Recently a researcher posted a proof of concept that showed him accessing the contents of a locked laptop in just a few minutes. The crux of the flaw comes from Thunderbolt. But while he did gain access to the laptop, he needed physical access, a screwdriver, and off-the-shelf parts.
Updated, 5/11: Intel says this attack won’t work on computers with Kernal DMA protection enabled. An Intel Spokesperson tells us, “This attack could not be successfully demonstrated on systems with Kernel DMA protection enabled. As always, we encourage everyone to follow good security practices, including preventing unauthorized physical access to computers.” The company also posted a response to the research in a blog post.
Dubbed Thunderspy, the attack takes advantage of the fact that Thunderbolt is a direct memory access port. Like, PCI-Express and Firewire, Thunderbolt ports access system memory directly outside the CPU, which allows for high-transfer rates. But that’s also what makes them vulnerable to direct memory attacks.
As seen in security researcher Björn Ruytenberg’s demonstration video, by taking advantage of Thunderbolt’s access to the system memory, a hacker can get to your data even when the laptop is locked, and the hard drive is encrypted.
The attack isn’t simple, though, the hacker would need to be well-prepared and need access to your laptop. The hack involves taking the backplate (the bottom) off a laptop and connecting a device to the motherboard to reprogram the firmware.
Although Ruytenberg contends that’s a process he can accomplish in minutes, that assumes familiarity with the laptop and what’s needed to remove the backplate (if that’s possible at all). It’s unlikely your unattended laptop would fall victim to this attack at a Starbucks, but your stolen laptop is a different story.
According to Ruytenberg, the flaw isn’t a software issue, and can’t be patched out. Instead, a chip redesign is necessary. Other researchers seem to disagree, at least in part and contend that Windows 10’s new kernel-level protection should at least partially mitigate the issue. And if you’re on macOS, you are partially protected as well.
Rutenberg did go on to say that another vector for the attack can bypass the need to disassemble the device partially. But in that case, the hacker would need access to a thunderbolt device previously connected to the laptop.
It’s worth mentioning that Thunderbolt’s potential security vulnerabilities are one reason why Microsoft won’t include the port on Surface devices. For now, if you’re worried if this flaw affects your device, you can check at the ThunderSpy website Ruytenberg created.