ThunderSpy: Intel Fucks Up Closed Source HW Again
grarpamp
grarpamp at gmail.com
Mon May 11 17:01:55 PDT 2020
https://thunderspy.io/assets/reports/breaking-thunderbolt-security-bjorn-ruytenberg-20200417.pdf
https://github.com/BjornRuytenberg/spycheck-linux
Thunderspy targets devices with a Thunderbolt port... an attacker who
gets brief physical access to it can read and copy all your data, even
if your drive is encrypted and your computer is locked or set to
sleep.
Thunderbolt devices possess DMA-enabled I/O. In an evil maid DMA
attack Thunderbolt has been shown to be a viable entry point in
stealing data from encrypted drives and reading and writing all of
system memory. In response, Intel introduced Security Levels.
We present Thunderspy, a series of attacks that break all primary
security claims for Thunderbolt 1, 2, and 3.
- Inadequate firmware verification schemes
- Weak device authentication scheme
- Use of unauthenticated device metadata
- Downgrade attack using backwards compatibility
- Use of unauthenticated controller configurations
- SPI flash interface deficiencies
- No Thunderbolt security on Boot Camp
These vulnerabilities lead to nine practical exploitation scenarios.
- Cloning user-authorized device identities to arbitrary attacker devices
- Permanently disabling Thunderbolt security and future firmware updates
All Thunderbolt-equipped systems shipped between 2011-2020 are vulnerable.
The Thunderspy vulnerabilities cannot be fixed in software.
Avoid leaving your system unattended while powered on, even when screenlocked.
Disable the Thunderbolt controller entirely in UEFI (BIOS).
Stay tuned for Thunderspy 2: Judgment Day.
Intel has stated they had been already aware of Thunderspy variants...
Intel has not shared why they have chosen not to inform the general
public.
The author of Thunderspy would like to thank prof. dr. Tanja Lange and
Jacob Appelbaum for supervising his MSc thesis, of which this work is
part, at Eindhoven University of Technology, the Netherlands.
Oops!... ClosedHW did it again!
https://www.youtube.com/watch?v=oIkRKc8wX24
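
A Linux-side inventory for the mitigations quoted above, as an added example that is not part of the original post and not code from spycheck-linux: it reads the thunderbolt driver's sysfs attributes to show whether a controller is exposed, its Security Level, and which device identities are currently authorized. The function names and the sample tree are constructed for illustration; an empty result is treated as inconclusive on the assumption that a controller disabled in UEFI and one powered down with nothing attached look the same in sysfs.

```python
import tempfile
from pathlib import Path

SYSFS_TB = Path("/sys/bus/thunderbolt/devices")  # Linux thunderbolt driver sysfs

def read_attr(path):
    """Return a sysfs attribute's stripped text, or None if it is absent."""
    try:
        return path.read_text().strip()
    except OSError:
        return None

def audit_thunderbolt(root=SYSFS_TB):
    """Collect each domain's Security Level and every attached device's state."""
    root = Path(root)
    report = {"domains": {}, "devices": []}
    if not root.is_dir():
        return report  # nothing visible: disabled, absent, or powered down
    for entry in sorted(root.iterdir()):
        if entry.name.startswith("domain"):
            report["domains"][entry.name] = read_attr(entry / "security")
        elif not entry.name.endswith("-0"):  # "<domain>-0" is the host router
            state = read_attr(entry / "authorized")
            if state is not None:  # retimers and XDomain services lack it
                report["devices"].append(
                    {"id": entry.name, "authorized": state != "0",  # 1 or 2 = yes
                     "unique_id": read_attr(entry / "unique_id")})
    return report

def findings(report):
    """Turn the report into review items for the mitigations in the post."""
    out = [] if report["domains"] else ["no Thunderbolt domain visible"]
    for dom, level in report["domains"].items():
        out.append(f"{dom}: controller enabled, security level {level}")
    for dev in report["devices"]:
        if dev["authorized"]:
            out.append(f"{dev['id']}: authorized identity {dev['unique_id']}")
    return out

def demo():
    """Audit a constructed sysfs tree (sample data, not from a real host)."""
    sample = {"domain0/security": "user", "0-0/authorized": "1",
              "0-1/authorized": "1", "0-1/unique_id": "dock-placeholder",
              "0-3/authorized": "0", "0-3/unique_id": "disk-placeholder"}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, value in sample.items():
            path = Path(tmp) / rel
            path.parent.mkdir(exist_ok=True)
            path.write_text(value + "\n")
        return findings(audit_thunderbolt(tmp))
```

On a live host, `findings(audit_thunderbolt())` reads the real sysfs tree; every identity it lists as authorized is one the cloning scenario quoted above applies to.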