A report is making the rounds that claims attackers could steal data from a PC or Linux computer even if the computer is locked and the data is encrypted. The report comes from a security researcher called Bjorn Ruytenberg, who says that the technique to steal the data is relatively simple, and it is called "Thunderspy." All the attacker needs is physical access to the computer, and they would be able to steal personal data in only five minutes using a screwdriver and easily portable hardware.
Thunderbolt offers very fast transfer speeds and gives direct access to the PC memory, creating several vulnerabilities. Previously, researchers believed that weaknesses in the Thunderbolt protocol could be mitigated by disabling access to untrusted devices or disabling Thunderbolt altogether. However, the attack method that Ruytenberg has discovered can get around those settings by changing the firmware that controls the Thunderbolt port to allow any device access.
The security researcher also notes that the attack leaves no trace and the user would never know their PC was altered. To perform the attack, which the researcher dubbed the "evil maid attack," the attacker would only need to unscrew the backplate, attach a device momentarily, reprogram the firmware, and reattach the backplate, and they would gain full access to the laptop.
The entire attack could be completed in under five minutes with about $400 worth of gear. Required gear includes an SPI programmer and a $200 Thunderbolt peripheral. The security researcher says that the entire hardware requirements could be built into a single device. The vulnerability was disclosed to Intel on February 10, 2020, and to Apple on April 17. A tool called Spycheck has been created to allow users to determine whether they are vulnerable to the attack. The researcher says that to mitigate the attack, users should avoid leaving the system unattended while powered on, even if it is screen locked. Intel released a Thunderbolt security system that works on computers made in 2019 and later. The next iteration of Thunderbolt is Thunderbolt 4, said to be essentially a rebranding of Thunderbolt 3.
An Intel spokesperson told us, "This attack could not be successfully demonstrated on systems with Kernel DMA protection enabled. As always, we encourage everyone to follow good security practices, including preventing unauthorized physical access to computers."
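As an added example (not from the report, Spycheck, or Intel): on Linux, the kernel exposes each Thunderbolt controller's security level and whether IOMMU-based Kernel DMA protection is active as sysfs attributes. The function below reads both and, following the article's point that security-level settings can be bypassed, bases its verdict only on DMA protection; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Report Thunderbolt security level and Kernel DMA protection per domain.
# Usage: tb_dma_report [sysfs_dir]   (default: /sys/bus/thunderbolt/devices)
tb_dma_report() {
    root="${1:-/sys/bus/thunderbolt/devices}"
    found=0
    for dom in "$root"/domain*; do
        [ -d "$dom" ] || continue          # glob did not match anything
        found=1
        name=$(basename "$dom")
        # Security level set in firmware: none, user, secure, dponly, ...
        level="unknown"
        if [ -r "$dom/security" ]; then level=$(cat "$dom/security"); fi
        # 1 = IOMMU-based DMA protection active; attribute absent on older kernels.
        dma="absent"
        if [ -r "$dom/iommu_dma_protection" ]; then
            dma=$(cat "$dom/iommu_dma_protection")
        fi
        # The security level alone is not trusted: per the article, it can be
        # bypassed by reprogramming the controller firmware.
        if [ "$dma" = "1" ]; then verdict="PROTECTED"; else verdict="EXPOSED"; fi
        echo "$name security=$level iommu_dma_protection=$dma verdict=$verdict"
    done
    if [ "$found" -eq 0 ]; then echo "no Thunderbolt domains under $root"; fi
}

# Constructed sample tree that mimics the sysfs layout (not real host data).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/domain0" "$t/domain1" "$t/domain2"
    echo secure > "$t/domain0/security"
    echo 0      > "$t/domain0/iommu_dma_protection"
    echo user   > "$t/domain1/security"
    echo 1      > "$t/domain1/iommu_dma_protection"
    echo secure > "$t/domain2/security"    # older kernel: attribute missing
    echo "$t"
}

# Demo on the constructed tree; on a real host call tb_dma_report with no argument.
sample=$(make_sample_tree) && tb_dma_report "$sample" && rm -rf "$sample"
```

In the sample output, `domain0` is reported as exposed even though its security level is `secure`, because DMA protection is off.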