Light Dark
May 12, 2020 By Shane Schick 2 min read

Millions of Windows and Linux-based devices could be hit by what researchers call Thunderspy attacks, where flaws in Thunderport interfaces are exploited in a matter of minutes.

Initially discovered by a student at the Eindhoven University of Technology in the Netherlands, the attacks can be accomplished with minimal gear from threat actors. This includes some portable hardware and a screwdriver, although attackers would need physical access to a Thunderport-equipped machine as well.

Developed by Apple and Intel, Thunderport was intended to let people use a single connector for video and charging peripherals. The Thunderspy attacks exploit what the researcher describes as flaws in the technology’s underlying security protocols.

Inside a Thunderspy Attack

In a proof of concept that was captured on video, the researcher used a commonly available Serial Peripheral Interface (SPI) programmer device that exchanges data between microcontrollers and other hardware.

After attaching the SPI programmer to an SOP8 clip on the bottom of a laptop with a Thunderbolt port, the researcher was able to turn off device settings designed to protect its data from third parties by rewriting the firmware. This meant he was able to log in without a password to the laptop in less than five minutes, with equipment that only cost about $400.

While many cyberattacks involve some kind of phishing campaign to fool users into clicking on a malicious link, Thunderspy happens without leaving a visible trace afterward, the researcher said. It can also work whether or not a company admin has used strong passwords, full disk encryption or even if the device has been locked by the user.

This is not the first time Thunderbolt has raised IT security concerns. Last year, a researcher published findings about another vulnerability, dubbed Thunderclap, which took advantage of the technology’s direct memory access (DMA).

How to Prevent a Thunderspy Exploit

Intel responded to the Thunderspy research in a blog post that suggested its DMA protection would mitigate much of the risk. Other preventive measures include disabling the BIOS connection to Thunderbolt ports.

This may be yet another reason to consider a unified endpoint management (UEM) solution to ensure you’re covered for all potential security threats and not simply traditional malware.

 |  |  |  |  |  |  |  |  |  |  |  |  | 
Shane Schick
Writer & Editor

More from

July 26, 2024

Hive0137 and AI-supplemented malware distribution

12 min read - IBM X-Force tracks dozens of threat actor groups. One group in particular, tracked by X-Force as Hive0137, has been a highly active malware distributor since at least October 2023. Nominated by X-Force as having the “Most Complex Infection Chain” in a campaign in 2023, Hive0137 campaigns deliver DarkGate, NetSupport, T34-Loader and Pikabot malware payloads, some of which are likely used for initial access in ransomware attacks. The crypters used in the infection chains also suggest a close relationship with former…

July 25, 2024

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

July 24, 2024

Crisis communication: What NOT to do

4 min read - Read the 1st blog in this series, Cybersecurity crisis communication: What to doWhen an organization experiences a cyberattack, tensions are high, customers are concerned and the business is typically not operating at full capacity. Every move you make at this point makes a difference to your company’s future, and even a seemingly small mistake can cause permanent reputational damage.Because of the stress and many moving parts that are involved, businesses often fall short when it comes to communication in a crisis.…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature