Intel has confirmed a newly disclosed security flaw that exposes a seemingly critical vulnerability on millions of computers. The so-called “Thunderspy” exploit enables an attacker to “read and copy all your data, even if your drive is encrypted and your computer is locked or set to sleep.”
This type of vulnerability is known as an “evil maid” attack, the idea being your tech is at risk in your hotel room when overseas, or perhaps in the office when the overnight cleaners come around. The point is that physical access to a machine (or phone) is required, out of sight of anyone watching. Obviously, it’s the covert methods of entry (CME) teams within mainstream intelligence agencies rather than opportunistic cleaners that are the risk.
According to Eindhoven University of Technology researcher Björn Ruytenberg, the vulnerability affects all computers with Thunderbolt ports, which means machines going back as far as 2011. And while machines shipped in the last year or so support Kernel DMA (Direct Memory Access) Protection, which blocks the attack, it is unclear how many have it enabled. Intel did tell me that “this attack could not be successfully demonstrated on systems with Kernel DMA protection.”
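Whether a given machine actually has that protection on is something you can check rather than guess. On Linux the kernel exposes the answer per Thunderbolt domain in sysfs: `security` (the Thunderbolt security level) and `iommu_dma_protection` (1 when the IOMMU is protecting Thunderbolt PCIe tunnels, the equivalent of “Kernel DMA Protection”). The script below is an added example, not part of the article or of Ruytenberg’s tooling; the sysfs root is taken as a parameter so the logic can be exercised against a constructed tree, and the sample values in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a Linux host's Thunderbolt DMA exposure from sysfs.
# Real kernel attributes used:
#   /sys/bus/thunderbolt/devices/domainN/security              (none|user|secure|dponly|usbonly)
#   /sys/bus/thunderbolt/devices/domainN/iommu_dma_protection  (0|1, kernel >= 5.0)
# The sysfs root is a parameter (default /sys) so the check can be run
# against a constructed tree, e.g. a tmpdir containing
#   bus/thunderbolt/devices/domain0/security            -> "secure"
#   bus/thunderbolt/devices/domain0/iommu_dma_protection -> "0"
#
# tb_dma_check SYSFS_ROOT
# Prints one verdict line per Thunderbolt domain. Return code:
#   0  every domain has IOMMU DMA protection
#   1  at least one domain relies only on the security level (or has none)
#   2  no Thunderbolt domain found under SYSFS_ROOT
tb_dma_check() {
    root="${1:-/sys}"
    found=0
    worst=0
    for dom in "$root"/bus/thunderbolt/devices/domain*; do
        [ -d "$dom" ] || continue
        found=1
        level=$(cat "$dom/security" 2>/dev/null || echo unknown)
        iommu=$(cat "$dom/iommu_dma_protection" 2>/dev/null || echo 0)
        if [ "$iommu" = "1" ]; then
            # IOMMU remaps PCIe device DMA; a cloned or spoofed device cannot read RAM.
            verdict="protected (IOMMU DMA protection on, level=${level})"
        else
            case "$level" in
                none)
                    # Any hot-plugged Thunderbolt device gets PCIe access.
                    verdict="EXPOSED (security level none, no IOMMU protection)"
                    worst=1 ;;
                user|secure)
                    # Authorization-only: Thunderspy clones user-authorized device identities.
                    verdict="WEAK (authorization-only level=${level}, no IOMMU protection)"
                    worst=1 ;;
                dponly|usbonly)
                    # No PCIe tunnelling at all, so no DMA path over the port.
                    verdict="limited (level=${level}: PCIe tunnelling disabled)" ;;
                *)
                    verdict="UNKNOWN (level=${level}, no IOMMU protection)"
                    worst=1 ;;
            esac
        fi
        printf '%s: %s\n' "$(basename "$dom")" "$verdict"
    done
    [ "$found" -eq 1 ] || return 2
    return "$worst"
}

# Usage: ./tb_dma_check.sh /sys   (exit code 0 means every domain is IOMMU-protected)
if [ "$#" -gt 0 ]; then
    tb_dma_check "$1"
fi
```

On a real host run it as `sh tb_dma_check.sh /sys`; `boltctl domains` reports the same two attributes if the bolt daemon is installed. On Windows the equivalent flag is the “Kernel DMA Protection” line in msinfo32 (System Information), which should read “On”.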
Ruytenberg describes would-be Thunderspy attacks as “stealth—meaning that you cannot find any traces of the attack.” He says that armed with a few hundred dollars of kit, an attacker can physically wire into a machine and pull its data, even if that machine is locked or suspended, even if that data is encrypted.
“Even if you follow best security practices by locking or suspending your computer when leaving briefly,” he says, “and if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption, all the attacker needs is five minutes alone with the computer, a screwdriver, and some easily portable hardware.”
Should you be worried? Yes—and no. The risk is real, as confirmed by Intel, but a tiny percentage of users would ever be attacked in this way. This is not an over-the-air malware attack, with code planted on your machine through a malicious email attachment. This is a targeted and high-risk attack: your physical machine needs to be accessible, and there needs to be a serious reason for an attacker to want to pull your data. While headlines will suggest millions are at risk, that’s not the case.
What there is, though, is an attack vector through which covert operatives can quickly compromise locked machines. “I have even heard of someone finding all the screws from his laptop on the table top after he took it out from his hotel safe,” former British spook Philip Ingram tells me, “this is common in some countries.” He means Russia and China in the main, but not only the obvious protagonists.
“For all systems,” Intel said in its response to the security report, “we recommend following standard security practices, including the use of only trusted peripherals and preventing unauthorized physical access to computers.” If you’re on the road, that’s easier said than done. And this isn’t just a risk for government officials or operatives: think business leaders on overseas trips, delegations, negotiations.
The mitigation is difficult unless you’re in the game. “To certain countries,” Ingram says, “take a burn device with only the data you need for those meetings on a separate USB. Never connect it to any network when you return home and only use it for travel to that country.” I know what you’re thinking—this isn’t practical for normal business travel, once business travel actually starts up again of course.
It gets worse, as well. “If you ever leave it unattended assume the hardware has been compromised,” Ingram warns. “If you have been subject to extended searches at an airport and have lost sight of your IT, assume it has been compromised. Recognise that you are a target and don’t assume you aren’t.”
Ruytenberg lists the vulnerabilities in his write-up, and says they lead to “nine practical exploitation scenarios—we demonstrate the ability to create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices, and finally obtain PCIe connectivity to perform DMA attacks.”
This threat is real—there have been hotels I have used in non-obviously risky parts of Asia where the likelihood of a room search by agencies was joked about.
But, again, this is targeted and almost everyone reading this has nothing to worry about. That said, if you do want to know whether your computer is vulnerable, you can test it with the tools on Ruytenberg’s website.
Meanwhile, Intel has said it will address the concerns. “As part of the Security-First Pledge, Intel will continue to improve the security of Thunderbolt technology, and we thank the researchers from Eindhoven University for reporting this to us.”