When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security

The presentation discusses the Thunderspy vulnerability in Thunderbolt-equipped systems and how it can be exploited to gain persistent access to victim systems.

• Thunderspy is a vulnerability in Thunderbolt-equipped systems that can be exploited to gain unrestricted read and write access to system memory and data from encrypted drives.
• There are two attack methods: one requires brief access to the laptop to reprogram the host controller firmware, while the other requires brief access to any of the victim's pre-authorized sample devices.
• Security levels in Thunderbolt devices are intended to protect against opportunistic physical access, but Thunderspy can bypass these measures.
• The vulnerability can be used to install a root kit and gain persistent access to victim systems.
• Thunderspy is a powerful and much-needed protection scheme that prevents PCIe endpoints from accessing the PCIe domain and protects against various PCIe inherent attack factors.

The presenter uses the example of a cleaning crew having brief access to a desktop system in an office to illustrate the threat of opportunistic physical access.

Thunderbolt is a high-bandwidth interconnect promoted by Intel and included in laptops, desktops, and other systems. Being PCIe-based, Thunderbolt devices possess Direct Memory Access (DMA)-enabled I/O. In an "evil maid" DMA attack, where adversaries obtain brief physical access to the victim system, Maartmann-Moe (Inception), Frisk (PCILeech) and others have shown Thunderbolt to be a viable entry point in stealing data from encrypted drives and reading and writing all of system memory. In response, Intel introduced "Security Levels", a security architecture designed to enable users to authorize trusted Thunderbolt devices only. To further strengthen device authentication, the system is said to provide "cryptographic authentication of connections" to prevent devices from spoofing user-authorized devices.We present Thunderspy, a series of attacks that break all primary security claims for Thunderbolt 1, 2 and 3. So far, our research has found seven vulnerabilities: inadequate firmware verification schemes, weak device authentication scheme, use of unauthenticated device metadata, downgrade attack using backwards compatibility, use of unauthenticated controller configurations, SPI flash interface deficiencies, and no Thunderbolt security on Boot Camp. Finally, we present nine practical exploitation scenarios. In an "evil maid" threat model and varying Security Levels, we demonstrate the ability to create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices, and finally obtain PCIe connectivity to perform DMA attacks. In addition, we show unauthenticated overriding of Security Level configurations, including the ability to disable Thunderbolt security entirely, and restoring Thunderbolt connectivity if the system is restricted to exclusively passing through USB and/or DisplayPort. We conclude with demonstrating the ability to permanently disable Thunderbolt security and block all future firmware updates.All Thunderbolt-equipped systems shipped between 2011-2020 are vulnerable. Some systems providing Kernel DMA Protection, shipping since 2019, are partially vulnerable. The Thunderspy vulnerabilities cannot be fixed in software, impact future standards such as USB4 and Thunderbolt 4, and will require a silicon redesign.