Thunderbolt is a hardware interface developed by Intel. It provides high-speed communication between computers and external devices, and many manufacturers ship it on their machines. The Thunderspy security vulnerability makes it possible to defeat Thunderbolt's security protections. In this article, we will talk about the Thunderspy security vulnerability.
What is Thunderspy and how does it affect your computer?
Thunderspy is an attack that gives the attacker Direct Memory Access (DMA) to the target device and thereby compromises it. This way of attacking a device is indeed cunning: it is difficult to trace, because no malware is installed on the attacked system and no malicious link is involved; the attack gets past the security controls and takes over the computer altogether.
The attack, if done with the correct tools, takes less than five minutes. The attacker only needs physical access to the computer. The process goes as follows. The attacker connects to the Thunderbolt controller firmware of the target computer from his own device and takes control of it. Next, the attacker uses the Thunderbolt Controller Firmware Patcher (TCFP) to disable the security level configured in the firmware. The modified firmware is written back to the target device with a Bus Pirate device. This is followed by connecting a Thunderbolt-based attack device to the target itself. Next, the Windows sign-in is bypassed using the PCILeech tool, which loads a kernel module over DMA. Thus, the attack bypasses a plethora of security mechanisms, including Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption.
How to deal with the Thunderspy security vulnerability?
Here are the three ways recommended by Microsoft to handle the security vulnerability.
Secured-Core PC Protections
Microsoft's built-in security for the Windows operating system includes Windows Defender System Guard and virtualization-based security. The basic requirement is a Secured-core PC. Secured-core PCs root hardware security in the CPU, which launches the system into a secured and trusted state. This method helps to mitigate attacks attempted at the firmware level.
Kernel DMA protection
Kernel DMA Protection was introduced with Windows 10. It blocks external peripherals from performing Direct Memory Access (DMA) attacks, including those carried out by hot-plugged devices such as Thunderbolt peripherals. Thus, if the attacker tries to copy malicious Thunderbolt firmware to your system as part of the process described above, the attempt is blocked at the Thunderbolt port itself. This holds as long as the attacker does not know the username and password; otherwise he can get past it.
Hardening protection with Hypervisor-protected code integrity (HVCI)
Hypervisor-protected code integrity (HVCI) should be enabled on Windows 10. It isolates the code integrity subsystem and verifies kernel code against its own policy; after verification, only code signed by Microsoft is acknowledged and allowed to run. Additionally, it makes sure that kernel code pages are never both writable and executable, so unverified code fails to execute. Thunderspy uses the PCILeech tool, which loads a kernel module and bypasses all security, including the Windows sign-in, to log into the system. HVCI can prevent that code from being executed.
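The two checks above (Kernel DMA Protection and HVCI) can be verified from PowerShell. The script below is an added example, not part of the original article or any Microsoft tool; it queries the Win32_DeviceGuard WMI class that Windows exposes for virtualization-based security status and reports whether HVCI is running and whether IOMMU-based DMA protection is available to the platform. It assumes Windows 10 version 1803 or later; the numeric codes it decodes are the documented values for that class.

```powershell
# Added example (not from the original article): report the VBS/HVCI and DMA
# protection state that the article's mitigations depend on.
# Assumption: Windows 10 1803+, run from an elevated PowerShell session.

function Get-VbsProtectionStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # Documented value codes for the Win32_DeviceGuard properties
    $vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
    $services  = @{ 1 = 'Credential Guard'; 2 = 'HVCI (Memory integrity)';
                    3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
    $props     = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot';
                    3 = 'DMA protection (IOMMU)'; 4 = 'Secure Memory Overwrite';
                    5 = 'NX protections'; 6 = 'SMM mitigations';
                    7 = 'Mode Based Execution Control' }

    # Translate a code list into names, keeping unknown codes visible
    function Decode($codes, $table) {
        @($codes | ForEach-Object {
            if ($table.ContainsKey([int]$_)) { $table[[int]$_] } else { "Unknown ($_)" }
        })
    }

    [pscustomobject]@{
        VbsState             = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        HvciConfigured       = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning          = ($dg.SecurityServicesRunning -contains 2)
        DmaProtectionAvail   = ($dg.AvailableSecurityProperties -contains 3)
        ServicesRunning      = Decode $dg.SecurityServicesRunning $services
        AvailableProperties  = Decode $dg.AvailableSecurityProperties $props
    }
}

$status = Get-VbsProtectionStatus
$status | Format-List

# Flag the two gaps that matter for the attack described in the article
if (-not $status.HvciRunning) {
    Write-Warning 'HVCI (Memory integrity) is not running. Enable it under Windows Security > Device security > Core isolation.'
}
if (-not $status.DmaProtectionAvail) {
    Write-Warning 'IOMMU DMA protection is not reported as available, so Kernel DMA Protection cannot be active on this hardware/firmware.'
}
```

The "DMA protection" property only tells you that the platform offers an IOMMU to Windows; whether Kernel DMA Protection is actually switched on is shown on the "Kernel DMA Protection" line of System Information (msinfo32) and under Windows Security > Device security > Core isolation details > Memory access protection. Run the script on a newly purchased machine before trusting it with sensitive data, and again after firmware or Windows feature updates, since either can change these settings.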
Whenever you are purchasing a device, security should be the top concern. Your business data, or any other data that is supposed to stay private, will be kept safe if you invest in security. The measures above can be achieved only on a Secured-core PC and not on a regular PC, because the hardware required to keep you safe from this attack is not available there. You can look in the Device Security section of the Windows Security app for your options. Having a Secured-core PC will help you a lot.