Skip to main content

Thunderspy Vulnerabilities Could Allow Data Theft From Encrypted Drives

by Chris Brook on Monday August 22, 2022

Contact Us
Free Demo

Assuming an attacker has physical access to a machine, a new attack could let allow for the access of data on a locked, password protected, and encrypted hard drive.

A handful of flaws in Intel’s Thunderbolt hardware port, present on millions of computers produced since 2011, could open users up to data theft.

A new attack vector dubbed Thunderspy, disclosed Sunday night, could make it possible for an attacker to bypass the login screen of a sleeping or locked Apple, Linux and Windows computer and access data.

It’s important to note that while far-reaching, an attack would require physical access to a machine in order to carry it out, meaning the vector may not fall within every individual’s threat model.

According to Björn Ruytenberg, a computer science master's student at Eindhoven University of Technology in the Netherlands who discovered the flaws, there are seven vulnerabilities in total.

1. Inadequate firmware verification schemes
2. Weak device authentication scheme
3. Use of unauthenticated device metadata
4. Downgrade attack using backwards compatibility
5. Use of unauthenticated controller configurations
6. SPI flash interface deficiencies
7. No Thunderbolt security on Boot Camp

Ruytenberg informed Intel of the vulnerabilities - Intel said it was only aware of two of them - on February 10. The company confirmed the researcher's findings a month later, on March 10 and an additional vulnerability on March 17. He informed Apple of the last vulnerability on April 17.

In one video demonstrating a proof of concept, Rutenberg has to unscrew the backplate of a Thinkpad and attach a SPI programmer, and a Thunderbolt peripheral to dismantle the machine's security settings. Ruytenberg said on Twitter that another attack avenue could involve getting access to a device and cloning its identity, something he says would only take five minutes.

Ruytenberg said he's workshopped nine realistic scenarios in which an attacker could exploit the vulnerability to get access to a system and says its "stealth, meaning that you cannot find any traces of the attack." While it can be argued that if interrupted, a user might think something is awry if their laptop is cracked open, if granted enough time, the attack sounds theoretical.

Apple Macs running macOS are only “partially affected” by Thunderspy. Instead they’re more likely to be vulnerable to an attack like BadUSB, an attack from 2014 that relies on exploiting the firmware that controls how devices with USB drives operate. Retina MacBooks are not affected.


Thunderbolt, a proprietary connectivity standard, has had its fair share of issues over the years. Last year researchers demonstrated how, by taking advantage of direct-memory access (DMA) that Thunderbolt accessories are granted, an attack called Thunderclap – a collection of vulnerabilities - could leave a machine vulnerable. That attack could be exploited by a USB Type-C connector, DisplayPort connector, compromised PCI Express peripherals, plug-in card or chip soldered to the motherboard.

Ruytenberg’s attack is essentially an Evil Maid-style attack, a technique popularized back in 2009 by Joanna Rutkowska, a Polish computer security researcher, that involves a physical attack on a computing device without the user's knowledge. At the time Rutkowska published a tool demonstrating how using an attacker could use a USB tool to defeat full disk encryption. The name references the fact that attacks like this are "plug-and-exploit," only require a few minutes, and could be carried out by a nefarious maid.

Intel on Sunday took umbrage with the idea Thunderspy is a new vulnerability and claims the underlying vulnerability was addressed in operating systems with the implementation of Kernel Direct Memory Access last year. Instead the company claims Ruytenberg just used a "a customized peripheral device on systems that did not have these mitigations enabled.” As WIRED, one of the first security publications to write about Thunderspy, notes, not every machine has Kernel DMA present; it's nowhere to be found on machines released before 2019.

Tags:  Vulnerabilities

Recommended Resources

The Definitive Guide to DLP

All the essential information you need about DLP in one eBook.

The Ultimate Guide to Data Protection

Everything you need to know about data protection but were afraid to ask.