By John P. Mello Jr.

May 12, 2020 10:32 AM PT

A Dutch researcher on Sunday revealed a novel way to crack into a personal computer through a Thunderbolt port.

The method, dubbed “Thunderspy” by researcher Björn Ruytenberg of Eindhoven University of Technology in the Netherlands, sidesteps the login screen of a sleeping computer, as well as its hard disk encryption, to access all its data.

“Thunderspy is stealth, meaning that you cannot find any traces of the attack,” Ruytenberg wrote in a post on the Thunderspy website. “It does not require your involvement, i.e., there is no phishing link or malicious piece of hardware that the attacker tricks you into using.”

The attack method works even if best security practices are followed by locking or suspending a computer when leaving briefly, and if a system administrator has set up a device with Secure Boot, strong BIOS and operating system account passwords, as well as enabling full disk encryption, he pointed out. “All the attacker needs is 5 minutes alone with the computer, a screwdriver, and some easily portable hardware.”

‘Evil Maid’ Attack

In security parlance, Thunderspy is used to launch an “Evil Maid” attack. Such attacks require that an adversary have physical access to a device.

In the case of Thunderspy, an attacker who has access to a machine can create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices, and obtain PCIe connectivity to perform Direct Memory Access attacks.

An attacker also can perform unauthenticated overrides of security level configurations, including the ability to disable Thunderbolt security entirely and block all future firmware updates.

If Thunderbolt connectivity is turned off, Thunderspy can be used to turn it back on without a user’s knowledge.

All Thunderbolt-equipped systems shipped between 2011 and 2020 are vulnerable, Ruytenberg wrote — and some systems providing kernel DMA protection, shipping since 2019, are partially vulnerable.

“Computers running macOS are not vulnerable to the most concerning of the attacks — the Direct Memory Access or ‘DMA’ that expose all data in memory — because of the macOS kernel’s Input/Output Memory Management Unit,” said Chris Clements, vice president of solutions architecture at Cerberus Sentinel, a cybersecurity consulting and penetration testing company located in Scottsdale, Arizona.

However, any Apple computers that have been reconfigured purposefully to boot directly to other operating systems, such as Microsoft Windows or Linux, are vulnerable to Thunderspy, he told TechNewsWorld.

“Any Windows or Linux virtual machines running on top of macOS with hypervisor software, such as Parallels or VMware Fusion, would not be exposed to the vulnerability unless Thunderbolt peripherals are connected directly to the virtual machines themselves,” Clements said.

Thunderspy vulnerabilities cannot be fixed in software. They will impact future standards such as USB 4 and Thunderbolt 4, and will require a silicon redesign, Ruytenberg noted.

Users should download and run a free, open source program he developed, called “Spycheck,” to find out if a system is vulnerable to Thunderspy, he advised.

If a system is vulnerable, the software, which is available at the Thunderspy website, can guide users on how to protect their systems from the Evil Maid attack.
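The article describes three exposure classes (vulnerable, partially vulnerable where kernel DMA protection is present, and not exposed where PCIe tunneling is unavailable) and points readers at Spycheck to find out where a machine falls. The following script is an added example for Linux hosts; it is not code from the article, from Ruytenberg, or from the Spycheck tool. It reads two attributes the Linux thunderbolt driver exposes per Thunderbolt domain in sysfs (`security`, the configured security level, and `iommu_dma_protection`, present on newer kernels) and maps them onto those classes. The verdict labels are this example's own. The check reports current configuration only: since the article notes that Thunderspy can override security levels and that the underlying issue needs a silicon fix, a "reduced" or "partial" result is an inventory signal, not a guarantee.

```shell
#!/bin/sh
# Added example (not from the article, Ruytenberg or Spycheck): classify a
# Linux host's Thunderbolt exposure from the attributes the thunderbolt
# driver exposes in sysfs for each domain:
#   <domain>/security             - configured security level
#                                   (none, user, secure, dponly, usbonly, nopcie)
#   <domain>/iommu_dma_protection - 1 when the kernel enforces IOMMU-based
#                                   DMA protection for Thunderbolt devices
# The domain directory is a parameter so the function can be run against a
# constructed directory; the default is the first domain on a real host.

assess_thunderbolt_domain() {
    dom="$1"

    # No security attribute means no Thunderbolt controller was enumerated
    # (or the driver is not loaded), so there is nothing to assess here.
    if [ ! -r "$dom/security" ]; then
        echo "none: no Thunderbolt domain at $dom"
        return 0
    fi

    level=$(cat "$dom/security")
    dma=0
    if [ -r "$dom/iommu_dma_protection" ]; then
        dma=$(cat "$dom/iommu_dma_protection")
    fi

    case "$level" in
        dponly|usbonly|nopcie)
            # PCIe tunneling is off: a plugged-in device cannot reach host
            # memory over PCIe, which removes the DMA path the article
            # is concerned with.
            echo "reduced: PCIe tunneling disabled (security=$level)"
            ;;
        none|user|secure)
            if [ "$dma" = "1" ]; then
                # The article's "partially vulnerable" class: devices get
                # PCIe, but the IOMMU limits what memory they can address.
                echo "partial: security=$level, kernel DMA protection on"
            else
                # The article's "vulnerable" class: PCIe tunneling with no
                # IOMMU enforcement, so device identity checks (which the
                # article says can be cloned) are the only barrier.
                echo "exposed: security=$level, kernel DMA protection off"
            fi
            ;;
        *)
            echo "unknown: unrecognized security level '$level'"
            ;;
    esac
}

# Stand-alone use: report on the host's first Thunderbolt domain, or on a
# domain directory given as the first argument.
assess_thunderbolt_domain "${1:-/sys/bus/thunderbolt/devices/domain0}"
```

On a host with several controllers, run the function once per `/sys/bus/thunderbolt/devices/domain*` directory; a missing `iommu_dma_protection` file is treated as protection off, which is the conservative reading for older kernels.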

‘Movie-Level Attacks’

“Thunderspy makes ‘movie-level attacks’ possible,” observed Aviram Jenik, CEO of Beyond Security, a developer of automated security testing technologies located in Cupertino, California.

“Remember those scenes where the hacker plugs in a tiny device into a computer port and in a couple of seconds gains full access to the machine? This is now possible,” he told TechNewsWorld.

To exploit Thunderspy, Jenik explained, he would need just a few seconds of physical access to a computer and a small device to install malware that would give him remote access to a target’s computer; do a data dump of its contents, including credentials for accounts; and install a Trojan programmed to ask for further instructions later.

Thunderspy also can be used to impersonate accounts, said Alex Useche, a senior consultant with nVisium, a Falls Church, Virginia-based application security provider.

Users often don’t log out of programs or systems. Once logged in, their accounts remain live.

“Outlook rarely requires users to re-enter their credentials,” Useche told TechNewsWorld. “The impact is much more significant if your laptop logs in to the internal network automatically without requiring additional authentication. Then the attackers have access to your company’s data.”

Sensational but Unlikely

Most consumers shouldn’t be too concerned about Thunderspy, maintained Keith McCammon, chief security officer of Red Canary, a cloud-based security services provider located in Denver.

“Consumers have no more reason to fear Thunderspy or other Evil Maid attacks now than they did last month, or last year,” he told TechNewsWorld. “The Evil Maid scenario is a very real concern for a very small percentage of individuals who handle data of extraordinary value or sensitivity. For everyone else, it is sensational but highly unlikely.”

Still, some consumers might feel a little less secure when they take their laptops on the road, Useche said.

“Consumers who misplace and lose their laptops at a public place may often find comfort in the fact that their laptops are at least secured by a password,” he noted. “Thunderspy throws that protection out the window. This is especially true in cases where the only password needed to access a user’s files is the Windows password.”

Super Glue Solution

International travelers may feel a little less secure, too.

“If employees are frequently on the road, they are constantly handing their phones and laptops over to border agents,” observed Hank Schless, senior manager for security solutions at Lookout, a San Francisco-based provider of mobile phishing solutions.

“Sometimes those devices are taken out of sight by an agent and returned in what seems like the same state, but in the case of a mobile phone or tablet it could have easily been jailbroken and had spyware loaded on without the user’s knowledge,” he told TechNewsWorld.

Consumers worried about Thunderspy should disable all ports that aren’t used, Jenik recommended.

“If you do not use Thunderbolt, give serious consideration to blocking it physically by using Super Glue,” he suggested.

Enterprises need to be concerned about Thunderspy, Jenik continued.

“The Enterprise often assumes that the end user does not have full control over the desktop,” he said.

“For example, many enterprises control what can be copied to a USB drive to avoid confidential data leakage, or enforce certain policies by not allowing the user to be the administrator on the machine he is using,” Jenik noted.

“This attack allows someone with physical access to have full control over a machine,” he said, “which means any enterprise user can now gain full access and circumvent any policy rules they wish to circumvent.”

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News.
