Any PC produced before 2019 is vulnerable to “Thunderspy” attacks

Björn Ruytenberg, a security researcher at the Eindhoven University of Technology, revealed that all PCs manufactured before 2019 may be hacked due to defects in commonly used Thunderbolt ports.

Even if the PC is in sleep mode or locked, this attack called Thunderspy can read and copy all data from the user’s PC. In addition, it can steal data from encrypted drives.

Belkin shows off an early hand made a prototype of a Thunderbolt Express Dock at Intel’s IDF 2011 showcase

Thunderspy belongs to the category of evil-maid attacks, which means that it requires physical access to the device to attack it, so it is less utilized than other attacks that can be performed remotely. But on the other hand, Thunderspy is still a stealth attack. After the successful execution of the invasion, the criminals will leave almost no trace of exploitation.

In fact, as early as February 2019, a group of security researchers discovered a related intrusion event Thunderclap similar to Thunderspy. In the same year, Intel released a security mechanism to prevent drive-by Direct Memory Access (DMA) attacks, called Kernel Direct Memory Access Protection.

Ruytenberg pointed out that all Thunderbolt-equipped devices shipped between 2011 and 2020 are vulnerable. Devices that have delivered kernel DMA protection since 2019 are also vulnerable to attack to some extent.

Thunderspy vulnerabilities cannot be fixed in the software, which will affect future standards such as USB 4 and Thunderbolt 4, and will eventually require a chip redesign.