Major Thunderbolt Security Exploit ‘Thunderspy’ Allows Hacker to Steal Data from Encrypted Drive, Partially Affects macOS


A major security flaw has been discovered in Thunderbolt that affects all PCs featuring the port. This includes Windows, Linux, and even Macs. The flaw allows a hacker to access data on a machine that is locked and even if its drive is encrypted.

The ‘Thunderspy’ security vulnerability consists of 7 security flaws which can be used in nine realistic scenarios. They have been discovered by researcher Björn Ruytenberg of the Eindhoven University of Technology. A hacker with the right set of tools and physical access to a machine with a Thunderbolt port can read and copy all the contents of its drive, even when the drive is encrypted and the PC locked. The hacker only needs around 5 minutes with the machine, though he will have to open it using a screwdriver to attach a malicious Thunderbolt device to it.

Below are the seven vulnerabilities that have been discovered and which affect all versions of Thunderbolt:

  1. Inadequate firmware verification schemes
  2. Weak device authentication scheme
  3. Use of unauthenticated device metadata
  4. Downgrade attack using backwards compatibility
  5. Use of unauthenticated controller configurations
  6. SPI flash interface deficiencies
  7. No Thunderbolt security on Boot Camp

These vulnerabilities lead to nine practical exploitation scenarios. In an evil maid threat model and varying Security Levels, we demonstrate the ability to create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices, and finally obtain PCIe connectivity to perform DMA attacks. In addition, we show unauthenticated overriding of Security Level configurations, including the ability to disable Thunderbolt security entirely, and restoring Thunderbolt connectivity if the system is restricted to exclusively passing through USB and/or DisplayPort. We conclude with demonstrating the ability to permanently disable Thunderbolt security and block all future firmware updates.

Since the security flaws are present in the Thunderbolt controller itself, they cannot be patched via a software update. They are also present in the upcoming USB4 standard, which is based on Thunderbolt 3.
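Because the controller itself cannot be patched, what a host can still control is which Security Level its Thunderbolt domain enforces and whether the operating system bounds PCIe DMA from attached devices with its IOMMU. The script below is an added example, not code from the article or from the Thunderspy research, and it targets Linux, the one of the three affected platforms where this state is readable from the filesystem. It assumes the attribute names the Linux kernel's thunderbolt driver documents under `/sys/bus/thunderbolt/devices` (`security`, `iommu_dma_protection`, `authorized`); the `TB_SYSFS` override and the ok/weak/exposed labels are this example's own, chosen so that "weak" marks the configurations whose protection rests on device identity or controller configuration, which the article says can be forged or overridden with physical access.

```shell
#!/bin/sh
# Added example, not code from the article or from the Thunderspy research.
# Summarises a Linux host's Thunderbolt posture from the attributes the
# kernel thunderbolt driver exposes under /sys/bus/thunderbolt/devices:
#   <domainN>/security              none | user | secure | dponly | usbonly | nopcie
#   <domainN>/iommu_dma_protection  "1" when the IOMMU bounds PCIe DMA from TB devices
#   <device>/authorized             0 = not authorized, 1 = authorized, 2 = authorized with key
# TB_SYSFS is this script's own override (an assumption, not a kernel interface)
# so the functions can be pointed at a constructed directory tree.
TB_SYSFS="${TB_SYSFS:-/sys/bus/thunderbolt/devices}"

# Read one attribute file under a directory, or print a fallback when absent.
tb_attr() {
    if [ -r "$1/$2" ]; then
        cat "$1/$2"
    else
        echo "${3:-unknown}"
    fi
}

# Security Level the domain enforces, or "unknown".
tb_security_level() {
    tb_attr "$1" security unknown
}

# Succeeds only when the kernel reports IOMMU-based DMA protection for the domain.
tb_dma_protected() {
    [ "$(tb_attr "$1" iommu_dma_protection 0)" = "1" ]
}

# Classify one domain directory:
#   ok      - PCIe DMA is bounded by the IOMMU, or the domain tunnels no PCIe at all
#   weak    - protection rests on device identity (user/secure), which a cloned
#             device identity or an overridden controller configuration defeats
#   exposed - any attached device is granted PCIe immediately
tb_classify() {
    if tb_dma_protected "$1"; then
        echo ok
        return
    fi
    case "$(tb_security_level "$1")" in
        none)                  echo exposed ;;
        user|secure)           echo weak ;;
        dponly|usbonly|nopcie) echo ok ;;
        *)                     echo unknown ;;
    esac
}

# Count device entries (named like 0-1) that are already authorized for PCIe.
tb_authorized_count() {
    n=0
    for dev in "$1"/*-*; do
        [ -d "$dev" ] || continue
        case "$(tb_attr "$dev" authorized 0)" in
            1|2) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Human-readable report over every domain the kernel knows about.
tb_report() {
    found=0
    for dom in "$TB_SYSFS"/domain*; do
        [ -d "$dom" ] || continue
        found=1
        printf '%s: security=%s dma_protection=%s -> %s\n' \
            "$(basename "$dom")" "$(tb_security_level "$dom")" \
            "$(tb_attr "$dom" iommu_dma_protection 0)" "$(tb_classify "$dom")"
    done
    [ "$found" -eq 1 ] || echo "no Thunderbolt domains found under $TB_SYSFS"
    echo "devices currently authorized for PCIe: $(tb_authorized_count "$TB_SYSFS")"
}

tb_report
```

Run it as root on the host being assessed; a domain that reports "weak" or "exposed" without `iommu_dma_protection` set to 1 is one where a hot-plugged or cloned device can reach PCIe, which is the precondition for the DMA scenarios the researchers describe.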

All Macs with a Thunderbolt port released since 2011 are affected by the exploit as well. However, macOS is only partially affected by Thunderspy. Do note that there is a difference between USB-C and Thunderbolt ports. The 16-inch MacBook Pro and the high-end variants of the 13-inch MacBook Pro come with four Thunderbolt ports, while only the base 13-inch MacBook Pro comes with two Thunderbolt and two USB-C ports. Apple was also informed about the security vulnerabilities and the company issued the following statement on this:

“Some of the hardware security features you outlined are only available when users run macOS. If users are concerned about any of the issues in your paper, we recommend that they use macOS.”

You can read more about Thunderspy here.