There’s plenty of reasons not to leave your laptop unattended, but a Dutch researcher has found yet another. With just a screwdriver and five minutes alone with your computer, a hacker could potentially take advantage of your Thunderbolt port to read and copy all your data—regardless of whether it’s encrypted, locked, or set to sleep.
The method, dubbed Thunderspy, was detailed in a report released by Björn Ruytenberg, a researcher at Eindhoven University of Technology. The issue is that Thunderbolt ports are PCIe-based, meaning they have Direct Memory Access (DMA) and can allow a hacker direct access to your system’s memory with a peripheral device. In what’s called an “evil maid attack”. All a bad actor would have to do is unscrew a backplate, attach a peripheral, reprogram the firmware, reattach the backplate, and voila. That bad actor now has full access to the computer. You can watch a video of the Thunderspy method, and chillingly, it only takes about five minutes in total.
While the outlined method does require someone to physically remove a laptop’s backplate, it’s disturbing because it can completely bypass best security practices like Secure Boot, a strong BIOS and OS password, and full disk encryption. Thunderspy is also stealthy, meaning it leaves no trace that someone’s tampered with your computer. It also requires nothing from the potential victim—no phishing link to click, no malware to download, etc.
Thunderspy affects Thunderbolt 1, 2, and 3, and in a summary blog, Ruytenberg notes seven specific vulnerabilities that could lead to nine “practical exploitation scenarios.” What’s troubling is that Eindhoven researchers say the vulnerabilities can’t be fixed via a software patch, and could potentially affect future standards like the upcoming USB4 and Thunderbolt 4. As for systems impacted, Ruytenberg says Thunderspy affects all Thunderbolt-equipped Windows and Linux computers shipped between 2011 and 2020. Meanwhile, Macs, according to Ruytenberg’s report, are only partially impacted when using MacOS. Apple told Eindhoven researchers that it had opted not to fix the Thunderspy vulnerability as it primarily impacts Mac computers when running Windows or Linux via the Boot Camp utility.
Ruytenberg shared his Thunderspy findings with Intel three months ago. Intel is the primary developer of Thunderbolt tech now (it initially developed it with Apple) and told him it would “not provide any mitigations to address the Thunderspy vulnerabilities,” including releasing public advisories to inform the general public. However, Intel did write a blog addressing Thunderspy, saying it had fixed the issue in 2019 following Thunderclap, a Thunderbolt peripherals vulnerability discovered last year, via a security mechanism called Kernal Direct Memory Access. It also advised that people only use “trusted peripherals” and prevent “unauthorized physical access” to computers.
It’s great if your computer has Kernal Direct Memory Access protections, but the problem is that you won’t find it on computers made prior to 2019. That, and it’s likely you won’t find it on some computers that shipped after 2019 either. According to Wired, no Dell computer has it, including those that shipped after 2019. Some laptops that do include the HP EliteBook and ZBook 2019, the Lenovo’s ThinkPad P53, X1 Carbon 2019, and Yoga C940s with Ice Lake CPUs.
So long as you don’t leave your laptop unattended or in the hands of weirdos, the average person shouldn’t start freaking out. In general, this means you shouldn’t lend your Thunderbolt peripherals to anyone, nor should you leave your computer on sleep when unattended—even if your screen’s locked. But if you’re worried, Eindhoven researchers have developed a free, open-source tool called Spycheck that can help you determine if your computer is vulnerable and what to do to protect it. Meanwhile, the truly paranoid may feel better if they disable their Thunderbolt ports completely.
We’ve reached out to Intel, Apple, and other laptop makers for additional comment, and will update when we hear back.