Thunderspy-A new way to hack PC/laptops using Thunderbolt port in under 5 minutes


Thunderspy vulnerability puts millions of Windows and Linux PCs/Laptops using Thunderbolt Ports at risk

If your Windows/Linux PC/laptop is manufactured before 2019 and has a Thunderbolt port, you are a risk of a highly leveraged hack attack. The vulnerability is so severe that if you leave your laptop alone with a potential hacker it can be hacked through its Thunderbolt component.

A Dutch researcher has demonstrated how “that sort of physical access hacking can be pulled off in an ultra-common component – the Intel Thunderbolt port found in millions of PCs”. The new attack method, dubbed Thunderspy, was discovered by Björn Ruytenberg of the Eindhoven University of Technology in the Netherlands.

Ruytenberg has discovered a total of 7 vulnerabilities in Thunderbolt port related to improper firmware verification, weak device authentication, the use of unauthenticated device metadata, downgrade attacks, unauthenticated controller configurations, SPI flash interface issues, and the lack of Thunderbolt security when using Boot Camp, the tool that allows users to install Windows on Apple computers.

What is Thunderbolt?

Thunderbolt is a hardware interface developed by Intel and Apple that allows the connection of external devices to your PC/laptop. Thunderbolt 1 and 2 use the same connector as Mini DisplayPort (MDP), whereas Thunderbolt 3 re-uses the USB-C connector from USB. Millions of laptops and desktop computers have Thunderbolt as a connection port. These millions of PCs/laptops are now left vulnerable to the Thunderspy attacks.

What is Thunderspy

Thunderspy is the name given by Ruytenberg to the attack vector for Thunderbolt ports. Ruytenberg has demonstrated a Thunderspy attack which showed how an attacker with physical access to a locked laptop can easily bypass authentication and gain control of the PC/laptop. Mind you, the vulnerability requires the hacker to physically access the PC/laptop. In the demo, Ruytenberg could bypass authentication and gain access to everything stored on the laptop in less than 5 minutes.

The attack process is called the Evil Maid Attack. An evil maid attack is an attack on an unattended device, in which an attacker with physical access alters it in some undetectable way so that they can later access the device or the data on it.

This particular attack involved opening the device’s back cover, connecting a hacking device called a Bus Pirate to the SPI flash interface associated with the Thunderbolt controller firmware, connecting the Bus Pirate to the attacker’s laptop, copying the Thunderbolt firmware using a tool called Flashrom, modifying the Thunderbolt firmware to disable all Thunderbolt security, and writing it back to the targeted device.

Ruytenberg then connected the Thunderbolt-based direct memory access (DMA) attack device running PCILeech to the laptop. This allowed him to load the kernel module and completely bypass the Windows login screen.

PoC video

The proof-of-concept video is given below:

Ruytenberg has also listed a second method of attack involving Thunderbolt ports. In the second PoC video, Ruytenberg showed how a hacker can exploit some of the Thunderspy vulnerabilities to permanently disable all Thunderbolt security and block users from conducting firmware updates.

What makes the Thunderspy so devastating is that it may only require a hacker with a screwdriver and hacking knowledge to access any PC/laptop in the world in under 5 minutes. “All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate, and the evil maid gets full access to the laptop,” says Ruytenberg.

“Thunderspy is stealth, meaning that you cannot find any traces of the attack,” Ruytenberg explains “It does not require your involvement, i.e., there is no phishing link or malicious piece of hardware that the attacker tricks you into using. Thunderspy works even if you follow best security practices by locking or suspending your computer when leaving briefly, and if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption.”

Which Windows/Linux PC/laptops are at risk?

All Windows PC/laptops manufactured after 2011 are at risk from Thunderspy attack if they have a Thunderbolt port — this includes USB-C and Mini DisplayPort ports with a lightning symbol next to them. However, some devices made and shipped from 2019 have Kernel DMA Protection, which mitigates some of the Thunderspy vulnerabilities. Ruytenberg listed the latest HP EliteBook and ZBook, and Lenovo ThinkPad and Yoga devices which have the Kernal DMA Protection.

Apple’s macOS PCs

Thankfully, Apple manufactured PCs are only vulnerable to this flaw if they run Linux or Windows installed through the Boot Camp utility.

Ruytenberg has published a research paper containing technical details. He has already made an open-source tool called Spycheck and can be visited for Windows here. Linux users can get it here.  Spycheck runs a scan and tells the users if their PC/laptops are vulnerable to the Thunderspy attack. It also provides recommendations on how to fix the flaw.


About Author

"The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had." Eric Schmidt

Notify of
Inline Feedbacks
View all comments