Just a few weeks ago a video leaked that showed a Microsoft employee discussing Microsoft’s stance on Thunderbolt 3 – indicating that it wasn’t being used on the Surface products because it wasn’t considered safe due to concerns about “indirect memory access.”
Now a security researcher from the Eindhoven University of Technology has detailed a number of serious security vulnerabilities in the Thunderbolt interface protocol, which was developed jointly by Intel and Apple.
Security researcher Björn Ruytenberg's report details the security vulnerabilities in Thunderbolt 2 and Thunderbolt 3, collectively known as "Thunderspy".
The vulnerabilities affect any Windows, Linux, or macOS computer with a Thunderbolt 2 or Thunderbolt 3 port that was produced before 2019.
Ruytenberg highlights seven vulnerabilities:
- Inadequate firmware verification schemes
- Weak device authentication scheme
- Use of unauthenticated device metadata
- Downgrade attack using backwards compatibility
- Use of unauthenticated controller configurations
- SPI flash interface deficiencies
- No Thunderbolt security on Boot Camp
According to Ruytenberg, running the most up-to-date macOS does not fully protect you. He explains that an attacker could use a Thunderbolt device (costing a few hundred pounds) to clone the identity of a Thunderbolt peripheral the machine already trusts, and then use that cloned identity to mount attacks through the port.
The attacker would need physical access to your computer, but could then potentially bypass both the login password and full-disk encryption, since the attack reads memory directly rather than the disk.
According to Ruytenberg, the vulnerabilities cannot be fully fixed in software. A hardware redesign would be necessary to stamp them out.
Ruytenberg demonstrates how the attack works in a video. He removes the cover of a Lenovo ThinkPad laptop and connects his attack hardware to the Thunderbolt controller. This disables the notebook's Thunderbolt security settings, after which he unlocks the machine as if he knew the password. The whole process takes only a few minutes.
Thunderspy is not the first security flaw researchers have found in Thunderbolt. In 2019 a flaw was disclosed that allowed attackers to take over devices via USB-C or DisplayPort.
Are you at risk from Thunderspy?
As a Mac user should you be concerned? Not overly so.
One key reason not to be worried right now is that, to gain access to your Mac via the Thunderbolt port, the criminally inclined need around five minutes of unsupervised access to your Mac plus a Thunderbolt attack device. In the current lockdown situation it is unlikely that anyone with malicious intent will get that access. So there is no need to panic yet, but what about when we are allowed to go and sit in a coffee shop while we work or study?
Even those Mac users who are taking their Macs outside have no real reason for concern. For starters, Macs running macOS are only partially affected, by two of the seven vulnerabilities listed above:
- Weak device authentication scheme
- Use of unauthenticated device metadata
There is an exception though: if you are running Windows or Linux via Boot Camp on your Mac, then you are exposed to all seven vulnerabilities.
This is because when Mac users start Windows via Boot Camp, the Thunderbolt controller is set to security level "none" (SL0), so any connected device is granted PCIe access without authorisation. This means that an attacker (with physical access and the right equipment) could bypass the lock screen and read the contents of your RAM or hard drive.
How to protect yourself from Thunderbolt hacks
- Update to at least macOS 10.12.4. This will minimise the dangers of the Thunderspy vulnerability.
- Even with an up-to-date installation of macOS you should ensure that you never leave your Mac turned on and unattended – even if the screen is locked.
- You should never connect devices to your Mac if you don’t know where they have come from. Similarly you shouldn’t share your own Thunderbolt peripherals with others. And don’t leave Thunderbolt peripherals unattended.
- If you use Boot Camp, shut Windows down (rather than leaving it running or asleep) whenever your Mac is left unattended.
- We expect Apple to release a software update in the near future to make Boot Camp more secure. When it does you should upgrade.
Ruytenberg also recommends that users:
- Provide adequate physical security when storing your system and all Thunderbolt devices, including Thunderbolt-powered displays.
- Consider using Suspend-to-Disk or turning off the system completely. In particular, avoid using Suspend-to-RAM.
Intel’s statement
In a blog post, Intel reacted to Thunderspy by saying that the underlying weakness is not new. Intel says it had already been addressed by Kernel DMA Protection, which the major operating systems implemented in 2019.
According to Wired, however, Kernel DMA Protection has not yet been adopted by all hardware manufacturers: it was not found on Dell devices, and only a few Lenovo and HP laptops used it. According to Ruytenberg, on systems without Kernel DMA Protection the only way to fully protect yourself against Thunderspy attacks is to disable Thunderbolt in the BIOS/UEFI setup.
Intel’s statement: In 2019, major operating systems implemented Kernel Direct Memory Access (DMA) protection to mitigate against attacks such as these. This includes Windows (Windows 10 1803 RS4 and later), Linux (kernel 5.x and later), and MacOS (MacOS 10.12.4 and later). The researchers did not demonstrate successful DMA attacks against systems with these mitigations enabled. Please check with your system manufacturer to determine if your system has these mitigations incorporated. For all systems, we recommend following standard security practices, including the use of only trusted peripherals and preventing unauthorized physical access to computers.
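Intel's advice to "check with your system manufacturer" can be verified directly on Linux, because the kernel's thunderbolt driver publishes the controller's security level and whether IOMMU-backed Kernel DMA Protection is in force under sysfs (documented in the kernel's Documentation/admin-guide/thunderbolt.rst; on Windows the equivalent is the "Kernel DMA Protection" row in msinfo32). The following script is an added example, not code from the article or from Ruytenberg's tooling. It takes the sysfs root as an optional parameter (assumed to default to /sys) so it can be exercised against a constructed directory tree; the verdict tokens and the tb_verdict/tb_explain function names are my own.

```shell
#!/bin/sh
# Added example (not from the article). Reads what the Linux thunderbolt
# driver exposes in sysfs:
#   .../domain0/security              -> none | user | secure | dponly | usbonly
#   .../domain0/iommu_dma_protection  -> 1 when the IOMMU protects Thunderbolt
#                                        DMA (Kernel DMA Protection), else 0
# The sysfs root is a parameter so the check can be run against a constructed
# tree; on a live machine call it with no argument.

tb_verdict() {
    root="${1:-/sys}"
    dom="$root/bus/thunderbolt/devices/domain0"
    if [ ! -d "$dom" ]; then
        echo "no-thunderbolt"        # no Thunderbolt domain, or driver not loaded
        return 0
    fi
    sec="unknown"
    dma="0"
    [ -r "$dom/security" ] && sec=$(cat "$dom/security")
    [ -r "$dom/iommu_dma_protection" ] && dma=$(cat "$dom/iommu_dma_protection")

    # Kernel DMA Protection takes precedence: with the IOMMU fencing the
    # controller, a rogue PCIe device cannot read arbitrary RAM regardless
    # of the security level.
    if [ "$dma" = "1" ]; then
        echo "dma-protected"
        return 0
    fi
    case "$sec" in
        none)           echo "sl0-unprotected" ;;          # SL0: the Boot Camp case
        user|secure)    echo "sl1-sl2-unprotected" ;;      # authorisation relies on device identity
        dponly|usbonly) echo "pcie-tunneling-disabled" ;;  # no PCIe tunnel, hence no DMA path
        *)              echo "unknown:$sec" ;;
    esac
}

tb_explain() {
    case "$(tb_verdict "$1")" in
        no-thunderbolt)
            echo "No Thunderbolt controller found." ;;
        dma-protected)
            echo "Kernel DMA Protection is active: Thunderspy-style DMA attacks are mitigated." ;;
        sl0-unprotected)
            echo "Security level none (SL0) and no Kernel DMA Protection: any attached device gets PCIe access. Disable Thunderbolt in firmware or raise the security level." ;;
        sl1-sl2-unprotected)
            echo "Device authorisation only (SL1/SL2) without Kernel DMA Protection: Thunderspy can clone an authorised device's identity." ;;
        pcie-tunneling-disabled)
            echo "PCIe tunnelling disabled (DisplayPort/USB only): no DMA path over the port." ;;
        *)
            echo "Unrecognised security setting." ;;
    esac
}

# Usage on a live system: ./tb_check.sh   (optionally pass an alternative sysfs root)
tb_explain "$1"
```

The script deliberately reports "dma-protected" before looking at the security level: a machine at SL1 with Kernel DMA Protection is in far better shape than one at SL2 without it, which is the distinction Intel's statement turns on. Note that the sysfs values only describe the Linux driver's view; a Boot Camp Windows installation on the same Mac still boots the controller at SL0.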
Here's the tweet regarding Microsoft's decision not to use Thunderbolt on the Surface line:
Surfaces don’t have Thunderbolt because its insecure ? pic.twitter.com/lb7YYOOQ4Y
— WalkingCat (@h0x0d) April 25, 2020
If you are interested in the state of Mac security you might be interested to read the following:
Do Macs get viruses, and should I have antivirus software?
Complete list of all the Mac viruses, malware and security flaws.
Reviews of the best Mac antivirus software.