Seven New Thunderbolt Security Flaws Have Been Found, But Macs Running macOS 10.12.4 And Later Are Not Affected

As many as seven security flaws have been discovered that affect computers that use Thunderbolt ports. Machines built from 2011 through 2020 are potentially at risk, including modern Macs.

Security researcher Björn Ruytenberg found the vulnerabilities that can potentially expose data even when a computer is locked and its storage encrypted.

Even worse, there’s no way to tell whether a machine has been compromised and accessed through this issue.

Thunderspy is stealth, meaning that you cannot find any traces of the attack. It does not require your involvement, i.e., there is no phishing link or malicious piece of hardware that the attacker tricks you into using. Thunderspy works even if you follow best security practices by locking or suspending your computer when leaving briefly, and if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption. All the attacker needs is 5 minutes alone with the computer, a screwdriver, and some easily portable hardware.

All of that means that there are as many as nine different potential scenarios that could lead to data being collected.

These vulnerabilities lead to nine practical exploitation scenarios. In an evil maid threat model and varying Security Levels, we demonstrate the ability to create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices, and finally obtain PCIe connectivity to perform DMA attacks. In addition, we show unauthenticated overriding of Security Level configurations, including the ability to disable Thunderbolt security entirely, and restoring Thunderbolt connectivity if the system is restricted to exclusively passing through USB and/or DisplayPort. We conclude with demonstrating the ability to permanently disable Thunderbolt security and block all future firmware updates.

However, it appears that Intel and its partners were already aware of the vulnerabilities and had already patched them in versions of Windows 10, macOS, and Linux. According to Intel, the research carried out and reported on today does not show a machine being compromised when this mitigation is in place.

In 2019, major operating systems implemented Kernel Direct Memory Access (DMA) protection to mitigate against attacks such as these. This includes Windows (Windows 10 1803 RS4 and later), Linux (kernel 5.x and later), and MacOS (MacOS 10.12.4 and later). The researchers did not demonstrate successful DMA attacks against systems with these mitigations enabled. Please check with your system manufacturer to determine if your system has these mitigations incorporated.

Ultimately, this leads us to the same advice we always give for issues like this: make sure you’re running the latest version of macOS, Windows 10, or Linux available for your particular setup, and if it doesn’t meet the level outlined by Intel, consider upgrading.
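A quick way to check the Kernel DMA protection mitigation Intel describes above on a Linux machine, as an added example that is not part of the original article or the Thunderspy research: it assumes a kernel that exposes the `security` and `iommu_dma_protection` attributes under `/sys/bus/thunderbolt/devices/domainN/` and treats only IOMMU-based protection as mitigated, since the research shows both device-identity checks and USB/DisplayPort-only restrictions can be overridden.

```shell
#!/bin/sh
# Report the Thunderbolt security level and kernel (IOMMU) DMA protection per domain.
# Assumption: the kernel exposes 'security' and 'iommu_dma_protection' in sysfs.

# tb_domain_status <domain_dir>
# Prints "<domain> level=<level> iommu=<0|1> verdict=<ok|warn>" and returns 0
# only when IOMMU-based DMA protection is active for that domain.
tb_domain_status() {
    dom="$1"
    level=$(cat "$dom/security" 2>/dev/null || echo unknown)
    iommu=$(cat "$dom/iommu_dma_protection" 2>/dev/null || echo 0)
    # Levels 'user'/'secure' trust device identity, 'dponly'/'usbonly' limit
    # tunneling, and 'none' allows PCIe to any device; the Thunderspy findings
    # cover all of these, so only iommu=1 counts as mitigated here.
    if [ "$iommu" = "1" ]; then
        verdict=ok
    else
        verdict=warn
    fi
    printf '%s level=%s iommu=%s verdict=%s\n' \
        "$(basename "$dom")" "$level" "$iommu" "$verdict"
    [ "$verdict" = ok ]
}

# tb_scan [sysfs_root]
# Runs tb_domain_status over every domainN directory. Returns 0 if every domain
# is mitigated, 1 if any domain warns, 2 if no Thunderbolt domains are present.
tb_scan() {
    root="${1:-/sys/bus/thunderbolt/devices}"
    rc=0
    for dom in "$root"/domain*; do
        if [ ! -d "$dom" ]; then
            echo "no thunderbolt domains under $root"
            return 2
        fi
        tb_domain_status "$dom" || rc=1
    done
    return $rc
}
```

On Windows the equivalent check is the "Kernel DMA Protection" line in System Information (msinfo32).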
