{"id":1795,"date":"2020-05-18T03:25:25","date_gmt":"2020-05-18T03:25:25","guid":{"rendered":"https:\/\/www.tech-battery.com\/batteriesblog\/?p=1795"},"modified":"2020-05-18T03:25:25","modified_gmt":"2020-05-18T03:25:25","slug":"microsoft-confirms-serious-new-security-problem-for-windows-10-users","status":"publish","type":"post","link":"https:\/\/www.tech-battery.com\/batteriesblog\/microsoft-confirms-serious-new-security-problem-for-windows-10-users\/","title":{"rendered":"Microsoft Confirms Serious New Security Problem For Windows 10 Users"},"content":{"rendered":"\n<p>Microsoft has now joined Intel in confirming a newly reported security vulnerability with Thunderbolt ports, one that enables an attacker with physical access to a PC to modify the port\u2019s controller firmware, disabling its security. As I&nbsp;reported&nbsp;last week, almost all Windows PCs with Thunderbolt ports are vulnerable, except a few from last year that shipped with Kernel DMA protection enabled.<\/p>\n\n\n\n<p>This new security threat has been dubbed \u201cThunderspy\u201d by Bj\u00f6rn Ruytenberg, the Eindhoven University of Technology researcher who discovered and disclosed it. Ruytenberg&nbsp;warns&nbsp;that despite locking or suspending a PC, setting up Secure Boot and strong system passwords, and enabling disk encryption, \u201call an attacker needs is&nbsp;five minutes alone&nbsp;with the computer\u201d to compromise a machine.<\/p>\n\n\n\n<p>Such physical attacks on computers are complex, high-risk and thankfully rare. But they do happen. A physical compromise such as this is nicknamed an \u201cevil maid\u201d attack\u2014the idea being that your machine is targeted when you\u2019re staying in a hotel and away from your room, or when the overnight cleaning crew come to blitz your office. 
An attacker needs a few undisturbed minutes with no eyes-on.<\/p>\n\n\n\n<p>If you\u2019re a target, this will happen when you\u2019re down at breakfast, out to dinner or using the gym in your hotel. \u201cI have even heard of someone finding all the screws from his laptop on the table top after he took it out from his hotel safe,\u201d former British intel officer Philip Ingram told me. This is why security professionals leave a \u201cdo not disturb\u201d sign on their hotel room doors even when they\u2019re not inside\u2014you get your room serviced by calling down and asking for it to be done at a time of your choosing. And you have your devices with you while it\u2019s being done.<\/p>\n\n\n\n<p>Now Microsoft has&nbsp;confirmed&nbsp;the risk that \u201can attacker with physical access to a system can use Thunderspy to read and copy data even from systems that have encryption with password protection enabled.\u201d The vulnerability is in hardware, and so cannot be patched. According to Microsoft, someone with physical access to the device \u201ccould sign in and exfiltrate data or install malicious software.\u201d Microsoft\u2019s&nbsp;advice&nbsp;to \u201cstay ahead of advanced data theft\u201d is to buy a new PC.<\/p>\n\n\n\n<p>Not just any PC, of course, but one of their newly minted \u201csecured-core PCs.\u201d These have been around since late last year and come with all the security bells and whistles enabled in hardware and firmware, \u201cmitigating Thunderspy and any similar attacks that rely on malicious DMA.\u201d Intel told me that a Thunderspy attack \u201ccould not be successfully demonstrated on systems with Kernel DMA protection,\u201d a feature enabled by default on Microsoft\u2019s Secured-core PCs.<\/p>\n\n\n\n<p>As Microsoft explains, \u201ceven if an attacker was able to copy malicious Thunderbolt firmware to a device, the Kernel DMA protection on a Secured-core PC would prevent any accesses over the Thunderbolt port unless the attacker 
gains the user\u2019s password&#8230; significantly raising the degree of difficulty.\u201d<\/p>\n\n\n\n<p>There is now a range of Secured-core PCs available, aimed at business users, likely those with a heightened sense of security awareness, who travel regularly (albeit not just at the moment), and who have valuable data on their machines. This isn\u2019t just spooks\u2014business leaders, VIPs, negotiators, politicians, anyone with sensitive data who travels and leaves their PC out of sight for periods of time.<\/p>\n\n\n\n<p>The alternative mitigation to a locked-down machine, according to Ingram, is worse. \u201cTake a burner device with only the data you need for those meetings on a separate USB. Never connect it to any network when you return home and only use it for travel to that country. If you ever leave it unattended assume the hardware has been compromised. If you have been subject to extended searches at an airport and have lost sight of your IT, assume it has been compromised.\u201d You get the point.<\/p>\n\n\n\n<p>As security vulnerabilities go, Thunderspy is pretty niche\u2014an issue on a massive scale, but one which realistically only puts a very small percentage of users at risk. That said, it&nbsp;is&nbsp;a security flaw and it does leave PCs open to compromise. With that in mind, plus the fact this is now in the public domain, I\u2019m sure many users will look at the availability of&nbsp;Kernel DMA protection&nbsp;when they next trade up.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft has now joined Intel in confirming a newly reported security vulnerability with Thunderbolt ports, one that enables an attacker with physical access to a PC to modify the port\u2019s controller firmware, disabling its security. 
As I&nbsp;reported&nbsp;last week, almost all Windows PCs with Thunderbolt ports are vulnerable, except a few from last year that shipped &hellip; <a href=\"https:\/\/www.tech-battery.com\/batteriesblog\/microsoft-confirms-serious-new-security-problem-for-windows-10-users\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Microsoft Confirms Serious New Security Problem For Windows 10 Users&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[92,93],"class_list":["post-1795","post","type-post","status-publish","format-standard","hentry","category-systems-and-procedures","tag-microsoft","tag-windows-10"],"_links":{"self":[{"href":"https:\/\/www.tech-battery.com\/batteriesblog\/wp-json\/wp\/v2\/posts\/1795","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tech-battery.com\/batteriesblog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tech-battery.com\/batteriesblog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tech-battery.com\/batteriesblog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tech-battery.com\/batteriesblog\/wp-json\/wp\/v2\/comments?post=1795"}],"version-history":[{"count":1,"href":"https:\/\/www.tech-battery.com\/batteriesblog\/wp-json\/wp\/v2\/posts\/1795\/revisions"}],"predecessor-version":[{"id":1796,"href":"https:\/\/www.tech-battery.com\/batteriesblog\/wp-json\/wp\/v2\/posts\/1795\/revisions\/1796"}],"wp:attachment":[{"href":"https:\/\/www.tech-battery.com\/batteriesblog\/wp-json\/wp\/v2\/media?parent=1795"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tech-battery.com\/batteriesblog\/wp-json\/wp\/v2\/categories?post=1795"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tech-battery.com\/batteriesblog\/wp-
json\/wp\/v2\/tags?post=1795"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}