ESET Releases Advice on Protecting Against Thunderspy

Written by

Practical steps to defend against the attack vendor Thunderspy, a series of vulnerabilities in the Thunderbolt technology, have been published today by ESET.

Thunderbolt is an interface for allowing high-speed connections between computers and peripherals. Using Thunderspy, attackers potentially change or even remove the security measures of the Thunderbolt interface on a target computer, enabling them to steal data from it.

Despite being first uncovered by Björn Ruytenberg, a computer security researcher, in May 2020, more insights are needed into Thunderspy, with Thunderbolt-based attacks rare and highly targeted in nature.

Aryeh Goretsky, ESET distinguished researcher noted: “While Ruytenberg’s research has received publicity because of its novel attack vector, not much has been said about how to protect against Thunderspy, or even determine whether you have been a victim.”

Goretsky explained that Thunderbolt-based attacks are generally limited to high profile targets such as business executives, engineers or administrative personnel because they are difficult to conduct; it either requires cloning identities of Thunderbolt devices that are already trusted and allowed by the computer, or even the permanent disablement of Thunderbolt security.

Both of these methods require in-person access to the target computer as well as the tools to disassemble the computer, attach a logic programmer, read the firmware from the SPI flash ROM chip, disassemble and modify its instructions, and write it back to the chip.

To effectively protect against Thunderspy, Goretsky recommends: “First, prevent any unauthorized access to your computer. Second, secure all your computer’s relevant interfaces and ports, such as USB-C. Besides that, look beyond physical measures and also take steps to make your computer’s firmware and software more secure.”

These include taking very simple steps. “Disable hibernation, sleep or other hybrid shutdown modes. Make the computer turn completely off when not in use – doing this can prevent attacks on the computer’s memory via Thunderspy,” he added.

ESET additionally recommend that reputable security software is used to scan a computer’s UEFI firmware, which is one of the locations where Thunderbolt security information is stored.

What’s hot on Infosecurity Magazine?