• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

Unfixable Flaw Found in Thunderbolt Port that Unlocks any PC in Less Than 5 Minutes

AleksandarK

News Editor
Staff member
Joined
Aug 19, 2017
Messages
2,189 (0.91/day)
Dutch researcher from the Eindhoven University of Technology has found a new vulnerability in Thunderbolt port that allows attackers with physical access to unlock any PC running Windows or Linux kernel-based OS in less than 5 minutes. The researcher of the university called Björn Ruytenberg found a method which he calls Thunderspy, which can bypass the login screen of any PC. This attack requires physical access to the device, which is, of course, dangerous on its own if left with a person of knowledge. The Thunderbolt port is a fast protocol, and part of the reason why it is so fast is that it partially allows direct access to computer memory. And anything that can access memory directly is a potential vulnerability.

The Thunderspy attack relies on just that. There is a feature built into the Thunderbolt firmware called "Security Level", which disallows access to untrusted devices or even turns off Thunderbolt port altogether. This feature would make the port be a simple USB or display output. However, the researcher has found a way to alter the firmware setting of Thunderbolt control chip in a way so it allows any device to access the PC. This procedure is done without any trace and OS can not detect that there was a change. From there, the magic happens. Using an SPI (Serial Peripheral Interface) programmer with a SOP8 clip that connects the pins of the programmer device to the controller, the attacker just runs a script from there. This procedure requires around $400 worth of hardware. Intel already put some protection last year for the Thunderbolt port called Kernel Direct Memory Access Protection, but that feature isn't implemented on PCs manufactured before 2019. And even starting from 2019, not all PC manufacturers implement the feature, so there is a wide group of devices vulnerable to this unfixable attack.


You can check out the video demonstration below:

View at TechPowerUp Main Site
 
Joined
Feb 3, 2017
Messages
3,475 (1.33/day)
Processor R5 5600X
Motherboard ASUS ROG STRIX B550-I GAMING
Cooling Alpenföhn Black Ridge
Memory 2*16GB DDR4-2666 VLP @3800
Video Card(s) EVGA Geforce RTX 3080 XC3
Storage 1TB Samsung 970 Pro, 2TB Intel 660p
Display(s) ASUS PG279Q, Eizo EV2736W
Case Dan Cases A4-SFX
Power Supply Corsair SF600
Mouse Corsair Ironclaw Wireless RGB
Keyboard Corsair K60
VR HMD HTC Vive
Last edited:
Joined
Apr 19, 2018
Messages
957 (0.44/day)
Processor AMD Ryzen 9 5950X
Motherboard Asus ROG Crosshair VIII Hero WiFi
Cooling Arctic Liquid Freezer II 420
Memory 32Gb G-Skill Trident Z Neo @3806MHz C14
Video Card(s) MSI GeForce RTX2070
Storage Seagate FireCuda 530 1TB
Display(s) Samsung G9 49" Curved Ultrawide
Case Cooler Master Cosmos
Audio Device(s) O2 USB Headphone AMP
Power Supply Corsair HX850i
Mouse Logitech G502
Keyboard Cherry MX
Software Windows 11
Bloody hell Intel!
 
Joined
Oct 27, 2009
Messages
1,129 (0.21/day)
Location
Republic of Texas
System Name [H]arbringer
Processor 4x 61XX ES @3.5Ghz (48cores)
Motherboard SM GL
Cooling 3x xspc rx360, rx240, 4x DT G34 snipers, D5 pump.
Memory 16x gskill DDR3 1600 cas6 2gb
Video Card(s) blah bigadv folder no gfx needed
Storage 32GB Sammy SSD
Display(s) headless
Case Xigmatek Elysium (whats left of it)
Audio Device(s) yawn
Power Supply Antec 1200w HCP
Software Ubuntu 10.10
Benchmark Scores http://valid.canardpc.com/show_oc.php?id=1780855 http://www.hwbot.org/submission/2158678 http://ww
sop 8 chip flasher with clip is like $3 of hardware not $400, This is why microsoft said they didn't include thunderbolt on their devices, inherently insecure to have external pcie. Turns out relying on an external device to say it is secure doesn't work so well.
 

OneMoar

There is Always Moar
Joined
Apr 9, 2010
Messages
8,740 (1.71/day)
Location
Rochester area
System Name RPC MK2.5
Processor Ryzen 5800x
Motherboard Gigabyte Aorus Pro V2
Cooling Enermax ETX-T50RGB
Memory CL16 BL2K16G36C16U4RL 3600 1:1 micron e-die
Video Card(s) GIGABYTE RTX 3070 Ti GAMING OC
Storage ADATA SX8200PRO NVME 512GB, Intel 545s 500GBSSD, ADATA SU800 SSD, 3TB Spinner
Display(s) LG Ultra Gear 32 1440p 165hz Dell 1440p 75hz
Case Phanteks P300 /w 300A front panel conversion
Audio Device(s) onboard
Power Supply SeaSonic Focus+ Platinum 750W
Mouse Kone burst Pro
Keyboard EVGA Z15
Software Windows 11 +startisallback
so it requires extended physical access to the machine as well as removing the cases access panel to execute

slow news day eh ?

in other news people that have physical access to your computer can steal your data

article title is blately misleading its not 5 minutes try more like 15 minutes to get all the hardware setup probably closer to 20 if you need be fiddling with your hardware probe to get a solid connection anybody thats ever used these SOIC clips knows they are pain in the ass and depending on the board and the bios chip style you may not even have access

btw I can bypass the windows login screen by booting the pc from the windows setup disk and renaming a file witch btw requires no hardware mods no special software and in reality probably about 5 minutes


can we stop with the fear mongering please holy fuck its so easy to make the uneducated whip them selves into a panic
 
Last edited:
Joined
Nov 11, 2019
Messages
62 (0.04/day)
Location
Germany
Processor Ryzen 5 3600
Motherboard MSI B450M Gaming Plus
Cooling EK Supremacy EVO, Bykski N-GV1080TIG1-X (Gigabyte 1080TI Turbo) [280mm front, 240mm top, 120mm back]
Memory 16GiB 3600Mhz CL16 Patriot Viper
Video Card(s) Gigabyte GTX 1080Ti Turbo
Storage 4TiB Seagate Baracuda + 256 GiB Samsung 970 Evo Plus (StoreMI) & 500GiB Intenso SSD
Display(s) MSI Optix MAG271CR
Case CoolerMaster NR600
Power Supply Seagate Focus Plus 650 Watt GOLD
Mouse Sharkoon SHARK Force
Keyboard ReIDEA KM06
in other news people that have physical access to your computer can steal your data
you are right about that... But this is not about how practical it is, but the fact that it exists. It's not like suddenly physical access make data theft possible but more like it's yet another way to steal data which should not exist in the first place.
 
Joined
Oct 22, 2014
Messages
13,210 (3.83/day)
Location
Sunshine Coast
System Name Black Box
Processor Intel Xeon E3-1260L v5
Motherboard MSI E3 KRAIT Gaming v5
Cooling Tt tower + 120mm Tt fan
Memory G.Skill 16GB 3600 C18
Video Card(s) Asus GTX 970 Mini
Storage Kingston A2000 512Gb NVME
Display(s) AOC 24" Freesync 1m.s. 75Hz
Case Corsair 450D High Air Flow.
Audio Device(s) No need.
Power Supply FSP Aurum 650W
Mouse Yes
Keyboard Of course
Software W10 Pro 64 bit
Bloody hell Intel!
Apple.
It was a joint Intel and Apple collaboration to develop, but Apple is the main one pushing it as a standard.
 
Last edited:
Joined
May 2, 2017
Messages
7,762 (3.08/day)
Location
Back in Norway
System Name Hotbox
Processor AMD Ryzen 7 5800X, 110/95/110, PBO +150Mhz, CO -7,-7,-20(x6),
Motherboard ASRock Phantom Gaming B550 ITX/ax
Cooling LOBO + Laing DDC 1T Plus PWM + Corsair XR5 280mm + 2x Arctic P14
Memory 32GB G.Skill FlareX 3200c14 @3800c15
Video Card(s) PowerColor Radeon 6900XT Liquid Devil Ultimate, UC@2250MHz max @~200W
Storage 2TB Adata SX8200 Pro
Display(s) Dell U2711 main, AOC 24P2C secondary
Case SSUPD Meshlicious
Audio Device(s) Optoma Nuforce μDAC 3
Power Supply Corsair SF750 Platinum
Mouse Logitech G603
Keyboard Keychron K3/Cooler Master MasterKeys Pro M w/DSA profile caps
Software Windows 10 Pro
sop 8 chip flasher with clip is like $3 of hardware not $400, This is why microsoft said they didn't include thunderbolt on their devices, inherently insecure to have external pcie. Turns out relying on an external device to say it is secure doesn't work so well.
If the procedure requires disassembly of the laptop to access and reprogram a chip, the question of external PCIe is rather moot, no? Disassembling the laptop would give access to any m.2 ports, WiFi ports, etc, so getting access to PCIe that way really isn't difficult.
 
Joined
Feb 3, 2017
Messages
3,475 (1.33/day)
Processor R5 5600X
Motherboard ASUS ROG STRIX B550-I GAMING
Cooling Alpenföhn Black Ridge
Memory 2*16GB DDR4-2666 VLP @3800
Video Card(s) EVGA Geforce RTX 3080 XC3
Storage 1TB Samsung 970 Pro, 2TB Intel 660p
Display(s) ASUS PG279Q, Eizo EV2736W
Case Dan Cases A4-SFX
Power Supply Corsair SF600
Mouse Corsair Ironclaw Wireless RGB
Keyboard Corsair K60
VR HMD HTC Vive
This list of vulnerabilities they found, copy-paste from the report:
In this report, we disclose the following vulnerabilities:

1. Inadequate firmware verification schemes.
Thunderbolt host and device controllers operate using updatable firmware stored in its SPI flash. Using this feature, Thunderbolt hardware vendors occasionally provide firmware updates online to address product issues post-release. To ensure firmware authenticity, upon writing the image to the flash, Thunderbolt controllers verify the firmware’s embedded signature against Intel’s public key stored in silicon. However, we have found authenticity is not verified at boot time, upon connecting the device, or at any later point. During our experiments, using a SPI programmer, we have written arbitrary, unsigned firmware directly onto the SPI flash. Subsequently, we have been able to verify Thunderbolt controller operation using our modified firmware.

2. Weak device authentication scheme.
As noted in Section 1, device identification comprises several strings and numerical identifiers. However, we have found none of the identifiers are linked to the Thunderbolt PHY or one another, cryptographically or otherwise.

3. Use of unauthenticated device metadata.
Thunderbolt controllers store device metadata in a firmware section referred to as Device ROM (DROM). We have found that the DROM is not cryptographically verified. Following from the first issue, this vulnerability enables constructing forged Thunderbolt device identities. In addition, when combined with the second issue, forged identities may partially or fully comprise arbitrary data. Figure 2 demonstrates a device passing authentication while presenting a forged DROM to the host.

4. Backwards compatibility.
Thunderbolt 3 host controllers support Thunderbolt 2 device connectivity, irrespective of Security Levels. Such backwards compatibility subjects Thunderbolt 3-equipped systems to vulnerabilities introduced by Thunderbolt 2 hardware.

5. Use of unauthenticated controller configurations.
In UEFI, users may choose to employ a Security Level different to the default value (SL1) as listed in Section1. In storing Security Level state, we have determined that Thunderbolt employs two state machines, with one instance being present in UEFI, and another residing in host controller firmware. However, we have found firmware configuration authenticity is not verified at boot time, upon resuming from sleep, or at any later point. In addition, we have found these states machines may be subjected to desynchronization, with controller firmware overriding UEFI state without being reflected in the latter. As such, this vulnerability subjects the Thunderbolt host controller to unauthenticated, covert overriding of Security Levels configuration.

6. SPI flash interface deficiencies.
As noted before, Thunderbolt systems rely on SPI flash to store controller firmware (vulnerability 1) and maintain their Security Level state (vulnerability 5). In our study, we have found Thunderbolt controllers lack handling hardware error conditions when interacting with flash devices. Specifically, we have determined enabling flash write protection (i) prevents changing the Security Level configuration in UEFI, again without being reflected in the latter, and (ii) prevents controller firmware from being updated, without such failures being reflected in Thunderbolt firmware update applications. As such, when combined with the fifth issue, this vulnerability allows to covertly, and permanently, disable Thunderbolt security and block all future firmware updates.

7. No Thunderbolt security on Boot Camp.
Apple supports running Windows on Mac systems using the Boot Camp utility [2]. Aside from Windows, this utility may also be used to install Linux. When running either operating system, Mac UEFI disables all Thunderbolt security by employing the Security Level “None” (SL0). As such, this vulnerability subjects the Mac system to trivial Thunderbolt-based DMA attacks.
 
Joined
Aug 7, 2019
Messages
334 (0.20/day)
I think we are watching the fall of an empire. Intel must thank having a diversified portfolio and having bought half the industry because their traditional business is in absolute decadence.
 

hat

Enthusiast
Joined
Nov 20, 2006
Messages
21,731 (3.43/day)
Location
Ohio
System Name Starlifter :: Dragonfly
Processor i7 2600k 4.4GHz :: i5 10400
Motherboard ASUS P8P67 Pro :: ASUS Prime H570-Plus
Cooling Cryorig M9 :: Stock
Memory 4x4GB DDR3 2133 :: 2x8GB DDR4 2400
Video Card(s) PNY GTX1070 :: Integrated UHD 630
Storage Crucial MX500 1TB, 2x1TB Seagate RAID 0 :: Mushkin Enhanced 60GB SSD, 3x4TB Seagate HDD RAID5
Display(s) Onn 165hz 1080p :: Acer 1080p
Case Antec SOHO 1030B :: Old White Full Tower
Audio Device(s) Creative X-Fi Titanium Fatal1ty Pro - Bose Companion 2 Series III :: None
Power Supply FSP Hydro GE 550w :: EVGA Supernova 550
Software Windows 10 Pro - Plex Server on Dragonfly
Benchmark Scores >9000
Hmm, so if you have physical access to a computer and specialized hardware, you can do bad things. Whodathunkit?
 
Joined
Feb 3, 2017
Messages
3,475 (1.33/day)
Processor R5 5600X
Motherboard ASUS ROG STRIX B550-I GAMING
Cooling Alpenföhn Black Ridge
Memory 2*16GB DDR4-2666 VLP @3800
Video Card(s) EVGA Geforce RTX 3080 XC3
Storage 1TB Samsung 970 Pro, 2TB Intel 660p
Display(s) ASUS PG279Q, Eizo EV2736W
Case Dan Cases A4-SFX
Power Supply Corsair SF600
Mouse Corsair Ironclaw Wireless RGB
Keyboard Corsair K60
VR HMD HTC Vive
I read through the rest of the report. It all boils down to being able to reflash the Thunderbolt firmware. Once you are able to do that, there are several attack vectors.
The real problem seems to be that there simply are not enough checks and verifications to properly detect incorrect firmware and at least raise an alarm if that is the case.
 
Joined
Aug 27, 2011
Messages
296 (0.06/day)
System Name Gaming PC/ EDU PC/ HFS PC
Processor Intel i9-9900KF/ Dual Ryzen 7 2700X
Motherboard Asrock Z390 Taichi Ultimate/ Dual Asrock X370 Proffesional Gaming
Cooling Noctua NH-C14S/ Arctic Xtreme Freezer/ Ryzen Wraith Prysm RGB
Memory 64GB Corsair Vengeance PRO RGB 3200/ 32GB Corsair Dominator 3000/ 16GB Corsair Vengeance Pro 3200
Video Card(s) EVGA RTX 3080 FTW3 Ultra / MSI RTX 2080Ti Ventus / EVGA GTX 1060 SC Gaming
Storage Dual 970 EVO Plus 1TB + 6Tb 860 EVO/ 960 EVO 500GB + 18Tb R0/ 840EVO 250Gb + 16Tb R0
Display(s) Samsung 32" U32R590 Curved 3480x2160 / Samsung 32" LC32H711 Curved 2560x1440 Freesync
Case Cooler Master Stacker 830 NV Edition/ Dual Cooler Master 690 Advance II
Audio Device(s) Creative X-Fi Surround 5.1 SBX/ Creative X-Fi Titanium Pci-E/ On-board Realtek
Power Supply Triple Corsair Platinum HX850i
Mouse Logitech G7 WL / Logitech G903 Lightspeed / MS BT 8000
Keyboard Dual Logitech G19s
Software Win10 Pro
thank god that this is not so common interface like usb and it's not present in 99% of pc's...
 
Joined
Mar 16, 2017
Messages
1,633 (0.64/day)
Location
Tanagra
System Name Budget Box
Processor Xeon E5-2667v2
Motherboard ASUS P9X79 Pro
Cooling Some cheap tower cooler, I dunno
Memory 32GB 1866-DDR3 ECC
Video Card(s) XFX RX 5600XT
Storage WD NVME 1GB
Display(s) ASUS Pro Art 27"
Case Antec P7 Neo
What about Apple? The article doesn’t say anything about this working on a Mac, just Windows and Linux. Is macOS immune or just untested? Or maybe it’s just unclear.
 
Joined
Mar 10, 2010
Messages
11,878 (2.31/day)
Location
Manchester uk
System Name RyzenGtEvo/ Asus strix scar II
Processor Amd R5 5900X/ Intel 8750H
Motherboard Crosshair hero8 impact/Asus
Cooling 360EK extreme rad+ 360$EK slim all push, cpu ek suprim Gpu full cover all EK
Memory Corsair Vengeance Rgb pro 3600cas14 16Gb in four sticks./16Gb/16GB
Video Card(s) Powercolour RX7900XT Reference/Rtx 2060
Storage Silicon power 2TB nvme/8Tb external/1Tb samsung Evo nvme 2Tb sata ssd/1Tb nvme
Display(s) Samsung UAE28"850R 4k freesync.dell shiter
Case Lianli 011 dynamic/strix scar2
Audio Device(s) Xfi creative 7.1 on board ,Yamaha dts av setup, corsair void pro headset
Power Supply corsair 1200Hxi/Asus stock
Mouse Roccat Kova/ Logitech G wireless
Keyboard Roccat Aimo 120
VR HMD Oculus rift
Software Win 10 Pro
Benchmark Scores 8726 vega 3dmark timespy/ laptop Timespy 6506
Is this going to transfer to usb4
 
Joined
Feb 3, 2017
Messages
3,475 (1.33/day)
Processor R5 5600X
Motherboard ASUS ROG STRIX B550-I GAMING
Cooling Alpenföhn Black Ridge
Memory 2*16GB DDR4-2666 VLP @3800
Video Card(s) EVGA Geforce RTX 3080 XC3
Storage 1TB Samsung 970 Pro, 2TB Intel 660p
Display(s) ASUS PG279Q, Eizo EV2736W
Case Dan Cases A4-SFX
Power Supply Corsair SF600
Mouse Corsair Ironclaw Wireless RGB
Keyboard Corsair K60
VR HMD HTC Vive
Is this going to transfer to usb4
https://thunderspy.io/ said:
USB 4 is based on Thunderbolt 3. Is this interface affected as well?
On September 3, 2019, USB-IF announced the final specification of USB 4. Among its key features is support for Thunderbolt-based signaling. While USB 4 controllers and peripherals have not yet become readily available, we would encourage users to exercise caution until such hardware has been unequivocally found to address all Thunderspy vulnerabilities.
 
Joined
Aug 7, 2019
Messages
334 (0.20/day)
What about Apple? The article doesn’t say anything about this working on a Mac, just Windows and Linux. Is macOS immune or just untested? Or maybe it’s just unclear.

Apple seems to be doing its thing too: https://9to5mac.com/2020/05/11/thunderbolt-security-flaws/

MacOS employs (i) an Apple-curated whitelist in place of Security Levels, and (ii) IOMMU virtualization when hardware and driver support is available. Vulnerabilities 2–3 enable bypassing the first protection measure, and fully compromising authenticity of Thunderbolt device metadata in MacOS “System Information”. However, the second protection measure remains functioning and hence prevents any further impact on victim system security via DMA. The system becomes vulnerable to attacks similar to BadUSB. Therefore, MacOS is partially affected.
 

TheLostSwede

News Editor
Joined
Nov 11, 2004
Messages
15,996 (2.26/day)
Location
Sweden
System Name Overlord Mk MLI
Processor AMD Ryzen 7 7800X3D
Motherboard Gigabyte X670E Aorus Master
Cooling Noctua NH-D15 SE with offsets
Memory 32GB Team T-Create Expert DDR5 6000 MHz @ CL30-34-34-68
Video Card(s) Gainward GeForce RTX 4080 Phantom GS
Storage 1TB Solidigm P44 Pro, 2 TB Corsair MP600 Pro, 2TB Kingston KC3000
Display(s) Acer XV272K LVbmiipruzx 4K@160Hz
Case Fractal Design Torrent Compact
Audio Device(s) Corsair Virtuoso SE
Power Supply be quiet! Pure Power 12 M 850 W
Mouse Logitech G502 Lightspeed
Keyboard Corsair K70 Max
Software Windows 10 Pro
Benchmark Scores https://valid.x86.fr/5za05v
Look at this way, there's now a way to get access to your computer if you forgot the password... :p

What about Apple? The article doesn’t say anything about this working on a Mac, just Windows and Linux. Is macOS immune or just untested? Or maybe it’s just unclear.
MacOS is BSD based which is sort of based on Unix, so who knows.

If the procedure requires disassembly of the laptop to access and reprogram a chip, the question of external PCIe is rather moot, no? Disassembling the laptop would give access to any m.2 ports, WiFi ports, etc, so getting access to PCIe that way really isn't difficult.
Sure, but this seems like it might be a way to get around encrypted drives, if nothing else.
 
Joined
Oct 27, 2009
Messages
1,129 (0.21/day)
Location
Republic of Texas
System Name [H]arbringer
Processor 4x 61XX ES @3.5Ghz (48cores)
Motherboard SM GL
Cooling 3x xspc rx360, rx240, 4x DT G34 snipers, D5 pump.
Memory 16x gskill DDR3 1600 cas6 2gb
Video Card(s) blah bigadv folder no gfx needed
Storage 32GB Sammy SSD
Display(s) headless
Case Xigmatek Elysium (whats left of it)
Audio Device(s) yawn
Power Supply Antec 1200w HCP
Software Ubuntu 10.10
Benchmark Scores http://valid.canardpc.com/show_oc.php?id=1780855 http://www.hwbot.org/submission/2158678 http://ww
so it requires extended physical access to the machine as well as removing the cases access panel to execute

slow news day eh ?

in other news people that have physical access to your computer can steal your data

article title is blately misleading its not 5 minutes try more like 15 minutes to get all the hardware setup probably closer to 20 if you need be fiddling with your hardware probe to get a solid connection anybody thats ever used these SOIC clips knows they are pain in the ass and depending on the board and the bios chip style you may not even have access

btw I can bypass the windows login screen by booting the pc from the windows setup disk and renaming a file witch btw requires no hardware mods no special software and in reality probably about 5 minutes


can we stop with the fear mongering please holy fuck its so easy to make the uneducated whip them selves into a panic

It sounds like it was requiring access to the thunderbolt cable or external thunderbolt device not the host... I have used the clips, it's not that hard, and pretty sure all thunderbolt cable chips are the same.
I will read more about this... if it truly does require host access and cable access, you will have quicker luck with the pcie vulnerabilities themselves as it has no security ....

It sounds like it was requiring access to the thunderbolt cable or external thunderbolt device not the host... I have used the clips, it's not that hard, and pretty sure all thunderbolt cable chips are the same.
I will read more about this... if it truly does require host access and cable access, you will have quicker luck with the pcie vulnerabilities themselves as it has no security ....

Thunderspy enables creating arbitrary Thunderbolt device identities and cloning user-authorized Thunderbolt devices, even in the presence of Security Levels pre-boot protection and cryptographic device authentication.

While the permanent disablement of security requires host disassembly and modification the other attack vectors do not. AKA, plug device into locked system and gain access. Universal key. Physical access is usually considered a moot point because it allows for removal of system and time constraints on attack vectors. However gaining network access through a locked system is a big deal, as it can be a supply chain attack or even a parkinglot attack, though I suspect people would be less likey to pick up a thunderbolt cable that has been tampered with than a usb key. That said, people are dumb.
 
Last edited:
Joined
Nov 27, 2007
Messages
2,255 (0.38/day)
System Name HOMECOMPUTER
Processor Intel i9 - 9900k @ 5.1Ghz - 1.31v
Motherboard Asux ROG Maximus XI Hero Wifi
Cooling ek supremacy evo full nickle, 2xEK 360 Radiators, ek d5 pump/res combo, ek full cover 2080ti block
Memory 16GB DDR 3600 Trident Z RGB
Video Card(s) Gigabyte RTX 2080TI
Storage 1xWD black NVME 500GB, 1xSamsung 970 Evo Plus NVME 1TB
Display(s) 2 Dell Gaming 27" 1440P Gsync
Case Lian LI PC-011 Dynamic
Audio Device(s) onboard
Power Supply Evga P2 1200Watt
Mouse Zowie FK1+
Keyboard Corsair Strafe rgb silent
Software Windows 10 Pro
Benchmark Scores i'm working on that
so it requires extended physical access to the machine as well as removing the cases access panel to execute

slow news day eh ?

in other news people that have physical access to your computer can steal your data

article title is blately misleading its not 5 minutes try more like 15 minutes to get all the hardware setup probably closer to 20 if you need be fiddling with your hardware probe to get a solid connection anybody thats ever used these SOIC clips knows they are pain in the ass and depending on the board and the bios chip style you may not even have access

btw I can bypass the windows login screen by booting the pc from the windows setup disk and renaming a file witch btw requires no hardware mods no special software and in reality probably about 5 minutes


can we stop with the fear mongering please holy fuck its so easy to make the uneducated whip them selves into a panic

I don't think you're taking into account the utility of this attack against a corporation and the more and more laptops they give out. When a laptop goes home most decent orgs provide full disk encryption but far fewer offer pre boot authentication such as a pin or pre-boot passcode. This means if a developers laptop was stolen from their car or home and was able to be booted to a desktop, the work of encryption could theoretically be bypassed giving an attacker full access to the files on your machine. Worse even if the developer has pre-boot auth, but simply put his machine to sleep and didn't shut it down.

You clearly lack a good understanding regarding the usefulness of these attacks. There are many many companies that go to great lengths with disk encryption and account lockout policies and in many regards this is a relatively inexpensive way to bypass most of those protective layers.

Is it unlikely? Sure you need physical access. But this not only opens up threats to third parties whom gain physical access but more importantly the growing number of insider threats that pop up year over year. Someone's "stolen" laptop could be from someone in their very company with regular access to the machine or knowledge of that employees whereabouts. This isn't fear mongering, this is a security orgs nightmare. A breach point with little or no hope of ever fixing. Many orgs will most likely move disk encryption to pre-boot authentication, but that comes with a cost to the end user experience and could have major functionality concerns for items like kiosks and publicly accessible endpoints. Thunderbolt is just broken.
 
Joined
Jan 16, 2008
Messages
1,349 (0.23/day)
Location
Milwaukee, Wisconsin, USA
Processor i7-3770K
Motherboard Biostar Hi-Fi Z77
Cooling Swiftech H20 (w/Custom External Rad Enclosure)
Memory 16GB DDR3-2400Mhz
Video Card(s) Alienware GTX 1070
Storage 1TB Samsung 850 EVO
Display(s) 32" LG 1440p
Case Cooler Master 690 (w/Mods)
Audio Device(s) Creative X-Fi Titanium
Power Supply Corsair 750-TX
Mouse Logitech G5
Keyboard G. Skill Mechanical
Software Windows 10 (X64)
What about Apple? The article doesn’t say anything about this working on a Mac, just Windows and Linux. Is macOS immune or just untested? Or maybe it’s just unclear.

Other articles have stated that macOS is not vulnerable to this.
 
Joined
Aug 20, 2007
Messages
20,709 (3.41/day)
System Name Pioneer
Processor Ryzen R9 7950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage 2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches
Software Windows 11 Enterprise (legit), Gentoo Linux x64
Using an SPI (Serial Peripheral Interface) programmer with a SOP8 clip that connects the pins of the programmer device to the controller,

So not only do you need physical access, you actually need to open and attach a hardware programmer to the PC?

I'll take academic exploits for $200, Alex.

When a laptop goes home most decent orgs provide full disk encryption but far fewer offer pre boot authentication such as a pin or pre-boot passcode. This means if a developers laptop was stolen from their car or home and was able to be booted to a desktop, the work of encryption could theoretically be bypassed giving an attacker full access to the files on your machine. Worse even if the developer has pre-boot auth, but simply put his machine to sleep and didn't shut it down.

No one should be using FDE with only TPM or just autoboot as an auth method. If you are, I can bypass that login screen through several means, not just this. It's pretty darn trivial.
 

OneMoar

There is Always Moar
Joined
Apr 9, 2010
Messages
8,740 (1.71/day)
Location
Rochester area
System Name RPC MK2.5
Processor Ryzen 5800x
Motherboard Gigabyte Aorus Pro V2
Cooling Enermax ETX-T50RGB
Memory CL16 BL2K16G36C16U4RL 3600 1:1 micron e-die
Video Card(s) GIGABYTE RTX 3070 Ti GAMING OC
Storage ADATA SX8200PRO NVME 512GB, Intel 545s 500GBSSD, ADATA SU800 SSD, 3TB Spinner
Display(s) LG Ultra Gear 32 1440p 165hz Dell 1440p 75hz
Case Phanteks P300 /w 300A front panel conversion
Audio Device(s) onboard
Power Supply SeaSonic Focus+ Platinum 750W
Mouse Kone burst Pro
Keyboard EVGA Z15
Software Windows 11 +startisallback
this is how you properly write this article


I don't think you're taking into account the utility of this attack against a corporation and the more and more laptops they give out. When a laptop goes home most decent orgs provide full disk encryption but far fewer offer pre boot authentication such as a pin or pre-boot passcode. This means if a developers laptop was stolen from their car or home and was able to be booted to a desktop, the work of encryption could theoretically be bypassed giving an attacker full access to the files on your machine. Worse even if the developer has pre-boot auth, but simply put his machine to sleep and didn't shut it down.

You clearly lack a good understanding regarding the usefulness of these attacks. There are many many companies that go to great lengths with disk encryption and account lockout policies and in many regards this is a relatively inexpensive way to bypass most of those protective layers.

Is it unlikely? Sure you need physical access. But this not only opens up threats to third parties whom gain physical access but more importantly the growing number of insider threats that pop up year over year. Someone's "stolen" laptop could be from someone in their very company with regular access to the machine or knowledge of that employees whereabouts. This isn't fear mongering, this is a security orgs nightmare. A breach point with little or no hope of ever fixing. Many orgs will most likely move disk encryption to pre-boot authentication, but that comes with a cost to the end user experience and could have major functionality concerns for items like kiosks and publicly accessible endpoints. Thunderbolt is just broken.
you clearly don't have ANY understanding of OpSec

physical access for any length of time = game over you loose thats it you are done

if you have critical data stored locally and are NOT already using pre-boot authentication with full disk encryption you are an idiot and should have your hands cut off

you two options either don't give the machine access to critical data, or lock it down there is no middle ground between security and usability in this case

and most organisations don't even bother with disk encryption so again moot point if the data is stored locally


go away
 
Last edited:
Joined
May 13, 2010
Messages
5,632 (1.11/day)
System Name RemixedBeast-NX
Processor Intel Xeon E5-2690 @ 2.9Ghz (8C/16T)
Motherboard Dell Inc. 08HPGT (CPU 1)
Cooling Dell Standard
Memory 24GB ECC
Video Card(s) Gigabyte Nvidia RTX2060 6GB
Storage 2TB Samsung 860 EVO SSD//2TB WD Black HDD
Display(s) Samsung SyncMaster P2350 23in @ 1920x1080 + Dell E2013H 20 in @1600x900
Case Dell Precision T3600 Chassis
Audio Device(s) Beyerdynamic DT770 Pro 80 // Fiio E7 Amp/DAC
Power Supply 630w Dell T3600 PSU
Mouse Logitech G700s/G502
Keyboard Logitech K740
Software Linux Mint 20
Benchmark Scores Network: APs: Cisco Meraki MR32, Ubiquiti Unifi AP-AC-LR and Lite Router/Sw:Meraki MX64 MS220-8P
It sounds like it was requiring access to the thunderbolt cable or external thunderbolt device not the host... I have used the clips, it's not that hard, and pretty sure all thunderbolt cable chips are the same.
I will read more about this... if it truly does require host access and cable access, you will have quicker luck with the pcie vulnerabilities themselves as it has no security ....



Thunderspy enables creating arbitrary Thunderbolt device identities and cloning user-authorized Thunderbolt devices, even in the presence of Security Levels pre-boot protection and cryptographic device authentication.

While the permanent disablement of security requires host disassembly and modification the other attack vectors do not. AKA, plug device into locked system and gain access. Universal key. Physical access is usually considered a moot point because it allows for removal of system and time constraints on attack vectors. However gaining network access through a locked system is a big deal, as it can be a supply chain attack or even a parkinglot attack, though I suspect people would be less likey to pick up a thunderbolt cable that has been tampered with than a usb key. That said, people are dumb.
Lots of knockoff wlan adapters and shityy ones ppl buy off wish.
 
Top