16 May 2020

Thunderbolt Flaws Expose Millions of PCs to Hands-On Hacking


SECURITY PARANOIACS HAVE warned for years that any laptop left alone with a hacker for more than a few minutes should be considered compromised. Now one Dutch researcher has demonstrated how that sort of physical access hacking can be pulled off in an ultra-common component: The Intel Thunderbolt port found in millions of PCs.

On Sunday, Eindhoven University of Technology researcher Björn Ruytenberg revealed the details of a new attack method he's calling Thunderspy. On Thunderbolt-enabled Windows or Linux PCs manufactured before 2019, his technique can bypass the login screen of a sleeping or locked computer—and even its hard disk encryption—to gain full access to the computer's data. And while his attack in many cases requires opening a target laptop's case with a screwdriver, it leaves no trace of intrusion and can be pulled off in just a few minutes. That opens a new avenue to what the security industry calls an "evil maid attack," the threat of any hacker who can get alone time with a computer in, say, a hotel room. Ruytenberg says there's no easy software fix, only disabling the Thunderbolt port altogether.

"All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate, and the evil maid gets full access to the laptop," says Ruytenberg, who plans to present his Thunderspy research at the Black Hat security conference this summer—or the virtual conference that may replace it. "All of this can be done in under five minutes."


'Security Level' Zero

Security researchers have long been wary of Intel's Thunderbolt interface as a potential security issue. It offers faster speeds of data transfer to external devices, in part by allowing more direct access to a computer's memory than other ports, which can lead to security vulnerabilities. A collection of flaws in Thunderbolt components known as Thunderclap revealed by a group of researchers last year, for instance, showed that plugging a malicious device into a computer's Thunderbolt port can quickly bypass all of its security measures.

As a remedy, those researchers recommended that users take advantage of a Thunderbolt feature known as "security levels," disallowing access to untrusted devices or even turning off Thunderbolt altogether in the operating system's settings. That would turn the vulnerable port into a mere USB and display port. But Ruytenberg's new technique allows an attacker to bypass even those security settings, altering the firmware of the internal chip responsible for the Thunderbolt port and changing its security settings to allow access to any device. It does so without creating any evidence of that change visible to the computer's operating system.

"Intel created a fortress around this," says Tanja Lange, a cryptography professor at the Eindhoven University of Technology and Ruytenberg's adviser on the Thunderspy research. "Björn has gotten through all their barriers."

Following last year's Thunderclap research, Intel also created a security mechanism known as Kernel Direct Memory Access Protection, which prevents Ruytenberg's Thunderspy attack. But that Kernel DMA Protection is lacking in all computers made before 2019, and it is still not standard today. In fact, many Thunderbolt peripherals made before 2019 are incompatible with Kernel DMA Protection. In their testing, the Eindhoven researchers could find no Dell machines that have the Kernel DMA Protection, including those from 2019 or later, and they were only able to verify that a few HP and Lenovo models from 2019 or later use it. Computers running Apple's MacOS are unaffected. Ruytenberg is also releasing a tool to determine if your computer is vulnerable to the Thunderspy attack, and whether it's possible to enable Kernel DMA Protection on your machine.
Return of the Evil Maid

Ruytenberg's technique, shown in the video below, requires unscrewing the bottom panel of a laptop to gain access to the Thunderbolt controller, then attaching an SPI programmer device with an SOP8 clip, a piece of hardware designed to attach to the controller's pins. That SPI programmer then rewrites the firmware of the chip—which in Ruytenberg's video demo takes a little over two minutes—essentially turning off its security settings.

"I analyzed the firmware and found that it contains the security state of the controller," Ruytenberg says. "And so I developed methods to change that security state to 'none.' So basically disabling all security." An attacker can then plug a device into the Thunderbolt port that alters its operating system to disable its lock screen, even if it's using full disk encryption.

The full attack Ruytenberg shows in his demo video uses only about $400 dollars worth of equipment, he says, but requires an SPI programmer device and a $200 peripheral that can be plugged into a Thunderbolt port to carry out the direct memory attack that bypasses the lock screen, like the AKiTiO PCIe Expansion Box Ruytenberg used. But he argues that a better-funded hacker could build the entire setup into a single small device for around $10,000. "Three-letter agencies would have no problem miniaturizing this," Ruytenberg says.

The fact that Thunderbolt remains a viable attack method for evil maids isn't entirely unexpected, says Karsten Nohl, a well-known hardware security researcher and founder of SR Labs, who reviewed Ruytenberg's work. Nor should it freak out too many users, he says, given that it requires a certain level of sophistication and physical access to a victim's machine. Still, he was surprised to see how easily Intel's "security levels" can be bypassed. "If you're adding an authentication scheme against hardware attacks and then you implement it in unsecured hardware … that’s the wrong way to tackle a hardware security problem," says Nohl. "It’s a false sense of protection."

Ruytenberg says there's also a less invasive version of his Thunderspy attack, but it requires access to a Thunderbolt peripheral the user has plugged into their computer at some point. Thunderbolt devices set as "trusted" for a target computer contain a 64-bit code that Ruytenberg found he could access and copy from one gadget to another. That way he could bypass a target device's lock screen without even opening the case. "There's no real cryptography involved here," Ruytenberg says. "You copy the number over. And that's pretty much it." That version of the Thunderspy attack only works, however, when the Thunderbolt port's security settings are configured to their default setting of allowing trusted devices.

Ruytenberg shared his findings with Intel three months ago. When WIRED reached out to the company it responded in a blog post noting, as the researchers had, that Kernel DMA Protections prevent the attack. "While the underlying vulnerability is not new, the researchers demonstrated new physical attack vectors using a customized peripheral device," the blog post reads. (The researchers counter that the vulnerability is in fact new, and their attack uses only off-the-shelf components.) "For all systems, we recommend following standard security practices," Intel added, "including the use of only trusted peripherals and preventing unauthorized physical access to computers."
An Unpatchable Flaw

In a statement to WIRED, HP said it offers protection against direct memory attacks via the Thunderbolt port in "most HP Commercial PC and Mobile Workstation products that support Sure Start Gen5 and beyond," which includes systems that have launched since the beginning of 2019. "HP is also unique in that we are the only [computer manufacturer] that provides protection against DMA attacks via internal card (PCI) and Thunderbolt devices," the company added. "Protection from DMA attacks via Thunderbolt is enabled by default."

Lenovo said that it "is assessing this new research along with our partners and will communicate with customers as appropriate." Samsung didn't respond to a request for comment. Dell said in a statement that "customers concerned about these threats should follow security best practices and avoid connecting unknown or untrusted devices to PC ports," and it referred WIRED to Intel for more information. When WIRED asked Intel which computer manufacturers use its Kernel DMA Protection feature, it referred us back to the manufacturers.

Ruytenberg points out that the flaws he found extend to Intel's hardware and can't be fixed with a mere software update. "Basically they will have to do a silicon redesign," he says. Nor can users change the security settings of their Thunderbolt port in their operating system to prevent the attack, given that Ruytenberg discovered how to turn those settings off. Instead, he says that paranoid users may want to disable their Thunderbolt port altogether in their computer's BIOS, though the process of doing so will be different for every affected PC. On top of disabling Thunderbolt in BIOS, users will also need to enable hard disk encryption and turn their computers off entirely when they leave them unattended, in order to be fully protected.

Evil maid attacks have, of course, been possible in some cases for years. Firmware-focused security companies like Eclypsium have demonstrated five-minute physical access hacking of Windows machines using BIOS vulnerabilities, for instance, and WikiLeaks' Vault7 release included information about CIA tools designed to hack Macs' firmware with physical access techniques.

But both of those sorts of attacks are based on vulnerabilities that can be patched; the CIA's attack was blocked by the time news of it leaked in 2017. Thunderspy, on the other hand, remains both unpatched and unpatchable for millions of computers. The owners of those machines may now need to upgrade to a model that has Kernel DMA Protection in place—or think twice about leaving their sleeping computers unattended.

No comments: