A researcher at Eindhoven University of Technology has discovered 7 new vulnerabilities in Intel’s Thunderbolt technology that enable attackers to access a system’s data even if it is encrypted or the device is locked. Intel has acknowledged the security flaws and has already released patches via OS updates to prevent their exploitation.
The seven vulnerabilities discovered are:
- Inadequate firmware verification schemes
- Weak device authentication scheme
- Use of unauthenticated device metadata
- Downgrade attack using backwards compatibility
- Use of unauthenticated controller configurations
- SPI flash interface deficiencies
- No Thunderbolt security on Boot Camp
By using these vulnerabilities to carry out an evil maid Direct Memory Access (DMA) attack, an attacker could use customized peripheral devices connected via the Thunderbolt port to gain access to data stored on encrypted drives and in memory. Because these attacks are very stealthy, they can leave almost no evidence or traces on the system.
The main issue with these security flaws is that they can be exploited even if the system is locked, has Secure Boot enabled, uses strong passwords and has full disk encryption enabled. Thankfully, Intel acknowledged these vulnerabilities quickly and has instructed OS developers to implement Kernel Direct Memory Access (DMA) protection to prevent these attacks. The protections will be available in Windows (Windows 10 1803 RS4 and later), Linux (kernel 5.x and later), and macOS (macOS 10.12.4 and later).
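A defender-side check for the Linux mitigation mentioned above, added here as an example and not taken from the researcher or Intel: it reads the `security` and `iommu_dma_protection` attributes that the Linux thunderbolt driver exposes for each domain under `/sys/bus/thunderbolt/devices`. The function names and verdict labels are this example's own.

```shell
#!/bin/sh
# Added example (not from the Thunderspy research or Intel).
# Reads Thunderbolt domain attributes exposed by the Linux thunderbolt driver.
# Function names and verdict labels below are this example's own.

# Print one status line for a single domain directory.
tb_domain_status() {
    dom=$1
    sec=unknown
    iommu=unknown
    if [ -r "$dom/security" ]; then sec=$(cat "$dom/security"); fi
    if [ -r "$dom/iommu_dma_protection" ]; then
        iommu=$(cat "$dom/iommu_dma_protection")
    fi
    if [ "$iommu" = 1 ]; then
        verdict=PROTECTED            # kernel uses the IOMMU for DMA protection
    elif [ "$sec" = none ]; then
        verdict=EXPOSED              # level "none", no confirmed IOMMU protection
    elif [ "$iommu" = 0 ]; then
        verdict=SECURITY_LEVEL_ONLY  # relies on Thunderbolt security levels alone
    else
        verdict=UNKNOWN              # attribute missing, e.g. an older kernel
    fi
    printf '%s security=%s iommu_dma_protection=%s %s\n' \
        "$(basename "$dom")" "$sec" "$iommu" "$verdict"
}

# Check every domain under SYSFS_ROOT (default: the live sysfs path).
# Returns 0 if all domains are PROTECTED, 1 if any is not, 2 if none exist.
tb_check() {
    root=${1:-/sys/bus/thunderbolt/devices}
    rc=0
    found=0
    for d in "$root"/domain*; do
        [ -d "$d" ] || continue
        found=1
        line=$(tb_domain_status "$d")
        echo "$line"
        case $line in
            *" PROTECTED") ;;
            *) rc=1 ;;
        esac
    done
    if [ "$found" = 0 ]; then
        echo "no Thunderbolt domains found under $root"
        return 2
    fi
    return "$rc"
}
```

On a Linux host, calling `tb_check` with no argument reads the live sysfs tree.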