fortress around this," says Tanja Lange, a cryptography professor at the Eindhoven University of Technology and Ruytenberg's advisor on the Thunderspy research. "Björn has gotten through all their barriers."

Following last year's Thunderclap research, Intel also created a security mechanism known as Kernel Direct Memory Access Protection, which prevents Ruytenberg's Thunderspy attack. But that Kernel DMA Protection is lacking in all computers made before 2019, and is still not standard today. In fact, many Thunderbolt peripherals made before 2019 are incompatible with Kernel DMA Protection.
In their testing, the Eindhoven researchers could find no Dell machines that have the Kernel DMA Protection, including those from 2019 or later, and they were only able to verify that a few HP and Lenovo models from 2019 or later use it. Computers running Apple's MacOS are unaffected. Ruytenberg is also releasing a tool to determine if your computer is vulnerable to the Thunderspy attack, and whether it's possible to enable Kernel DMA Protection on your machine.

Return of the Evil Maid

Ruytenberg's technique, shown in the video below, requires unscrewing the bottom panel of a laptop to gain access to the Thunderbolt controller, then attaching an SPI programmer device with an SOP8 clip, a piece of hardware designed to attach to the controller's pins. That SPI programmer then rewrites the firmware of the chip—which in Ruytenberg's video demo takes a little over two minutes—essentially turning off its security settings.

"I analyzed the firmware and found that it contains the security state of the controller," Ruytenberg says. "And so I developed methods to change that security state to 'none.' So basically disabling all security." An attacker can then plug a device into the Thunderbolt port that alters its operating system to disable its lock screen, even if it's using full disk encryption.

The full attack Ruytenberg shows in his demo video uses only about $400 worth of equipment, he says, but requires an SPI programmer device and a $200 peripheral that can be plugged into a Thunderbolt port to carry out the direct memory attack that bypasses the lockscreen, like the AKiTiO PCIe Expansion Box Ruytenberg used. But he argues that a better-funded hacker could build the entire setup into a single small device for around $10,000. "Three-letter agencies would have no problem miniaturizing this," Ruytenberg says.
The fact that Thunderbolt remains a viable attack method for evil maids isn't entirely unexpected, says Karsten Nohl, a well-known hardware security researcher and founder of SR Labs, who reviewed Ruytenberg's work. Nor should it freak out too many users, he says, given that it requires a certain level of sophistication and physical access to a victim machine. Still, he was surprised to see how easily Intel's "security levels" can be bypassed. "If you're adding an authentication scheme against hardware attacks and then you implement it in unsecured hardware... that's the wrong way to tackle a hardware security problem," says Nohl. "It's a false sense of protection."

Ruytenberg says there's also a less invasive version of his Thunderspy attack, but it requires access to a Thunderbolt peripheral the user has plugged into their computer at some point. Thunderbolt devices set as "trusted" for a target computer contain a 64-bit code that Ruytenberg found he could access and copy from one gadget to another. That way he could bypass a target device's lockscreen without even opening the case. "There's no real cryptography involved here," Ruytenberg says. "You copy the number over. And that's pretty much it." That version of the Thunderspy attack only works, however, when the Thunderbolt port's security settings are configured to their default setting of allowing trusted devices.

Ruytenberg shared his findings with Intel three months ago. When WIRED reached out to the company it responded in a blog post noting, as the researchers had, that Kernel DMA Protections prevent the attack. "While the underlying vulnerability is not new, the researchers demonstrated new physical attack vectors using a customized peripheral device," the blog post reads. (The researchers counter that the vulnerability is in fact new, and their attack uses only off-the-shelf components.)
"For all systems, we recommend following standard security practices," Intel added, "including the use of only trusted peripherals and preventing unauthorized physical access to computers."

An Unpatchable Flaw

In a statement to WIRED, HP said it offers protection against direct memory attacks via the Thunderbolt port in "most HP Commercial PC and Mobile Workstation products that support Sure Start Gen5 and beyond," which includes systems that have launched since the beginning of 2019. "HP is also unique in that we are the only [computer manufacturer] that provides protection against DMA attacks via internal card (PCI) and Thunderbolt devices," the company added. "Protection from DMA attacks via Thunderbolt is enabled by default."

Lenovo said that it "is assessing this new research along with our partners and will communicate with customers as appropriate." Samsung didn't respond to a request for comment. Dell said in a statement that "customers concerned about these threats should follow security best practices and avoid connecting unknown or untrusted devices to PC ports," and referred WIRED to Intel for more information. When WIRED asked Intel which computer manufacturers use its Kernel DMA Protection feature, it referred us back to the manufacturers.

Ruytenberg points out that the flaws he found extend to Intel's hardware, and can't be fixed with a mere software update. "Basically they will have to do a silicon redesign," he says. Nor can users change the security settings of their Thunderbolt port in their operating system to prevent the attack, given that Ruytenberg discovered how to turn those settings off. Instead, he says that paranoid users may want to disable their Thunderbolt port altogether in their computer's BIOS, though the process of doing so will be different for every affected PC.
On top of disabling Thunderbolt in BIOS, users will also need to enable hard disk encryption and turn their computers off entirely when they leave them unattended to be fully protected.

Evil maid attacks have, of course, been possible in some cases for years. Firmware-focused security companies like Eclypsium have demonstrated five-minute physical access hacking of Windows machines using BIOS vulnerabilities, for instance, and WikiLeaks' Vault7 release included information about CIA tools designed to hack Macs' firmware with physical access techniques. But both of those sorts of attacks are based on vulnerabilities that can be patched; the CIA's attack was blocked by the time news of it leaked in 2017. Thunderspy, on the other hand, remains both unpatched and unpatchable for millions of computers. The owners of those machines may now need to upgrade to a model that has Kernel DMA Protection in place—or think twice about leaving their sleeping computers unattended.

Source: Thunderbolt Flaws Expose Millions of PCs to Hands-On Hacking (Wired)
zanderthunder, posted May 11, 2020

Maybe this is the reason why Microsoft doesn't want Thunderbolt on their Surface lineup?
Karlston (author), posted May 11, 2020

Thunderspy: find out whether your device is vulnerable to (local) Thunderbolt security issues

Security researcher Björn Ruytenberg published a security analysis of the Thunderbolt protocol on April 17, 2020 entitled "Breaking Thunderbolt Protocol Security: Vulnerability Report". He discovered several security vulnerabilities in the Thunderbolt protocol that may be exploited by local attackers to access all data even on systems with encrypted drives and if the computer is locked or in sleep mode.

A total of seven vulnerabilities are revealed in the analysis; these affect "all laptop and desktop systems equipped with a Thunderbolt 2 and/or Thunderbolt 3 family host controller employing Security Levels". All Microsoft operating systems from Windows 7 to Windows 10 and all Linux kernel releases from kernel 4.13 are affected. Apple Macintosh systems are affected partially only because of additional security measures that are in place by default.

Update: Intel responded to Thunderspy stating that newer versions of Windows 10, Mac OS X and Linux supported a feature called Kernel Direct Memory Access (DMA) protection which mitigated against attacks outlined in the research paper. Microsoft published an article about this here on its Docs website. On systems running at least Windows 10 version 1803, administrators may go to Start > Settings > Update & Security > Windows Security > Open Windows Security > Device security > Core isolation details > Memory access protection to verify that memory access protection is enabled; this requires UEFI firmware support and is not compatible with other BitLocker DMA attack countermeasures. End

All attacks require brief local access to the system but the system itself may be locked or in sleep state. The paper describes several exploitation scenarios which all require local access to the device.
A program has been created by the researcher that checks devices with Thunderbolt ports. The application is available for Windows and Linux; the Windows version may be downloaded from the Thunderspy website. It is compatible with Windows 7 and newer versions of Windows, and with Linux kernel 3.16 and Python 3.4 and later on Linux devices.

Spycheck prompts you to identify the ports on the device which can either be USB-C or Mini-DisplayPort with lightning symbol or without lightning symbol. Hit the next button once you have identified the correct port to have it check that port. Devices without Thunderbolt ports will show up as "not vulnerable" automatically. Suggestions are displayed on how to address the issue if a device is found to be vulnerable by the application.

The researcher created demonstration videos; the first demonstrates how to unlock Windows PCs in 5 minutes by exploiting vulnerabilities. The second video shows how to disable all Thunderbolt security on a Windows PC permanently.

Source: Thunderspy: find out whether your device is vulnerable to (local) Thunderbolt security issues (gHacks - Martin Brinkmann)
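The post above describes Spycheck and the Windows Settings path for verifying Kernel DMA Protection. As an added example (not Ruytenberg's Spycheck and not the article's code), the following Python script performs the equivalent check on Linux by reading the attributes the kernel's Thunderbolt driver exposes under /sys/bus/thunderbolt/devices/domain<N>/ (`security` and `iommu_dma_protection`, documented in the kernel's admin guide). The verdict rule follows the thread's point: only Kernel DMA (IOMMU) protection stops Thunderspy, since Security Levels can be rewritten in controller firmware. The sample sysfs tree it builds when no real controller is present is constructed for offline demonstration.

```python
"""Classify a Linux host's Thunderbolt exposure to Thunderspy-style DMA attacks.

Added example, not part of the Spycheck tool. Reads two Linux Thunderbolt
sysfs attributes under /sys/bus/thunderbolt/devices/domain<N>/:
  security             -> none | dponly | user | secure | usbonly | nopcie
  iommu_dma_protection -> "1" when the kernel enforces IOMMU DMA protection
Verdict rule: only IOMMU-based Kernel DMA Protection counts as protected;
a Security Level by itself does not, because Thunderspy resets it.
"""
from pathlib import Path
import tempfile

SYSFS_TB = Path("/sys/bus/thunderbolt/devices")


def read_attr(path: Path, default: str) -> str:
    """Return a sysfs attribute value, or `default` if it is missing/unreadable."""
    try:
        return path.read_text().strip()
    except OSError:
        return default


def assess_domain(domain: Path) -> dict:
    """Assess one Thunderbolt host controller (a domainN directory)."""
    security = read_attr(domain / "security", "unknown")
    # The attribute only exists on kernels that implement DMA protection;
    # its absence is treated as "not protected".
    iommu = read_attr(domain / "iommu_dma_protection", "0") == "1"
    if iommu:
        verdict = "protected"
        advice = "Kernel DMA Protection is active; the Security Level is secondary."
    else:
        verdict = "vulnerable"
        advice = ("No IOMMU DMA protection reported; Security Level '%s' can be "
                  "reset by reflashing the controller. Disable Thunderbolt in "
                  "firmware setup, use full-disk encryption and power off when "
                  "the machine is unattended." % security)
    return {"domain": domain.name, "security": security,
            "iommu_dma_protection": iommu, "verdict": verdict, "advice": advice}


def assess_host(root: Path = SYSFS_TB) -> list:
    """Assess every Thunderbolt domain under `root`; empty list = no Thunderbolt."""
    if not root.is_dir():
        return []
    return [assess_domain(d) for d in sorted(root.glob("domain*")) if d.is_dir()]


def make_sample_sysfs() -> Path:
    """Constructed sysfs tree (not captured from a real machine), for offline runs:
    domain0 mimics a pre-2019 laptop (SL1 'user', no IOMMU attribute at all),
    domain1 a newer one whose kernel reports IOMMU DMA protection."""
    root = Path(tempfile.mkdtemp(prefix="tb_sysfs_"))
    for name, security, iommu in (("domain0", "user", None),
                                  ("domain1", "secure", "1")):
        d = root / name
        d.mkdir()
        (d / "security").write_text(security + "\n")
        if iommu is not None:
            (d / "iommu_dma_protection").write_text(iommu + "\n")
    return root


if __name__ == "__main__":
    root = SYSFS_TB if SYSFS_TB.is_dir() else make_sample_sysfs()
    results = assess_host(root)
    if not results:
        print("No Thunderbolt host controller found: not exposed to Thunderspy.")
    for r in results:
        print(f"{r['domain']}: security={r['security']} "
              f"iommu_dma_protection={r['iommu_dma_protection']} -> {r['verdict']}")
        print("  " + r["advice"])
```

Run it as root on the machine being checked; on a host without the sysfs tree it falls back to the constructed sample so the classification logic can still be inspected.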
zanderthunder, posted May 12, 2020

Hmm... it seems the flaw is mainly on the software side, not the firmware side.
Karlston (author), posted May 12, 2020

Thunderspy: What it is, why it's not scary, and what to do about it

Evil maids can use the Thunderbolt port to access your computer; many restrictions apply.

There's a new attack that uses off-the-shelf equipment to take full control of a PC—even when locked—if a hacker gets just a few minutes alone with it. The vector is a familiar one: the Thunderbolt ultrafast interface connects graphics cards, storage systems, and other peripherals to millions of computers.

The hack, which took years to develop, is elegant. Its adept mix of cryptanalysis, reverse engineering, and exploit development punches a major hole in defenses that Thunderbolt creator Intel spent considerable time and resources to erect. Ultimately, though, the technique is an incremental advance in an attack that has existed for more than a decade. While the weakness it exploits is real and should be closed, the vast majority of people—think 99 percent—shouldn't worry about it. More about that later. For now, here are the bare-bones details.

Accessing Memory Lane

Thunderspy, as its creator Björn Ruytenberg has named the attack, in most cases requires the attacker to remove the screws from the computer casing. From there, the attacker locates the Thunderbolt chip and connects a clip, which in turn is connected to a series of commodity components—priced about $600—which is connected to an attacker laptop. These devices analyze the current Thunderbolt firmware and then reflash it with a version that's largely the same except that it disables any of the Intel-developed security features that are turned on. With the defenses dropped, the hacker has full control over the direct memory access, a feature in many modern computers that gives peripheral devices access to the computer's main memory. A Thunderspy attacker is then free to connect a peripheral that bypasses the Windows lock screen.
The following video shows the attack in more detail as it's used to gain access to a Lenovo P1 laptop that was bought last year:

Thunderspy PoC demo 1: Unlocking Windows PC in 5 minutes.

While the bypass in the video takes a little more than five minutes, an attacker would need more time to install persistent and undetectable malware, copy the contents of the hard drive, or do other nefarious things.

The attack hasn't worked against Apple Macs for more than three years (as long as they run macOS) and also doesn't work on Windows or Linux machines that have much more recent updates that implement a protection known as Kernel Direct Memory Access Protection. Kernel DMA is the OS method for implementing the Input-Output Memory Management Unit, which is an Intel-developed mechanism that connects to a DMA-capable bus and controls or blocks accesses to memory, including preventing malicious transfers of memory by connected peripherals. The protection is generally abbreviated as IOMMU.

A variation of the attack involves getting access to a Thunderbolt peripheral that has already received permission to access the vulnerable computer. An attacker can clone the peripheral and use it to gain access to the DMA on the targeted machine. Here it is in action:

Thunderspy PoC demo 2: Permanently disabling all Thunderbolt security on a Windows PC.

Security practitioners have long made clear that an experienced adversary getting physical access to a device—even for a short amount of time—represents a game-over event. The only reasonable assumption is that the computer, phone, or other electronic device is compromised. The only meaningful response in this scenario is to discard the device, since it's conceivable that the compromise involves the undetectable rewriting of firmware in one of the device's many components (a hacking group dubbed Equation Group and linked to the US National Security Agency was doing this as early as the early 2000s).
Despite the admonition about physical access, some practitioners remain wary of so-called "evil maid" attacks, in which a housekeeper, co-worker, or government official gets fleeting access alone to a device. The evil maid threat is precisely the reason hardware and software developers—Intel included—have poured incalculable amounts of money into devising hard-drive encryption, chain-of-trust boot-ups, and similar protections. People who take Thunderspy seriously do so because it reopens this type of attack using hardware that came preinstalled on millions of devices.

Sabotage ain't hacking

Even among those who buy into the evil maid threat, many are dismissing Thunderspy as a hack that stands out from other viable attacks in this category. Plenty of other firmware-driven computer components have similar access to highly sensitive computer resources. The chip that runs the BIOS—or the firmware that initializes hardware during the booting process—is a prime target for hackers who have physical access and the ability to remove case screws. Another potentially simpler alternative is to remove the hard drive and backdoor the OS. If a computer has Trusted Platform Module or a similar protection that cryptographically ensures the integrity of computer hardware before loading the OS, the attacker can sniff the crypto key off the low-pin count bus, assuming a user hasn't enabled a preboot password. Some Embedded Controllers that handle keyboard and power management are another target, as are other controllers (Thunderbolt or otherwise) if they have DMA access (e.g. Ethernet and USB3 controllers).

"There are seriously tons and tons of things you can do to a PC once you open the case," says Hector Martin, an independent security researcher with extensive experience in hacking or reverse-engineering the Nintendo Wii, several generations of the Sony PlayStation, and other devices with strong defenses against physical attacks.
"The evil maid threat model is interesting when you restrict it to plugging things into ports, because that can be done very quickly when e.g. the target is just looking away."

Alfredo Ortega, a security consultant who specializes in vulnerability research and cryptography, told me largely the same thing. He said:

    I do not think this is a significant attack, because it requires physical access to the notebook, and if you have physical access to the computer, there are much simpler attacks that would have the same effect (for example, inserting a key-logger in the keyboard, hiding a mic inside the notebook, installing a malicious motherboard, etc.)

    Specifically, I do not agree with the first claim in their paper "Inadequate firmware verification schemes" because the firmware is indeed verified adequately at flash time. If you can physically flash the chip, arguably you could flash any other chip in the notebook and remove all protections or even completely replace the notebook with a malicious one.

    There are many pseudo-attacks like this one that also are not really very dangerous because they require physical access, for example, many so-called car-hacking attacks actually need to install dongles in connectors inside the cars. If you get inside the car, you could also cut the brake lines: a much simpler attack, with the same effect. This is the same concept. This is really a form of sabotage, not hacking.

    If they can find a way to remotely flash a malicious firmware, then yes, this would make this attack dangerous. But they couldn't do that at the moment, and they require disassembling the notebook.

While evil maid attacks that don't require disassembly are hard, they're not impossible. In 2015, security researcher Trammell Hudson created a device that, when plugged in to the Thunderbolt port of a fully updated Mac, covertly replaced its firmware.
The feat, which required only fleeting access to the targeted machine, didn't require any disassembly or any access to an already trusted Thunderbolt device. Apple promptly fixed the flaw.

Ortega said Thunderspy does identify several weaknesses that represent real flaws in the Thunderbolt system, but he doesn't consider the weaknesses significant. He noted that under the Common Vulnerability Scoring System, the weaknesses are rated a relatively low 7, an indication, he said, that others don't believe the flaws are severe, either.

Critics also note that over the past decade there have been multiple attacks that target weaknesses in Thunderbolt to achieve largely the same result. Examples include this one and this one. One of the more recent ones is known as Thunderclap.

The reception to Thunderspy on social media has been even more scathing. A small sampling includes pretty much every tweet made over the past 48 hours from Pedro Vilaça, among the best-known macOS reverse engineers and hackers. While the chorus of criticism has been nothing short of extreme, plenty of security professionals say Thunderspy is an important attack that should be taken seriously.

Intel assurances torn asunder

"People arguing that physical access to a computer means you've lost: why do you think laptops should not be at least as resistant to physical attack as an iPhone?" Matthew Garrett wrote on Twitter. In the same thread, fellow security researcher Saleem Rashid added: "ignoring the 'physical access = game over' crowd, a practical concern is that you can open a laptop and make drastic hardware changes in a way you can't with a smartphone."

Another researcher who has given Thunderspy his qualified approval is security researcher Kenn White. He was clear that the attack represents only an "incremental advance" in previous Thunderbolt evil maid attacks, but he said it's nonetheless important.
He summarized his assessment of the findings this way:

    It's interesting to many in the community because it bypasses Intel's most recent mitigations and is clear proof that the physical security model for Thunderbolt, for millions of devices, is broken. People who say "there are much easier ways to compromise a device" are correct, but that's not the point.

    Ignoring for the moment any undue exaggeration of impact, this is an incremental improvement in our understanding of complex interdependencies. Maybe not unexpected in principle by practitioners in this specialized space, but an incremental research advance nonetheless. If a sufficiently resourced attacker can tamper with physical hardware of the victim, particularly for commodity x86 Windows systems, in general, yes, that system can be compromised. Specifically though with Thunderbolt, Intel makes specific anti-tampering security guarantees in their most recent firmware/software which have been bypassed here.

Meanwhile, White said, both Apple and Google have managed to implement settings that block many Thunderspy-type physical DMA attacks, including USB-C, from working against Macs and Pixelbooks, respectively. "Apple and Google device engineers seem to have anticipated this issue and have stronger IOMMU defaults and therefore expose their users to less risk."

For its part, Intel has published a statement that points out what Ruytenberg had already made clear—that Thunderspy is defeated by Kernel DMA protections, which were released last year for Windows (Windows 10 1803 RS4 and later) and Linux (kernel 5.x and later), and in early 2017 for macOS (macOS 10.12.4 and later, which came more than two years ahead of the Windows and Linux fixes). The statement also characterized Thunderspy as a new physical attack vector for an old vulnerability.
Left out of the post is something Intel has yet to acknowledge: that millions of computers remain stuck with an insufficient protection Intel once promised used cryptographic authentication to "prevent unauthorized Thunderbolt PCIe-based devices from connecting without user authorization."

What's a user to do?

Readers who are left wondering how big a threat Thunderspy poses should remember that the high bar of this attack makes it highly unlikely it will ever be actively used in real-world settings, except, perhaps, for the highest-value targets coveted by secretive spy agencies. Whichever camp has a better case, nothing will change that reality. The truly paranoid can run tools here and here to check if their computers are susceptible. Users of computers that remain unprotected against this esoteric attack can then use their BIOS to disable Thunderbolt altogether.

The bigger impact of this research is the rift it has exposed among security researchers and the computer users who look to them for guidance in assessing hacking risks. "I literally made one post just quoting [Wired's earlier] story [on Thunderspy] and some guy sent me 65 replies/tags for six hours last night," White said. "There's a lot of hostility out there."

Source: Thunderspy: What it is, why it's not scary, and what to do about it (Ars Technica)