Unfixable Flaw Found in Thunderbolt Port that Unlocks any PC in Less Than 5 Minutes

[Pickles von Brine]

Quote

Dutch researcher from the Eindhoven University of Technology has found a new vulnerability in Thunderbolt port that allows attackers with physical access to unlock any PC running Windows or Linux kernel-based OS in less than 5 minutes. The researcher of the university called Björn Ruytenberg found a method which he calls Thunderspy, which can bypass the login screen of any PC. This attack requires physical access to the device, which is, of course, dangerous on its own if left with a person of knowledge. The Thunderbolt port is a fast protocol, and part of the reason why it is so fast is that it partially allows direct access to computer memory. And anything that can access memory directly is a potential vulnerability...

 Using an SPI (Serial Peripheral Interface) programmer with a SOP8 clip that connects the pins of the programmer device to the controller, the attacker just runs a script from there. This procedure requires around $400 worth of hardware. 

Source
Thunderspy - More details

Well now, that isn't something you see everyday. Talk about a hell of a vulnerablility. People are bent out of shape about Surface books not having thunderbolt on them and this just further secures as to why. Microsoft stated they had a vulnerability and this one is one of one at that. I can really see this being a huge problem especially if your laptop got stolen. Couple that with the potential of espionage by nation-states, hacking groups and more it is really a big doozy. Even if it requires physical access, it is the amount of time it takes for someone to get in. That is the part that is scary. 

My question is does this bypass things like Bitlocker?

Upon further reading, I guess not:

 

Quote

Thunderspy works even if you follow best security practices by locking or suspending your computer when leaving briefly, and if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption. All the attacker needs is 5 minutes alone with the computer, a screwdriver, and some easily portable hardware.

The other big thing: Thunderbolt is one of Intel's babies. They just cannot catch a break can they?

A demo of the exploit:
 

 

[Curious Pineapple]

This, people, is why we don't want single port computers. Forget about the absolute clusterfuck if that single port gets damaged, you can't even turn it off and use any external devices at all.

 

I'll stick to my half inch thicker laptops with an array of ports thanks

[Pickles von Brine]

Just now, Curious Pineapple said:

This, people, is why we don't want single port computers. Forget about the absolute clusterfuck if that single port gets damaged, you can't even turn it off and use any external devices at all.

 

I'll stick to my half inch thicker laptops with an array of ports thanks

That and the fact this vulnerability bypasses basically all best practices on the system. Ouch. 

[Curious Pineapple]

Just now, Pickles - Lord of the Jar said:

That and the fact this vulnerability bypasses basically all best practices on the system. Ouch. 

*Awaiting rampage of "but Apple fixed it" comments*

[Pickles von Brine]

1 minute ago, Curious Pineapple said:

*Awaiting rampage of "but Apple fixed it" comments*

Apple isn't mentioned in here, but from I have heard, they do some pretty cool stuff with their security anyways. 
 

 

[TetraSky]

Welp, RIP that connector I guess.

[Pickles von Brine]

Just now, TetraSky said:

Welp, RIP that connector I guess.

It is more of another RIP on intel as well. This is what, 11 vulnerabilities total?

[ARikozuM]

This has been one hell of a decade already... 

[TetraSky]

18 minutes ago, Pickles - Lord of the Jar said:

It is more of another RIP on intel as well. This is what, 11 vulnerabilities total?

Technically, we have Thunderbolt on AMD as well...  Sure it was developed by Intel, but they've opened it since and it doesn't require an Intel CPU.

[Pickles von Brine]

1 minute ago, TetraSky said:

Technically, we have Thunderbolt on AMD as well...  Sure it was developed by Intel, but they've opened it since and it doesn't require an Intel CPU.

Very true, but it was still Intel who made it. So ultimately their name is on it 

[hishnash]

25 minutes ago, Pickles - Lord of the Jar said:

Apple isn't mentioned in here, but from I have heard, they do some pretty cool stuff with their security anyways. 

 

Yer it increases the cost of making the laptop by quite a bit as apple require the T2 chip (a lower binned iPad cpu) for this. Interesting how the T2 chip became a thing just as macs got TB3...  it is a shame apple are so secretive, i expect to know of attacks like this a long time ago, but maybe due to agreements with intel are not able to share them. 

[Curious Pineapple]

2 minutes ago, hishnash said:

Yer it increases the cost of making the laptop by quite a bit as apple require the T2 chip (a lower binned iPad cpu) for this. Interesting how the T2 chip became a thing just as macs got TB3...  it is a shame apple are so secretive, i expect to know of attacks like this a long time ago, but maybe due to agreements with intel are not able to share them. 

And if they fail, the whole machine is dead and data is all gone.

[Pickles von Brine]

31 minutes ago, Curious Pineapple said:

And if they fail, the whole machine is dead and data is all gone.

pretty much

[hishnash]

23 minutes ago, Curious Pineapple said:

And if they fail, the whole machine is dead and data is all gone.

Yep a lot fo that is due to the fact the T2 chip is both the SSD controller (the SDD in T2 macs don't have their own controller chips) and it has an internal crypto key that never leaves its secure enclave. Much like other proper secure boot systems. 

Any form of secure boot that just uses the users password is easy to break. You just clone the first few MB of the hard-drive and fire up a GPU to brute force the user password massively in parallel. This is why MS use the TPM chip on their devices. The T2 chip has some other benefit of the TPM, namely the crypto happens within the T2 so it does not use up your cpu cycles. (if you are putting your cpu under heavy load at the same time as heavy disk access you will find your perf drop on a windows system with secure boot). 

But the most important features of the T2 is the secure boot subsystem, that said i think they could have made it better.

the T2 stores your x86 UEFI on your ssd. That is why if you remove/replace the SSD (on the macPro/iMacPro were it is modular) you cant boot teh system. You need that UEFI.

1) Apple should have put the x86 UEFI on a separate (removable, this is useful for diagnostics) ssd, so that replacing user's the modular SSDs is possible without needing to first load them with the correctly signed UEFI.

2) they should have also made all T2 macs use the modular option

[Pickles von Brine]

5 minutes ago, hishnash said:

Yep a lot fo that is due to the fact the T2 chip is both the SSD controller (the SDD in T2 macs don't have their own controller chips) and it has an internal crypto key that never leaves its secure enclave. Much like other proper secure boot systems. 

Any form of secure boot that just uses the users password is easy to break. You just clone the first few MB of the hard-drive and fire up a GPU to brute force the user password massively in parallel. This is why MS use the TPM chip on their devices. The T2 chip has some other benefit of the TPM, namely the crypto happens within the T2 so it does not use up your cpu cycles. (if you are putting your cpu under heavy load at the same time as heavy disk access you will find your perf drop on a windows system with secure boot). 

But the most important features of the T2 is the secure boot subsystem, that said i think they could have made it better.

the T2 stores your x86 UEFI on your ssd. That is why if you remove/replace the SSD (on the macPro/iMacPro were it is modular) you cant boot teh system. You need that UEFI.

1) Apple should have put the x86 UEFI on a separate (removable, this is useful for diagnostics) ssd, so that replacing user's the modular SSDs is possible without needing to first load them with the correctly signed UEFI.

2) they should have also made all T2 macs use the modular option

Doubt they will ever do that. Good ideas though!

[Curious Pineapple]

11 minutes ago, hishnash said:

Yep a lot fo that is due to the fact the T2 chip is both the SSD controller (the SDD in T2 macs don't have their own controller chips) and it has an internal crypto key that never leaves its secure enclave. Much like other proper secure boot systems. 

Any form of secure boot that just uses the users password is easy to break. You just clone the first few MB of the hard-drive and fire up a GPU to brute force the user password massively in parallel. This is why MS use the TPM chip on their devices. The T2 chip has some other benefit of the TPM, namely the crypto happens within the T2 so it does not use up your cpu cycles. (if you are putting your cpu under heavy load at the same time as heavy disk access you will find your perf drop on a windows system with secure boot). 

But the most important features of the T2 is the secure boot subsystem, that said i think they could have made it better.

the T2 stores your x86 UEFI on your ssd. That is why if you remove/replace the SSD (on the macPro/iMacPro were it is modular) you cant boot teh system. You need that UEFI.

1) Apple should have put the x86 UEFI on a separate (removable, this is useful for diagnostics) ssd, so that replacing user's the modular SSDs is possible without needing to first load them with the correctly signed UEFI.

2) they should have also made all T2 macs use the modular option

1) It's Apple

2) It's Apple

 

Neither will help them screw customers over when things go wrong so don't count on it.

[hishnash]

1 minute ago, Curious Pineapple said:

Neither will help them screw customers over when things go wrong so don't count on it.

I don't think apple actively try to screw customers over they just don't go out of thier way to make it easy for users. 

[suicidalfranco]

welp guess MS didn't lie when they said that they don't put TB on their surfaces because of security reasons

[Curious Pineapple]

12 minutes ago, hishnash said:

I don't think apple actively try to screw customers over they just don't go out of thier way to make it easy for users. 

Are you sure about that? 2 grand repair bill for a damaged (and fixable) pin on a connector says otherwise.

[Pickles von Brine]

11 minutes ago, Curious Pineapple said:

Are you sure about that? 2 grand repair bill for a damaged (and fixable) pin on a connector says otherwise.

2g? They have mail in services that are not so bad. I always go to AASPs vs going to Apple to get my computer fixed. Far more reasonable. 

[Curious Pineapple]

Just now, Pickles - Lord of the Jar said:

2g? They have mail in services that are not so bad. I always go to AASPs vs going to Apple to get my computer fixed. Far more reasonable. 

I don't use Apple machines, it was a CBC undercover report. They took a Macbook in with "no display" (was just no backlight). The "genius" said it was liquid damaged and needed a new board, top case and possibly a screen. Was just a (purposely) damaged cable that took 5 minutes to diagnose and repair.

 

I prefer machines I can buy parts for and fit the next day when they turn up from Amazon My 11 year old HP tank is still going strong

[atxcyclist]

28 minutes ago, hishnash said:

I don't think apple actively try to screw customers over they just don't go out of thier way to make it easy for users. 

Guaranteeing that your data will be lost if your computer/SSD has a hardware failure is actively screwing your customers though. This idea that Joe Schmoe Everyuser needs unbreakable encryption on their laptop is crazy, it's better if data recovery is possible, VS having a device so locked-down that a shorted USB controller frying your logic board makes your data unrecoverable.

[NumLock21]

So for the hacker to do this, they must

1. Have physical access to the machine

2. An iFixit Pro Tech Tool Kit

3. Some DIY circuit board of some sort with a attachment that goes to the TB connector used in the IBM ThinkPad

4. Some other machine that was in the video but was never mentiond

5. A MacBook Pro

6. Some cables

I was expecting some flash drive that was quickly plugged in and the login can be bypassed in seconds, not something like this. All I see is just scare mongering as if having TB is something not to have anymore. That stupid demo just shows how to bypass the login screen, what about TPM, BitLocker, and Hard drive encryption, can it bypass them too.

 

[TempestCatto]

2 hours ago, Curious Pineapple said:

This, people, is why we don't want single port computers. Forget about the absolute clusterfuck if that single port gets damaged, you can't even turn it off and use any external devices at all.

 

I'll stick to my half inch thicker laptops with an array of ports thanks

You just pissed off everyone who likes Apple. lol

[Curious Pineapple]

Just now, TempestCatto said:

You just pissed off everyone who likes Apple. lol

I hope so