Thunderbolt Bug Lets Hackers Steal Your Data in 'Five Minutes' (thenextweb.com)
A new set of flaws discovered in the Intel Thunderbolt port has put millions of machines at risk of local hacking. This new research by Eindhoven University's Bjorn Ruytenberg suggests that if a hacker gains access to a machine for just five minutes, they could bypass login methods to gain full data access. From a report: Thunderbolt ports are present in machines with Windows, Linux, and macOS. So, that covers a lot of computers. Ruytenberg said all Thunderbolt versions and systems shipped between 2011 and 2020 are affected and no software patch can fix these vulnerabilities. So, Intel would need to redesign silicon in order to fix these flaws. There's not much you can do here. However, with open-source software called Thunderspy, developed by Ruytenberg and their team, you can check if you're affected by the Thunderbolt bug.
Remember, it requires physical access (Score:5, Informative)
It's not a remote exploit.
Re: (Score:2)
Previously I would have said that that once an attacker has physical access that it's game over. That's still mostly true for me, but only if the machine is powered on.
Remember that physical access is easy. (Score:3, Interesting)
Every office I ever went to, had all the ports exposed at the backside of the PC on/under the table I sat at.
And every doctor first let me sit in that room, alone, for quite some time, between me being brought in from the waiting room and him entering.
During Windows 98 SP2 times, it was as trivial to infect their network as sticking in a USB drive with an autorun.inf on it, or whatever it was called, waiting three seconds, and pulling it back out.
Re: (Score:2)
It still is possible if they actually allow you to plug a USB device in.
Re: (Score:2)
So, a glob of glue in the Thunderbolt port (if you don't use it), counts as a patch?
Re: Remember, it requires physical access (Score:2)
Re: (Score:2)
Only if you don't want to charge your machine. When Apple removed the MagSafe connector in favor of USB-C, it became impossible to secure current-generation Macs against this attack. I'm assuming the same is true for all other manufacturers that run Thunderbolt over USB-C.
Re: (Score:1)
Requires opening up the laptop too (Score:4, Informative)
You have to physically open the computer up and reflash the Thunderbolt controller. Given that, I wonder why they say it can bypass disk encryption.
Re: (Score:3)
But this whole thing is pretty weak sauce.
The only "issues" I see here are that:
A) Windows will configure the IOMMU to match the SL of the thunderbolt controller (meaning if SL is 0, IOMMU is wide open)
B) There doesn't appear to be signature verification on the thunderbolt firmware... which is hardly unusual for embedded controllers in PCs.
Re: (Score:1)
Re: (Score:2)
I thought this was well and truly taken care of with the IOMMU, have they still left it completely open?
Re:Remember, it requires physical access (Score:4, Insightful)
Physical security is important. Evil maid attacks at hotels, servers in datacentre racks. Crossing a border. It's one reason why we use encrypted drives and why AMD supports encrypted RAM.
Back in the FireWire days the attacker would turn up with a device that let them not only access the hard drive but capture the entire RAM of a running machine. Thunderbolt was initially just as vulnerable but Intel introduced IOMMU to mitigate the attack, and it looks like they failed.
Re: (Score:3)
Thunderbolt was initially just as vulnerable but Intel introduced IOMMU to mitigate the attack, and it looks like they failed.
IOMMU is programmed by the operating system.
The default behavior of the drivers is to program the IOMMU to allow what it should allow, in the case of an SL0 thunderbolt controller- that's everything, and correctly so.
Now, should the drivers be a bit more fucking paranoid about weird things like thunderbolt controllers in SL0? Probably so.
Re: (Score:2)
Well, yeah, the first paragraph of the article says it's a local hack that requires physical access.
I guess you could turn it into a remote exploit with the help of telekinesis.
Re: (Score:2)
It's not a remote exploit.
Indeed. It is a local attack and it needs the attacker to open the computer and attach a connector to the Thunderbolt firmware FLASH chip. An attacker that can do that can in a similar fashion re-flash the main BIOS and completely compromise the system on next boot.
Re: (Score:1)
Re: (Score:3)
Re: (Score:1)
Yeah, and five minutes is a long time. Pretty sure the previous one just took a few seconds, and was never really fixed either ;)
Re: From https://thunderspy.io/ (Score:2)
Arguably yes, because in order to install the software you need to copy it to your machine. If you're making a copy of someone else's work, you need a license.
In reality the GPL is almost completely untested in court, so there's no way to know for sure.
Re: From https://thunderspy.io/ (Score:1)
The TiVoization lawsuits and EFF in general beg to differ.
17 USC 117 (Score:2)
in order to install the software you need to copy it to your machine.
Whether this infringes copyright depends on the country. In the United States, making a copy "as an essential step" to running a computer program is not infringement. Title 17, U.S. Code, section 117(a)(1) [cornell.edu].
Re: (Score:2)
No, because the GPLv3 specifically says:
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or run a copy of the Program. Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance.
Whoever gave you the software made the copy, and needed to accept the terms of the license to do so—not the recipient or user of the software.
Arguably this applies to software (and other media) in general, not just works licensed under GPLv3. It's too late to impose terms after the work is already on the user's PC. They have no need for a licence at that point since they aren't making copies of the work, just making use of the copy they already possess.
Re: From https://thunderspy.io/ (Score:1)
The GPL requires that every user gets a copy of the source code. No exceptions. (Usually, you get a link, but it is implied anyway.)
And getting the source code implies you agreed to the GPL.
Otherwise somebody could redistribute the software without the source, making it not open source but agnostic source, like with the BSD license, leading to widespread abuse by organized crime (i.e. the Mafia) abusing and leeching on creators, as always. ;)
But talk about opening a can of worms by saying that around here.
Re: (Score:2)
The GPL requires that any user can obtain a copy of the source code, if necessary by you posting it through snail mail. There's no requirement for them to ask for or take it unless they try distributing the software and are asked to make source available to their user.
Re: (Score:3)
And getting the source code implies you agreed to the GPL.
No.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or run a copy of the Program. Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so.
Any agree button in an installer should be read as "I agree that I don't need to agree as per section 9".
Re:From https://thunderspy.io/ (Score:4, Informative)
Legally speaking, is it actually necessary to require the user to accept the GPLv3 license to install & use GPL software?
No, it is not needed: GPL is not an EULA. The end user does not have to accept the GPL license to install or run the software. Only those who want to distribute the software need to accept the license.
Or is this click-thru licensing there simply because emulating commercial software installers seemed like the correct thing to do?
Yes.
Re: (Score:2)
"Some software packaging systems have a place which requires you to click through or otherwise indicate assent to the terms of the GPL. This is neither required nor forbidden. With or without a click through, the GPL's rules remain the same.
Merely agreeing to the GPL doesn't place any obligations on you. You are not required to agree to anything to merely use software which is licensed under the GPL. You only have obligations if you modify or distribute the software. If it really bothers you to click throug
Mac Data RECOVERY by independent repair? (Score:5, Interesting)
Could this be made into a tool and used for Mac Data recovery for independent repair shops? :)
Re: (Score:3)
Recent Macs have the T2 chip that encrypts data on the internal built-in drive, so I don't think it would work for most people who need to recover data.
This exploit can be easily defeated (Score:2)
if you replace your back plate screws with something more proprietary than a Phillips-head screw. Or maybe a plate alarm which would go off if someone tried to open up your computer.
Maybe someone could kickstart a back plate lock set that covers the screws.
If I was at a coffee shop and went to the bathroom, and someone took apart my laptop, and plugged things into it, I would hope someone would notice.
Re:This exploit can be easily defeated (Score:4, Funny)
If you're not planning on using the port it could be filled with epoxy.
Re:This exploit can be easily defeated (Score:4, Insightful)
Of course, on some laptops the only charging ports are thunderbolt ports. So you have to leave the port available or your laptop won't be able to recharge.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
If you're not planning on using the port it could be filled with epoxy.
It is not about the external port. This attack needs the attacker to open the computer.
Re: (Score:3)
If you're not planning on using the port it could be filled with epoxy.
If I needed the port, I would put a glob of epoxy on the Thunderbolt chip pins on both sides of the board.
Re:This exploit can be easily defeated (Score:4, Informative)
if you go to the bathroom and leave your laptop in a coffee shop, you're a naive dumb-ass and shouldn't be surprised if someone runs out the front door with it.
Re: This exploit can be easily defeated (Score:3)
Maybe try moving to a place where people aren't all criminals. There are plenty of places like this, though admittedly they are not areas heavily laden with coffee shops.
Re: This exploit can be easily defeated (Score:2)
Re: (Score:2)
Wow, talking about completely missing the point. You don't avoid high crime areas so that you can be careless.
Re: (Score:2)
I'd like to hear about these magical places with low crime and coffee shops. Of course I'm then going to tell you the actual crime rate and burst your bubble....
Re: This exploit can be easily defeated (Score:2)
I do this in my local pub. You have to turn up early to get a table* for the pub quiz so I go straight after work, eat a sandwich I bought in the supermarket**, buy a drink and do a bit more work.
I've never even asked someone else to keep an eye on it. It's one of the few places I'd do it though, but they definitely do exist.
* It's very small and the quiz is very popular.
** They don't serve food so they're happy for people to turn up with their own food, takeaway, etc.
Re: (Score:2)
Re: (Score:2)
Maybe try moving to a place where people aren't all criminals. There are plenty of places like this, though admittedly they are not areas heavily laden with coffee shops.
In many places you would be statistically fine leaving your laptop unattended for a few minutes. You would still be very foolish to do so.
Re: (Score:1)
Or a suspicious / malicious life partner / work colleague ?
Re: (Score:1)
Re: (Score:2)
Try getting sales execs to practice proper security with their laptops, like not leaving them in the hotel room while they go out on a bender with the client.
Re: (Score:2)
if you replace your back plate screws with something more proprietary than a phillips head screw.
Wait, are you one of the engineers still putting "security screws" in products, oblivious to the fact that you can get the security bits from Amazon, eBay, Harbor Freight, the local flea market, etc. for next to nothing? They are more of an annoyance than anything else, and someone going to the trouble of trying this exploit out in the wild is probably carrying a kit with them just in case. Hell, the screwdriver used in the demo is part of a kit you can get on Amazon for about $18 and comes with just about ever
Re: (Score:2)
My mid-2010 Mac mini has a thunderbolt port.
Re: (Score:2)
I've not run it, but I'm guessing that it asks "Do you have thunderbolt?" and, if you say "yes", it tells you that you are affected.
Re: Why do we need to check? (Score:1)
Check the date with NTP? :D
And check if you actually got (working) TB?
Re: Why do we need to check? (Score:1)
And you thought I was just poor... (Score:1)
Now who's the idiot with the attackable PC?
So long, suckers!
Charter? (Score:2)
Physical access is full access (Score:2)
Re: (Score:3)
In SL1+, IOMMU is programmed to be restrictive. Bus is useless for attacking.
This "bug/exploit" involves patching the firmware of the Thunderbolt controller by opening up the laptop so that it reports itself as an SL0 device, which the drivers then open the IOMMU up for (since that's basically what an SL0 device is for).
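As an added defender-side example (not code from this thread or from the Thunderspy project): a small Python checker that reads the Thunderbolt security level and the IOMMU DMA protection flag that the Linux kernel exposes under /sys/bus/thunderbolt, and reports whether a domain sits in SL0 (IOMMU opened up, as the comment above describes) or in SL1+ with kernel-enforced IOMMU protection. The sysfs attribute names and values are assumed from the kernel's Thunderbolt admin guide; the sample values in the test are constructed.

```python
"""Report Thunderbolt security level and IOMMU DMA protection on Linux.

Assumed sysfs layout (kernel Documentation/admin-guide/thunderbolt.rst):
  /sys/bus/thunderbolt/devices/domain<N>/security
      one of: none, user, secure, dponly, usbonly, nopcie
  /sys/bus/thunderbolt/devices/domain<N>/iommu_dma_protection
      "1" when the kernel enforces IOMMU protection for hot-plugged
      Thunderbolt/PCIe devices, "0" otherwise (absent on older kernels)
"""
import glob
import os
from typing import Dict, Optional

# sysfs 'security' value -> Thunderbolt Security Level as discussed in the thread
SECURITY_LEVELS = {
    "none": "SL0",      # no security: every attached device gets PCIe/DMA
    "user": "SL1",      # user must approve each device before it gets PCIe
    "secure": "SL2",    # SL1 plus a per-device key challenge
    "dponly": "SL3",    # DisplayPort tunnelling only, no PCIe
    "usbonly": "SL4",   # USB/DisplayPort only, no PCIe (newer kernels)
    "nopcie": "NOPCIE", # PCIe tunnelling disabled by firmware
}


def assess_domain(security: str, iommu_dma_protection: Optional[str]) -> Dict:
    """Classify one Thunderbolt domain from its sysfs attribute values."""
    security = security.strip()
    level = SECURITY_LEVELS.get(security, "unknown")
    iommu_on = (iommu_dma_protection or "").strip() == "1"
    pcie_possible = level in ("SL0", "SL1", "SL2", "unknown")
    if not pcie_possible:
        risk, note = "low", "PCIe tunnelling disabled; no DMA path via the port"
    elif iommu_on:
        risk, note = "low", "kernel enforces IOMMU DMA protection for hot-plugged devices"
    elif level == "SL0":
        risk, note = "high", "SL0: any device gets DMA and no IOMMU protection is enforced"
    else:
        risk, note = "medium", f"{level} relies on device approval; IOMMU protection not enforced"
    return {"security": security, "level": level, "iommu_dma_protection": iommu_on,
            "risk": risk, "note": note}


def _read(path: str) -> Optional[str]:
    """Return a sysfs attribute's contents, or None if it does not exist."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


def scan_sysfs(root: str = "/sys/bus/thunderbolt/devices") -> Dict[str, Dict]:
    """Assess every Thunderbolt domain found under root (empty dict if none)."""
    results = {}
    for sec_path in sorted(glob.glob(os.path.join(root, "domain*", "security"))):
        domain_dir = os.path.dirname(sec_path)
        iommu = _read(os.path.join(domain_dir, "iommu_dma_protection"))
        results[os.path.basename(domain_dir)] = assess_domain(_read(sec_path) or "", iommu)
    return results


if __name__ == "__main__":
    found = scan_sysfs()
    if not found:
        print("no Thunderbolt domains found (no controller, or driver not loaded)")
    for name, info in found.items():
        print(f"{name}: {info['level']} iommu_dma_protection={info['iommu_dma_protection']} "
              f"risk={info['risk']} ({info['note']})")
```

Run it as root-free on the machine itself; a host that shows SL0 without iommu_dma_protection=1 is the configuration the thread calls "wide open".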
Macs are not as affected for some reason? (Score:3)
I was wondering why there was no Mac checker, reading the page as to why Apple has not fixed Thunderspy issues they say this:
In our vulnerability disclosure procedure, Apple has stated the following:
"Some of the hardware security features you outlined are only available when users run macOS. If users are concerned about any of the issues in your paper, we recommend that they use macOS."
For the section on systems being affected, for MacOS they say:
If you are running MacOS, your system is partially affected by Thunderspy. For recommendations on how to help protect your system, please refer to protections against Thunderspy.
So for some reason when running OSX there are extra security measures in place, but it doesn't say what that means for the exploit. It seems like maybe the Mac encrypted drives cannot be bypassed as they say they can do for other systems?
Comment removed (Score:5, Informative)
Re: (Score:2)
Yes, and I'd further note that ThunderBolt endpoints don't even need to be enabled when hot-plugged. Changes in configuration strategy, although they may be significant, could largely mitigate or even eliminate these threats.
Also, as an interesting historical aside, I'll mention that Windows NT, which forms the basis for modern Windows, has had IOMMU support from day one. Why? Because NT grew out of DEC's effort to replace VMS which used IOMMU. This all existed before Macs even had preemptive multitaski
Re: Macs are not as affected for some reason? (Score:1)
Re: (Score:2)
Oh look, SuperKendall finds something he can exploit to promote Apple products. What a surprise!
So SuperKendall, did you find the answer to "why there was no Mac checker"? Did you notice that Apple did NOT say that it had "fixed" these issues?
What makes you say that "it seems like maybe the Mac encrypted drives cannot be bypassed as they say they can do for other systems"? The same kind of evidence that makes you claim that humans naturally have a partial immunity to SARS-CoV-2? Wishful thinking? Tribal
Re: (Score:2)
Basically the firmware setup for booting macOS enables a number of Thunderbolt mitigations, and for BootCamp, they just disable them all (is what I read in their paper). For a modern Windows laptop, they generally are enabled by default (because Windows does support them) but can be disabled (for example some older Windows or older Thunderbolt devices aren't compatible with the mitigations).
A bit overhyped... (Score:5, Insightful)
Upon reading the paper, I think they have more hype than substance here. At least in terms of *newly* known things.
The short of it is, they can defeat mechanisms intended to enable users/software to make informed decisions about whether to allow PCIe to a Thunderbolt device. They can mimic a 'trusted' Thunderbolt device (so the user would already have had to assent to using a device, and then they can swap in their spoof of the device to have an evil device with DMA access). They can also make a 'trusted' host controller run arbitrary firmware if they can rip out the flash chip from the motherboard and reprogram it.
Once you have PCIe devices, you can do generically controversial PCIe things. The key is that Thunderbolt recognized that as controversial and made mechanisms to give user control over whether an external device gets to be a PCIe device. The novelty in this work is they can bypass those protections to get the equivalent of internal PCIe device access. The problem is that the bypass portions require you to get internal, at which point you could just attack some internal PCIe connection.
They also point out that once a user trusts a Thunderbolt device, they can imitate that Thunderbolt device if they can swipe the device and mess with it, similar to them stealing a drive or PCIe device out of a system and then putting it back later modified.
What they don't have is a scenario where an evil maid walks up with a magic dongle and downloads all the memory and/or disk contents within 5 minutes.
Re: (Score:1)
A Thunderbolt port is just a giant hole for plug-and-play internal expansion. Really neat for devices you keep in locked rooms, but kind of an issue in laptops.
Easily accomplished with a boot disk/stick (Score:1)
Re: (Score:2)
This bypasses that. If you access the SPI port of the FLASH chips that contain the BIOS, you can bypass a BIOS lock without even trying.
Re: (Score:2)
As though that were easily done.
Re: (Score:1)
Flashing an SPI FLASH chip? If you have trouble doing that, you have no place in this discussion. There is no "BIOS lock" on the chip itself.
Windows? (Score:2)
Literally dozens are affected.
No Shit (Score:3)
This shouldn't be a surprise or revelation to anyone. It's a natural consequence of DMA. The whole point is to access system memory without having to go through the CPU and reduce overhead.
This isn't a flaw in the system, it's an explicit and intentional feature. DMA support allows Thunderbolt to act as external PCIe. Without it eGPU and other accessories wouldn't be possible.
The "patch" is the same as for anywhere the attacker can physically access the machine: don't let them do it. If they can lay hands on the device you have already lost. That's rule #1 of security. If you can't guarantee physical security 100% of the time then you can mitigate the issue somewhat by disabling unused ports and using third party DLP software to intervene when unauthorized devices are connected and to alert you/IT.
Re: (Score:2)
The crux of their paper does not seem to be that PCIe is possible, it is that they can bypass mechanisms intended to have the operator of the computer manage whether or not a particular device is allowed to be PCIe.
If you plug in a PCIe attached GPU or NVMe or whatever, the subsystem causes user to be prompted "hey... there's this new device, is it cool to use it/allow it to do PCIe things" and the user should be able to say 'no', or even configure the device to never ever allow PCIe, but work fine for USB-
Re: (Score:2)
The crux of their paper does not seem to be that PCIe is possible, it is that they can bypass mechanisms intended to have the operator of the computer manage whether or not a particular device is allowed to be PCIe.
Existing best practice is to assume that if the attacker has physical access then they have won. Yes, you can mitigate that risk, but the goal should be to prevent them from getting to the machine in the first place. Supposed authentication on external ports is not a replacement for this mindset.
The crux of their paper does not seem to be that PCIe is possible, it is that they can bypass mechanisms intended to have the operator of the computer manage whether or not a particular device is allowed to be PCIe.
On modern systems, PCIe is used as the primary interconnect between the various different components except for CPU to memory and CPU to Chipset. But your USB, SATA etc is ultimately running on PCIe, even if the soft
Re: (Score:2)
"Disabling" PCIe on Thunderbolt is a misnomer as Thunderbolt is PCIe.
Well, 'ThunderBolt' may be, but there are 3 different data protocols supported on the cable side:
-PCIe
-DisplayPort
-USB
So disabling PCIe over thunderbolt is really still allowing Displayport/USB over the connector. Of course at that point it is functionally 'just' USB-C so I suppose that is basically disabling Thunderbolt...
The problem comes in that they decided 'Disable Thunderbolt' means disabling all the data over the ports. So you don't downgrade a Thunderbolt to a normal USB-C, you would downgrade a Thu
Misleading horseshit (Score:2)
Re: (Score:2)
Nope. If somebody manipulates your hardware, any system is vulnerable. Well, not a real HSM, because those brick themselves reliably when physically attacked.
Something doesn't add up (Score:2)
So in one spot, this dude says "all Thunderbolt versions and systems shipped between 2011 to 2020 are affected and no software patch can fix these vulnerabilities".
Then in another spot he says "If you are running MacOS, your system is partially affected by Thunderspy". How can it only be "partially" affected if all Thunderbolt versions and systems are affected and there's no software patch possible?
Also Apple responded to him "Some of the hardware security features you outlined are only available when users
Re: (Score:2)
In his wording, "affected" includes "partially affected". Boot Camp "undoes this", because Apple disables all security under Boot Camp.
No Thunderbolt security on Boot Camp. Apple supports running Windows on Mac systems using the Boot Camp utility [2]. When [doing so], Mac UEFI disables all Thunderbolt security by employing the Security Level “None” (SL0). As such, this vulnerability subjects the Mac system to trivial Thunderbolt-based DMA attacks.
However, on MacOS itself: Regarding Thunde
Reminds me of Firewire (Score:2)
Yes. If you get to the SPI port of the firmware... (Score:2)
If you can do that, you can also get to the SPI port of the system BIOS Flash and then you can write a new BIOS and can do anything. This is a completely ridiculous non-story, and serves only to make a media-splash.
If somebody has physical access for five minutes (Score:2)
Then they can just steal the machine and have physical access to it for as long as they need, in a location of their choice. This seems far more likely than some action-movie scenario where they rush in, mess with the computer, put it back together and leave undetected while you go to the bathroom.
How is this different from the Microsoft Warning? (Score:2)
https://www.theverge.com/2020/... [theverge.com]
Rather Misleading Paper (Score:1)
I read through the paper... and there really is very little in the way of substance here. I think Intel is justified in not issuing CVEs for any of this. He starts with the assumption that DMA attacks are possible. For new designs that is not the case since the addition of IOMMU support in Windows 10 1803/RS4. All the new Ice Lake laptops have IOMMU enabled for their Thunderbolt controllers, which eliminates the need for using ACLs for security. On new Ice Lake laptops you plug the Thunderbolt device in and