The technique, known as an “evil maid hack”, takes just five minutes to pull off and requires only removing the backplate of a laptop, for example, to gain access to the Thunderbolt controller. It gets its ‘maid’ moniker from the amount of time a maid might have with a computer in a victim’s hotel room.
Researcher Björn Ruytenberg of the Eindhoven University of Technology published his findings on the flaw, which he calls Thunderspy. The technique can skip past the login and password screens of locked computers and access all internal data, bypassing any hard disk encryption.
It follows research from last year called Thunderclap, which showed that simply plugging a malicious device into a Thunderbolt port can fully compromise a computer’s security. The only way to prevent this kind of attack is to disable Thunderbolt connectivity in the computer’s software settings.
But Thunderspy adds a new dimension to the potential insecurity of Thunderbolt. According to Wired, Intel “created a security mechanism known as Kernel Direct Memory Access Protection, which prevents Ruytenberg's Thunderspy attack. But that Kernel DMA Protection is lacking in all computers made before 2019, and it is still not standard today. In fact, many Thunderbolt peripherals made before 2019 are incompatible with Kernel DMA Protection.”
It means that millions of PCs are irreversibly vulnerable to the flaw.
The news comes just days after Microsoft was gently mocked in the tech press when a leaked internal video showed a Surface team member saying the company doesn’t use the Thunderbolt standard on its Surface computers due to security risks. After the emergence of Thunderspy, Microsoft’s claims don’t look quite so unfounded, as all Surface devices are immune to this particular attack.