Skip to main content

Scary Thunderbolt flaws leave millions of PCs vulnerable: What to do

Scary Thunderbolt flaw leaves millions of PCs vulnerable: What to do
(Image credit: Getty Images)

Seven Thunderbolt flaws that let attackers with physical access to a device steal encrypted data have been discovered by a Dutch security researcher, who said he was able to enter a locked PC using a couple of portable tools in just five minutes.

The researcher, Björn Ruytenberg, used “easily portable hardware," a screwdriver and custom code to enter a password-protected laptop through the Thunderbolt port. Ruytenberg demonstrated the discovery in a video, showing how the vulnerability can facilitate a five-minute attack.

In the video, Ruytenberg screwed off the backplate of a 2019 Lenovo P1, then used a spy programmer called Bus Pirate to interface with the SPI flash that stores the laptop's Thunderbolt controller firmware. 

After attaching the Bus Pirate to the "attacker" laptop, Ruytenberg used a tool called Flashrom to pull the Thunderbolt firmware from the SPI flash.

With firmware editing access, Ruytenberg disabled the Thunderbolt's security, then removed the Bus Pirate from the victim laptop. The researched attached a different hacking device via Thunderbolt, which loaded a kernel module into the memory of the laptop. 

In minutes, Ruytenberg bypassed the Windows lock screen, completing the attack.

While this method of forced entry has a number of prerequisites, it's a textbook "evil maid" attack in which an unauthorized person, such as a hotel staffer, could hack your devices while you're out of your hotel room. 

You don't want to leave your laptop unattended in a hotel in a hostile country, but such an attack could also occur in a library or cafe where you might walk away from your computer to use a restroom.

Is my PC or Mac affected by Thunderspy?

Only devices with Thunderbolt connectivity are vulnerable to these attacks. Almost all Macs since 2011 do have Thunderbolt, although the Thunderspy flaws are mostly defanged by Apple software precautions. 

Many other PCs also have Thunderbolt capabilities. You'll want to physically check your PC's ports to see if Thunderbolt is built in. Thunderbolt ports look like regular USB-C or MiniDisplay ports, except they've got a little lighting bolt printed next to the port instead or or alongside the regular USB or display symbols. 

If you don't have any Thunderbolt-capable ports, then you don't need to worry. If you do, the Thunderspy flaws are mostly fixed by some recent Intel hardware modifications, but only a few PCs will have those. 

ZDNet listed those models as "HP EliteBook and ZBook 2019 and later, Lenovo ThinkPad P53 and X1 Carbon 2019 and later, and the Lenovo Yoga C940, if it shipped with Intel's Ice Lake CPU."

Those PCs, all of which shipped in 2019 and 2020, are nearly immune to the Thunderspy attacks because of a Windows feature called Kernel DMA Protection. Here's how to check to see if your machine has Kernel DMA Protection

Linux also has implemented Kernel DMA Protection at the operating-system level, but it only applies to certain machines.

Macs, as mentioned earlier, are mostly impervious to the Thunderspy attacks because of mitigations in macOS. But Macs running Windows or Linux via Boot Camp are completely unprotected.

Ruytenberg has also built a couple of Thunderspy-checking software tools for Windows and Linux that you can run to see whether your machine is affected.

Thunderspy flaws: What you can do

All Thunderbolt port attacks. including those associated with Thunderspy, require physical access, meaning the hacker must have your laptop or desktop in their hands to successfully complete the strike. 

These attacks can't be carried out remotely, meaning the best prevention method is keeping your laptop in your possession whenever you're somewhere with people you don't know.

Your laptop or desktop is safe in your home, but if you commute or travel with it, don't leave it unattended. Don't plug any device you don't own into your Thunderbolt ports, like USB-C chargers or projectors or someone else's phone that might need a charge.

Unfortunately, unless your machine has Kernel DMA Protection capability at the hardware level, there's no real fix for these flaws, Ruytenberg said, and neither will any be forthcoming.

A brief history of Thunderbolt vulnerabilities

This isn't the first instance of a Thunderbolt port enabling a security threat for PCs. Last year researchers found that all Apple laptops and desktops produced since 2011, with the exception of the 12-inch MacBook, are vulnerable to a flaw dubbed "Thunderclap."

In 2014, a researcher developed proof-of-concept malware called Thunderstrike that could leap from one Mac to another using Thunderbolt devices. That flaw was fixed with an update, but it seems the more recent Thunderclap has only been mitigated since its discovery — not entirely patched.

As was the case in Thunderclap and Thunderstrike, the best Mac antivirus software and other traditional protections won't help you against the current Thunderbolt flaw.