Serious Thunderbolt security weaknesses leave millions of Macs open to attack with no patch

By

A Thunderbolt 3 cable is also a USB4 cable.
'Thunderspy' can reportedly compromise data with no current fix available.
Photo: Caldigit

Seven security flaws have been found impacting Macs with Thunderbolt ports sold since 2011 with no indications that current security schemes can prevent the attacks from happening.

Dutch security researcher Björn Ruytenberg released a report Sunday detailing nine attack scenarios, including the ability to quickly steal data from encrypted drives and memory. 

Calling the issue ‘Thunderspy’, Ruytenberg warned that even when following best security practices, the attacks could not be defeated and that the vulnerability cannot be fixed with a simple patch.

“If your computer has such a port, an attacker who gets brief physical access to it can read and copy all your data, even if your drive is encrypted and your computer is locked or set to sleep,” he wrote.

The vulnerabilities are present in all computers – including Macs – with Thunderbolt/Thunderbolt-compatible USB-C ports shipped between 2011 and 2020.

This attack is essentially performed by fooling the Mac into thinking the device and software attached to it is an Apple-approved Thunderbolt accessory.

Ruytenberg said he found seven vulnerabilities in Intel’s design and developed nine “realistic scenarios” to compromise Macs past the defenses that embedded protection commands built into the Intel-made component.

The Details

The seven vulnerabilities include:

  • Inadequate firmware verification schemes
  • A weak device authentication scheme
  • Use of unauthenticated device metadata
  • Downgrade attack using backwards compatibility
  • Use of unauthenticated controller configurations
  • SPI flash interface deficiencies
  • No Thunderbolt security on Boot Camp

The most serious of the compromises appears to be the ability to permanently disable Thunderbolt security and block all future firmware updates without the computer’s owner knowing. Depending on how the computer was compromised, “recovering from this attack may require significant technical expertise, or may not be possible at all,” the study said.

The report stated, “The Thunderspy vulnerabilities cannot be fixed in software, impact[ing] future standards such as USB 4 and Thunderbolt 4, and will require a silicon redesign.”

The report’s author said Intel had been informed of the issues. Apple, he said, had also been and contacted regarding the vulnerability to security on Boot Camp, a macOS utility that assists users in installing Microsoft Windows operating systems on Intel-based Macintosh computers.

Protection advice

Ruytenberg recommended a number of ways to protect Macs from the security issue, including:

  • Connect only your own Thunderbolt peripherals. Never lend them to anybody.
  • Avoid leaving your system unattended while powered on, even when screen locked.
  • Avoid leaving your Thunderbolt peripherals unattended.
  • Ensure appropriate physical security when storing your system and any Thunderbolt devices, including Thunderbolt-powered displays.
  • Consider using hibernation (Suspend-to-Disk) or powering off the system completely. Specifically, avoid using sleep mode (Suspend-to-RAM).

The report said passing Thunderbolt connected devices through a USB/Display Port will “not be sufficient to protect your system from Thunderspy.”

In a usual reply to the security breach report, Ruytenberg said Apple responded by stating, “Some of the hardware security features you outlined are only available when users run macOS. If users are concerned about any of the issues in your paper, we recommend that they use macOS.”

An Apple spokesperson was contacted but not immediately available for comment on the issue to Cult of Mac.