Thunderspy Thunderbolt Security Exploit Can Steal Your Data In Minutes, Millions Of PCs Vulnerable

thunderbolt 3 port
There's a new hardware exploit that's being brought to light courtesy of security researcher Björn Ruytenberg from the Eindhoven University of Technology. The security vulnerability affects devices equipped with Thunderbolt ports, and it's appropriately named Thunderspy.

Before we get started, we should first let you know that while this security exploit is serious, it requires actual physical access to a device to execute. However, with that access comes unprecedented control over a device, once connected to a free Thunderbolt port. In fact, a hacker could theoretically access all data on a computer in under 5 minutes. On top of that, this data can be accessed even if the PC is locked, password protected, and has SSD/HDD encryption turned on... yikes.

Security researchers call this an "evil maid attack", which earns its name from the notion that a maid could pull off a data heist on a laptop left behind in a hotel room. Further adding to the danger of Thunderspy is that the equipment needed to create a device capable of perpetrating the attack would only cost a hacker a few hundred dollars.

Thunderspy affects Thunderbolt-equipped PCs running Windows or Linux manufactured prior to 2019. Apple Macs, which have featured Thunderbolt ports since 2011, are said to be "partially affected" by Thunderspy. Unfortunately, Ruytenberg doesn't go into further detail into what that actually means. 

For its part, Intel -- the company behind Thunderbolt technology – said in a blog post that software mitigations were put in place through Kernel Direct Access (DMA) Protection in operating systems, starting in 2019. The company notes that Windows 10 1803 RS4, Linux kernel 5.x, and macOS 10.12.4 and later have these DMA protections in place.

However, Ruytenberg claims that Kernel DMA Protection doesn't provide full mitigation from attacks, and it cannot be fully patched with software. Also, he didn't find any Dell systems with full Kernel DMA Protection support, and only a handful of Lenovo and HP systems built in 2019 or later were found to be protected. Ruytenberg goes on to state that a silicon redesign would be required and that Thunderspy could threaten future connectivity standards, including USB4 and Thunderbolt 4. 

The only way to fully prevent Thunderspy attacks is to disable your Thunderbolt ports from within BIOS according to the researcher. However, to see if your current Thunderbolt-equipped system is affected, you can use Ruytenberg's Spycheck utility for Windows or Linux.

With that being said, the revelation of Thunderspy comes just days after it was revealed that Microsoft has just said "no" to Thunderbolt 3 ports on its Surface devices, because of DMA attacks just like this that could be accomplished with a "well-prepared stick".

Updated 5/11/2010 @ 7:01pm
Dell has reached out to us with this comment on its machines with respect to Thunderspy:

Dell Client Consumer and Commercial platforms that shipped starting in 2019 have Kernel DMA protection when SecureBoot is enabled. This offers protection from “Thunderspy” per Intel guidance.