A specialist from Eindhoven University of Technology in the Netherlands demonstrated a new attack method against Windows or Linux PCs that have a Thunderbolt port. Thunderbolt PCs can be hacked in less than five minutes.
“With the help of a new technique named Thunderspy, it is possible to bypass the authorization screen (and even hard disk encryption) on computers that are locked or in sleep mode, change security settings and access data on the device. Although in most cases it will be necessary to open the PC case to exploit the vulnerability, the attack leaves no traces and takes only a few minutes,” explained the author of the method, Björn Ruytenberg.
The new method belongs to the class of attacks known as “evil maid”, in which an attacker who has physical access to a PC can bypass local authentication.
According to Ruytenberg, so far the only way to protect users from a Thunderspy attack is to disable the Thunderbolt port.
Following the release of a report on the Thunderclap attack, in which attackers steal information directly from the OS’s memory using peripherals, Intel introduced the Kernel DMA Protection security mechanism, which blocks connected Thunderbolt 3 devices and prevents them from using Direct Memory Access until a specific set of procedures has been completed.
“This feature prevents the Thunderspy attack, but the problem is that this mechanism is not available on PCs released before 2019. Moreover, many Thunderbolt peripherals manufactured before 2019 do not support this technology,” writes Björn Ruytenberg.
Specialists examined several models of Dell, HP, and Lenovo PCs and found that the Dell PCs do not have the Kernel DMA Protection feature (including devices released after 2019), while in the case of HP and Lenovo only a few models use the technology. The vulnerability does not affect computers running Apple macOS.
According to HP, “most commercial HP mobile workstations with Sure Start Gen5 and higher support” have Thunderspy attack protection. Lenovo said they were studying the situation.
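A Linux check for the Kernel DMA Protection state discussed above, as an added example that is not part of the original article: it reads the kernel's Thunderbolt sysfs attributes `security` and `iommu_dma_protection` for each Thunderbolt domain. The function names and the optional directory argument (which lets the check run against a constructed tree) are this example's own.

```shell
#!/bin/sh
# Added example: report whether IOMMU-based Kernel DMA Protection is active
# for each Thunderbolt domain on a Linux host.

# Map the content of the "iommu_dma_protection" attribute to a verdict.
tb_verdict() {
    case "$1" in
        1) echo "protected" ;;       # firmware and OS enabled DMA protection
        0) echo "not-protected" ;;   # attribute present, protection is off
        *) echo "unknown" ;;         # attribute missing, e.g. an older kernel
    esac
}

# Walk every domain under $1 (default: the live sysfs Thunderbolt bus).
# Exit status: 0 if every domain is protected or none exist, 1 otherwise.
tb_audit() {
    root="${1:-/sys/bus/thunderbolt/devices}"
    rc=0
    found=0
    for dom in "$root"/domain*; do
        [ -d "$dom" ] || continue    # glob did not match: no controller
        found=1
        # "security" holds the configured Thunderbolt security level.
        sec=$(cat "$dom/security" 2>/dev/null || echo unknown)
        dma=$(cat "$dom/iommu_dma_protection" 2>/dev/null || echo missing)
        verdict=$(tb_verdict "$dma")
        echo "$(basename "$dom"): security=$sec iommu_dma_protection=$dma -> $verdict"
        [ "$verdict" = "protected" ] || rc=1
    done
    [ "$found" -eq 1 ] || echo "no Thunderbolt domains found under $root"
    return "$rc"
}
```

Source the file and call `tb_audit` with no argument on a live system; a non-zero exit status marks a host where at least one Thunderbolt domain is not covered by Kernel DMA Protection.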
Reference:
- Thunderbolt is a peripheral connectivity technology developed by Intel in conjunction with Apple that enables the transfer of data, video, audio, and electricity through a single port.
- HP Sure Start is a technology developed by HP (Hewlett-Packard) to protect the computer’s BIOS. It is responsible for BIOS security and includes the Dynamic Protection function, which checks the BIOS not only when the device status changes, but also during the day at regular intervals.
Let me remind you that we also wrote that researchers from Masaryk University in Brno (Czech Republic) discovered an ECDSA key recovery method. They published PoC code and details of several vulnerabilities in various implementations of the ECDSA/EdDSA digital signature generation algorithm.