The Internet is abuzz with some research work by an MSc student named Björn Ruytenberg (Eindhoven University). He’s discovered that Thunderbolt 3 ports can easily be hacked, if an attacker gets “5 minutes alone with the computer, a screwdriver, and some easily portable hardware.” He has published a research paper on his work, “Breaking Thunderbolt Protocol Security: Vulnerability Report,” and he’s also put up a website at https://thunderspy.io, whose banner makes the intro graphic for this story. There, you can download versions of his Spycheck software for Windows or Linux.
The bottom line is that if you have a PC or laptop with a Thunderbolt 3 port, you’re probably exposed to this vulnerability, especially if the machine was built in 2018 or earlier. Newer versions of Thunderbolt may have partial protection, as explained on his website and in the research paper. Here’s what the Windows version of his software checker looks like on my production PC before I’ve told it what kind of port to check for me (this particular PC has no Thunderbolt ports, so it’s purely for screencap purposes in this case):
The tool can check USB-C or DisplayPort Mini ports, with or without Thunderbolt capabilities. 3 of my 4 newer Lenovo laptops are vulnerable to this exploit.
Why Say: Physical Security Reigns Supreme?
Mr. Ruytenberg’s premise is based on 5 minutes alone with the PC and a set of tools of one’s choosing. There are enough Windows cracking tools out there that 5 minutes alone with a PC and those tools could render it totally pwned anyway. Hence my statement, which means that you must control physical access to any PC to keep it secure, whether it has any Thunderbolt ports or not. This is an interesting piece of work, and it’s good information to know, but it’s making a new crisis out of what has been known to be a BIG PROBLEM for years and years, from a security standpoint.
Mr. Ruytenberg does make the point that one shouldn’t lend Thunderbolt hardware (such as docks or port multipliers) to untrusted third parties, because they can hack its firmware to plant the same backdoors that hacking a PC’s built-in Thunderbolt hardware can leave open. Microsoft published information about Thunderbolt 3 vulnerabilities along these lines back in March 2019. The real moral of the story is “Don’t let anybody gain unsupervised access to your PCs and peripherals.” This is not exactly news, but it does bear repeating (and remembering) from time to time.
In other words: Physical security reigns supreme. Be sure to maintain physical security on all your PCs and peripherals (this goes for other, non-digital valuables, too). ’Nuff said.
Author: Ed Tittel
Ed Tittel is a 30-plus-year computer industry veteran. He’s a Princeton and multiple University of Texas graduate who’s worked in IT since 1981 when he started his first programming job. Over the past three decades he’s also worked as a manager, technical evangelist, consultant, trainer, and an expert witness. See his professional bio for all the details.