Security researcher Björn Ruytenberg with the Eindhoven University of Technology recently published a report detailing a series of serious security vulnerabilities in Thunderbolt 2 and Thunderbolt 3, collectively called “Thunderspy.”
They affect every single computer with a Thunderbolt 2 or Thunderbolt 3 port, including old-style port connectors and new Type-C connectors, whether the computers are running Windows, Linux, or macOS.
How badly does this security flaw impact Mac users? Should you freak out about someone hacking into your MacBook the next time you get up from your desk to refill your coffee?
Seven Thunderspy vulnerabilities
Ruytenberg describes seven vulnerabilities in his paper. They are as follows.
Inadequate firmware verification schemes.
Weak device authentication scheme.
Use of unauthenticated device metadata.
Use of unauthenticated controller configurations.
SPI flash interface deficiencies.
No Thunderbolt security on Boot Camp.
It’s beyond the scope of this article to get into exactly what each of these mean and how they can be exploited to breach systems with Thunderbolt ports.
Just know this: Macs are only susceptible to vulnerabilities 2 and 3 when running macOS, and even then only partially so. Running Windows or Linux on your Mac using Boot Camp makes you vulnerable to all of them.
How you could be hacked
The good news is that it would not necessarily be easy for a hacker to break into your Mac with these exploits. They have to have physical access to your computer and a prepared Thunderbolt hacking device.
These sorts of vulnerabilities are often called “evil maid” threats. They require the attacker to have unimpeded and undetected access to your computer for at least a few minutes. It’s highly unlikely someone would be able to take advantage of these exploits if you closed the lid of your MacBook and stepped away from it for a minute in a coffee shop.
The worst of these vulnerabilities can happen while your Mac is in sleep mode, but not while it is powered off.
Intel has issued a statement about these threats.
In 2019, major operating systems implemented Kernel Direct Memory Access (DMA) protection to mitigate against attacks such as these. This includes Windows (Windows 10 1803 RS4 and later), Linux (kernel 5.x and later), and MacOS (MacOS 10.12.4 and later). The researchers did not demonstrate successful DMA attacks against systems with these mitigations enabled. Please check with your system manufacturer to determine if your system has these mitigations incorporated. For all systems, we recommend following standard security practices, including the use of only trusted peripherals and preventing unauthorized physical access to computers.
The real worry here is for Boot Camp users. When in Boot Camp, Apple has the Thunderbolt controller set to security level “none” (SL0), which means a hacker with access to your computer running Boot Camp could easily access the contents of RAM or your hard drive, bypassing the lock screen.
For those running macOS, make sure you have updated to at least macOS 10.12.4. If you have, the practical dangers of the Thunderspy vulnerability are pretty narrow. If your version of macOS is older, a hacker with physical access to your Thunderbolt port could potentially copy contents of RAM or storage.
Even with a fully up-to-date macOS, a hacker could make a Thunderbolt device that copies the legitimate security ID of an officially supported device, and then use it to execute some port-based attacks similar to what hackers can do on USB ports. Those tend to be slow and limited in scope compared to directly accessing the contents of your RAM or storage.
What you should do
Ruytenberg has suggested a number of things Mac users can do to help protect themselves:
Connect only your own Thunderbolt peripherals. Never lend them to anybody.
Avoid leaving your system unattended while powered on, even when screen locked.
Avoid leaving your Thunderbolt peripherals unattended.
Ensure appropriate physical security when storing your system and any Thunderbolt devices, including Thunderbolt-powered displays.
Consider using hibernation (Suspend-to-Disk) or powering off the system completely. Specifically, avoid using sleep mode (Suspend-to-RAM).
If you use Boot Camp to run Windows or Linux on your Mac, make sure it is powered down whenever it’s unattended. If you’re just running macOS, make sure you have updated to the latest version of macOS, and exercise the same precautions about Thunderbolt devices as you should about USB devices. If you don’t know where a Thunderbolt device has been, don’t plug it into your Mac, and don’t leave your Mac turned on (even if locked) and unattended where people can access it.
Should you be worried?
Most Mac users should not be terribly concerned about this particular security vulnerability. If your macOS install isn’t way out of date and you’re practicing good physical security (don’t leave your Mac turned on and unattended, don’t plug in devices if you don’t know where they’ve been) you don’t have a lot to fear from this avenue of attack. Remote attacks that use Wi-Fi or Bluetooth, or attempt to infect your computer with software downloaded over the Internet, are vastly more common than attacks like these that require physical access to your computer.
Users who run Boot Camp, especially in public places, should be particularly careful. When running Windows or Linux via Boot Camp, the Thunderbolt port on a Mac is more or less wide open. We can probably expect Apple to issue a software update to make Boot Camp more secure in the near future. If you have to use Boot Camp, you should fully shut down your Mac whenever you leave it unattended.