Recently, a security expert from Eindhoven University of Technology demonstrated a new method of attacking Windows or Linux computers that have a Thunderbolt port, one that lets anyone hack into a device in less than five minutes. Yeah, just five minutes!
A new technique called Thunderspy makes it possible to bypass the login or lock screen, and even hard drive encryption, on locked or powered-on computers, change the security settings and then access the data on the device.
The author of this method, Björn Ruytenberg, explained that although in most cases it will be necessary to open the PC case to exploit the vulnerability, the attack leaves no trace and only takes a few minutes.
The new method enables a kind of attack known as an evil maid attack, where an attacker with physical access to a PC can easily bypass local authentication.
According to Ruytenberg, the only way to protect oneself against a Thunderspy attack is to disable the Thunderbolt port.
Thunderspy in action
Following the disclosure of the Thunderclap attack, which used peripheral devices to steal information directly from operating system memory, the chip giant Intel introduced Kernel DMA Protection, a security mechanism that blocks connected Thunderbolt 3 devices and prevents them from using direct memory access (DMA) until they have performed a number of procedures.
In addition to all this, the author of this method, Björn Ruytenberg, gave a brief and clear statement: Thunderspy is very complex and you won't find any trace of this attack.
It does not even require your participation, unlike other cyber threats such as phishing links or malware attacks.
Even if you follow best security practices by temporarily locking your computer, or if your system administrator has configured the device with Secure Boot, strong BIOS and operating system account passwords, and full disk encryption, these security mechanisms will not stop Thunderspy.
All an attacker needs is 5 minutes alone with a computer or laptop, a screwdriver and portable equipment.
So far, security experts have discovered the following vulnerabilities:
- Inadequate firmware verification schemes.
- Weak device authentication scheme.
- Use of unauthenticated device metadata.
- Downgrade attack using backward compatibility.
- Use of unauthenticated controller configurations.
- SPI flash interface deficiencies.
- No Thunderbolt security on Boot Camp.
Thunderbolt controllers can operate in two modes, host mode or endpoint mode.
In host mode, Thunderbolt controllers are connected to the system via a blank PCIe interface, allowing the PCH to open a PCIe x4 connection to the Thunderbolt 3 controller, as shown in the figure below.
Typical Thunderbolt 3 silicon can switch dynamically between the following modes:
- USB Spider mode.
- Mixed mode USB/DisplayPort.
- Thunderbolt native mode.
Protection has been available since 2019, but almost no one is covered
But wait, the main problem here is something else: Kernel DMA Protection certainly helps to prevent the Thunderspy attack, but the mechanism is not available on PCs released before 2019. Moreover, many Thunderbolt devices produced before 2019 do not support this technology.
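To see whether a given Linux machine actually has this protection switched on, the kernel's Thunderbolt driver exposes it per controller domain in sysfs. The script below is an added example, not code from the researcher or from this article; it assumes the standard `iommu_dma_protection` and `security` attributes under `/sys/bus/thunderbolt/devices`, and the function and field names are this example's own.

```python
from pathlib import Path

# "none" is the security level at which connected devices are never authorized.
WEAK_LEVELS = {"none"}


def read_attr(path):
    """Return the stripped contents of a sysfs attribute, or None if absent."""
    try:
        return path.read_text().strip()
    except OSError:
        return None


def audit_thunderbolt(sysfs_root="/sys/bus/thunderbolt/devices"):
    """Report Kernel DMA Protection state for each Thunderbolt domain.

    Returns one dict per domain. An empty list means the kernel sees no
    Thunderbolt controller (or the thunderbolt driver is not loaded).
    """
    findings = []
    for domain in sorted(Path(sysfs_root).glob("domain*")):
        dma = read_attr(domain / "iommu_dma_protection")
        level = read_attr(domain / "security")
        issues = []
        if dma is None:
            # Older kernels do not expose the attribute at all.
            issues.append("kernel does not report DMA protection state")
        elif dma != "1":
            issues.append("Kernel DMA Protection is off")
        if level in WEAK_LEVELS:
            issues.append("security level 'none': devices are never authorized")
        findings.append({
            "domain": domain.name,
            "dma_protection": dma == "1",
            "security": level,
            "issues": issues,
        })
    return findings


if __name__ == "__main__":
    results = audit_thunderbolt()
    if not results:
        print("No Thunderbolt domains found")
    for r in results:
        status = "; ".join(r["issues"]) or "ok"
        print(f'{r["domain"]}: security={r["security"]} '
              f'dma_protection={r["dma_protection"]} -> {status}')
```

A domain that reports `dma_protection=False` is in the situation the article describes for pre-2019 hardware, regardless of how the lock screen or disk encryption is configured.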
Security experts have already examined several Dell, HP and Lenovo PC models and determined that Dell PCs do not have Kernel DMA Protection, even on devices released after 2019.
In the case of HP and Lenovo, only a few models use this technology; however, this vulnerability does not affect Apple computers.
According to HP, most HP commercial PCs and mobile workstations that support Sure Start Gen5 and higher are protected against Thunderspy bugs.
In addition, Lenovo said that it is currently investigating the situation. Thunderbolt is a peripheral connection technology developed by Intel in conjunction with Apple that allows data, video, audio and charging power to be transferred through a single port.
If you are unfamiliar with HP Sure Start, I would also like to point out that it is a security mechanism developed by HP to protect your computer’s BIOS from multiple cyber attacks or damage.
It is responsible for BIOS security and includes a dynamic security function that monitors the BIOS not only when the device status changes, but also at regular intervals throughout the day.