back to article Incredible how you can steal data via Thunderbolt once you've taken the PC apart, attached a flash programmer, rewritten the firmware...

It's possible to extract data from a computer via its Thunderbolt port – once you've got the case off, plugged in a flash programmer, and reprogrammed the controller's firmware to grant access. This technique, dubbed Thunderspy, can be exploited even if the computer is locked or asleep, and can bypass disk encryption, and any …

  1. jake Silver badge

    Who expects a PEE CEE to be secure in the first place?

    Is anyone out there really that daft?

    (That's rhetorical, in case you were wondering.)

  2. HildyJ Silver badge

    more of a neat trick than infosec Armageddon

    Neat article, neat trick, but way too Mission Impossible for real life. I'll file this with the transmitting data via fan noise article.

    Still, cheers to the boffins who figured this out. Although they do seem to have a lot of time on their hands. Probably in self quarantine.

    1. Snake Silver badge

      Re: more of a neat trick than infosec Armageddon

      It's quite serious if you take it from the perspective of state-run secrets, confiscations or political actions: if you are a political dissident, or arrested even on a trumped-up charge, and you thought that your password/encrypted data could not be used against you because they never will be able to get to it, this changes that outcome.

      Corporate espionage on a stolen, yet encrypted, laptop? Done. Don't agree with our political agenda, refused boarding of your plane, and fishing for "evidence" on your locked laptop? Done. Even a simply confiscation of an attorney's, or an accountant's, records, with just a twinkle of a suspicion of fraud, but the prosecutor can't get the courts to agree to a full warrant? Done, and done (and fight about it in the courts but that's later, hopefully after that nice "guilty" verdict that sounds great in the news and on your resume as you run for higher office).

      This is horrible news for anyone who used BIOS passwords or encryption in the first place.

      1. doublelayer Silver badge

        Re: more of a neat trick than infosec Armageddon

        Well, sort of. However, it does involve quite a bit of work to access the data, which means that it won't get used all that often. If it's a government doing the accessing, you end up in XKCD 538 territory. Similarly, it won't work unless the person has put the computer to sleep while the attacker has access to it. If it has been shut down or the battery died, the exploit produces nothing. So this also limits the viability of using that attack after the user has run away. The attack is also only needed if the user has encrypted their disks but hasn't done anything else to protect the data--if they also encrypt the file, the attack cannot get the cleartext of that file or the password, and if the user didn't encrypt the disk, then there is no need to do this.

        While it's not useless, it only works in a relatively small number of cases, and in many of those cases, there is a more direct method of getting access. It's a good reminder to those who are concerned about an attacker of that level of skill and determination to avoid suspending to memory, but that has been known for some time.

        1. Snake Silver badge


          "However, it does involve quite a bit of work to access the data,"

          Just the opposite! Did anybody beyond myself actually read the white paper? I'll quote said paper:

          "All the attacker needs is 5 minutes alone with the computer, a screwdriver, and some easily portable hardware."

          Or did you watch the video??

          5 minutes, you're DONE. The attack is almost completely automated: lift the back, attach an attack computer, reprogram, attach a Thunderbolt attack device, done.

          The researchers even provided 2 tools they developed to assist the crack!

          This isn't even difficult. And a *lot* of people use Sleep mode whilst traveling; for example, using the computer whilst awaiting boarding in the airport, then going into Sleep mode to awaken back on the plane.

          1. doublelayer Silver badge

            Re: @Doublelayer

            You're leaving out some steps:

            Steal laptop from user: If they're in the airport, they likely still have the machine right next to them. Good luck with that. Stealing it with enough time to do the rest of the steps and return it unnoticed usually requires them to leave it somewhere from where it can be lifted.

            Dismantle laptop: This step is fast. Well, it's fast for my computer as long as you have the correct screwdriver, because you just have to undo all the screws and lift off the backplate. For a computer which uses a lot more glue, it'll be much slower to get at the thunderbolt interface pads.

            Attach reprogrammer: This needs to be a reprogrammer that already has the code for this specific Thunderbolt chipset and is wired properly for the interface in the computer. So it's not one-size-fits-all. A criminal can't just carry a simple box that lets them do it to every computer, but a prepared attacker with knowledge of the computer involved can use it.

            Upload code: That's fast too.

            Connect memory access device to port: This one can be the same device for all victim machines.

            Copy memory: Yes, copy memory. A lot of memory. I'm currently using about three gigabytes, and I don't even have much running. Sometimes I'm using eleven gigabytes because I've got VMs running. If you're after sensitive stuff, you want to catch me then because the VMs contain the sensitive information. You aren't going to copy eleven gigabytes onto your portable system in five minutes. Thunderbolt is fast, but you need to also factor in the disk speed of the thing you're righting to, the bus speed of your attack box, any processing you need to do while reading, any delays in getting the memory accessed by the laptop's chipset, and on and on. That takes time. Once again, even if you did manage to steal it from someone in an airport, you need to return it to them quickly. This will add potentially long delays.

            Reflash original firmware: This may be optional if your replacement firmware can still operate correctly, but if it doesn't, you have to put back the original code so they won't notice something's wrong as soon as they plug in a different peripheral.

            Reassemble computer: Fast for mine. Good luck with some others. See IFixit for details.

            Clean evidence of tampering from computer: Oh, and nobody had better have seen you disassembling a laptop in another airport area, because I'm guessing they'd get suspicious about what you're doing there. Having security called to verify you aren't turning a laptop battery into an explosive device wouldn't be great for you.

            Return computer to the place where you left it: The user needs to not have noticed that it was ever missing. They also need to not see you put it back. Have fun.

            Again, it's not useless. It's not so easy as the paper makes out, though, because they only timed how long it takes to attach an exploit device and prove the exploit successful, not how long it takes from theft to replacement with useful usage of exploit in between.

            1. HildyJ Silver badge

              Re: @Doublelayer

              +1 @Doublelayer

              For anyone seriously worried about this, epoxy the screws to case.

      2. Evil Auditor Silver badge

        Re: more of a neat trick than infosec Armageddon

        ....stolen, yet encrypted, laptop?

        Shutting down the laptop would effectively prevent this attack.

        1. Dave 126 Silver badge

          Re: more of a neat trick than infosec Armageddon

          It's common practice for law agencies, when planning to arrest someone on cyber-related charges, to do so when they are at their computer. This attack vector might be a handy tool for them in some situations - certainly it seems less faff than cryogenically freezing the RAM.

      3. big_D Silver badge

        Re: more of a neat trick than infosec Armageddon

        If you fall into the dissident category or other high risk user, if your machine has been compromised (i.e. outside of your sight for any period of time), you'll either use it for banal things or you'll physically destroy it and get another device.

  3. mevets


    Are nipping at the heels of circa 2000 MicroSoft. Bad idea layered upon bad idea, holes plugged with inscrutable goo, no traceability, vendors sidelined by the whims of their suppliers.

    When people say ARM/RISC-V/... will never become mainstream serious, look to how intel completely lost their mind in a bid to shutdown competition. In the unlikely event that there was ever a full investigation of everything from Spectre forward, I am sure you will find a circa-1998 internal email saying something along the lines of "... and if we just ignore the privacy violation and speculatively treat the first level cache as a virtually indexed cache, we will hit 90% of mips/sparc/dec/... ", each of whom knowingly did the right thing.

    At a point, it doesn't matter if the intel X is 1000x the ARM Y If the intel X is only suitable for hobby computers, it will inevitably find its niche.

    1. Anonymous Coward
      Anonymous Coward

      Re: intel

      "and if we just ignore the protection/privillege violation and speculatively treat the first level cache as a virtually indexed cache,"

      That writeup's out there already. I wish I could remember where - it's not widely publicised, for obvious reasons. But here is a gross oversimplification of what I remember.

      Look at x86 instructions and protection/privilege architecture (and typical system architecture) with a view to making the perrformance competitive. Preserving safety and security is not a goal.

      Solution: Translate the x86 instructions (CISC, slow, awkward) to groups of RISC-like instructions on the fly. Any attributes of the executing code and of the data being accessed which are not contributing to getting the right answer quicker can be discarded as they're too troublesome and anyway Marketing don't need them.

      So, access modes, exception handling, logical vs virtual addressing in caches, etc all go out of the Window.

      As does any concept of secure (or indeed safe) code.

      Some other readers must have seen the real writeups. Where was it?

      Intel. The x86 company. Sell while you can.

  4. Detective Emil

    Pious hope

    El Reg: Before anyone blows up these findings

    The Independent: Major Computer Bug Means Millions Could Be At Risk Of Hack

  5. Danny Boyd

    Just one of multitude...

    ...ways you are screwed if well-equipped hardware hackers get their hands on your machine. And who leaves the machine unattended running or sleeping (i.e., wasting the battery) for a long time anyway?

    1. getHandle

      Re: Just one of multitude...

      Sales guys...

      1. Anonymous Coward
        Anonymous Coward

        Re: Just one of multitude...

        Developers, sysadmins... most machine at my company could be easily attacked by an "evil maid" this way. I'm one of the few who shutdowns everything before leaving the office.

  6. Michael H.F. Wilkinson Silver badge

    A reason for all the glue?

    I almost expect hardware manufacturers use this exploit as an excuse to for the use of glue in their laptops. Cheap cutting of corners during manufacture? Mais non!! We were thinking about security!!! Honest!!!!

    Oh dear. I feel an extra exclamation mark coming up!!!!!

    I'd better be going. The one with "Maskerade" in the pocket, please.

    1. Dave 126 Silver badge

      Re: A reason for all the glue?

      Glue doesn't save a lot of money over screws during manufacture because jigs and machines can be set up to do it. However, during end of life dismantling, glue saves a lot of human labor - and thus cost. And you don't end up with steel screws contaminating recovered Aluminium.

      A pile of glued devices can be placed on a conveyor through an oven and then easily pulled apart afterwards. I've just counted twenty screws in the bottom of my old style laptop, heavens knows how many more inside - or how long it would take someone to reduce it to component parts.

      1. TechHeadToo

        Re: A reason for all the glue?


        I thought they just pass them through a mincer and recover the bits they want. Ferrous to the magnet, gold from the bath of mercury...

    2. Mike Moyle Silver badge

      Re: A reason for all the glue?

      I was thinking this exact thing -- It seemed to me that glue assembly in super-thin/small form factors meant you probably couldn't fit the requisite bits inside, anyway. It's likely to be your big, easily-repairable, modular machines that would be at most risk.

  7. revenant

    Most people wouldn't be surprised by this

    If countless films and NCIS-type television dramas are to be believed, all it takes is a usb drive plugged into a port and a few minutes of time, to suck out all of a PC's information.

    1. Ottman001

      Re: Most people wouldn't be surprised by this

      Data transfer rates are governed by the nearest red 7 segment display counting down to 0.

      1. Yet Another Anonymous coward Silver badge

        Re: Most people wouldn't be surprised by this

        And large sums of money take longer to transfer

      2. Claptrap314 Silver badge

        Re: Most people wouldn't be surprised by this

        Shall we play a game?

    2. Afernie

      Re: Most people wouldn't be surprised by this

      As evidenced by the impeccable research carried out to craft this plausible scene, NCIS is practically a hacking documentary.

  8. anthonyhegedus Silver badge

    Even if you did have your laptop stolen, and you'd left it in sleep mode, the miscreant couldn't read your hard disk, only the contents of RAM, or is that the point - that the miscreant could then find the keys to decrypt the HD? Did I miss something?

    1. Yet Another Anonymous coward Silver badge

      Thunderbolt has access to ram and the hdd. You could use this attack to copy the keys out of ram, copy the encrypted raw disk blocks and then use the keys to decrypt it later

  9. Anonymous Coward
    Anonymous Coward

    Apple Kit Safe?

    Does the fact that an attack means opening up the PC/laptop means iMacs and MacBooks are reasonably safe - unless the attacker gets a job in an Apple store? The criticism of being difficult to repair or modify becomes an advantage :)

    PS Rhetoric question, with tongue firmly in cheek!

    1. DJV Silver badge

      Re: Apple Kit Safe?

      Or if the attacker has been keeping up to date with iFixit teardowns.

  10. Sandtitz Silver badge

    So, how many theoretical physical attacks are there?

    This all boils down how feasible it is to re-write the Thunderbolt firmware (or more exactly, the NVRAM where the approved devices are listed) Apparently not too hard. And also obtaining a TB device that can be commanded to read or modify RAM.

    1. What's to stop an attacker inserting data-stealing PCIe cards in office desktops or servers? Design the card as hot-pluggable and presto! Direct Memory Access. Alternatively PCIe M.2 cards can be used. Or hot-plug NVME slots. No need for the 're-write firmware' portion, unless the the PCIe/M.2 slots are disabled. Typically all slots are enabled at the factory.

    2. Attach a data-stealing device between CPU and memory.

    3. Attach a data-stealing device between CPU and PCIe, or any other bus with DMA.

    4. Attach a keylogger into straight into USB traces on the mobo.

    5. Monitor for "micro changes in air density" (Alien style) at the air intake to determine computer operation.

    With advancing technology, any of those are becoming more and more feasible to do. Except the last one. Maybe.

  11. LeoP

    This is just another example ...

    ... of "physical access = complete compromise modulo time".

    And this tends to be even cheaper and easier with "Smartphones" (i.e. smallish pocket computers) than with the PC counterparts - and I know quite a lot of people, who use the former to unlock the latter.

    Some sanity might just help: This document is important? Encrypt it on a file level and PLEASE close it before letting you computer unsupervised.

    On the opposit end of the spectrum, they might have all my "photos" folder. Well, the Memsahib might take issue with that, so not really all.

    1. Anonymous Coward
      Anonymous Coward

      Re: This is just another example ...

      Yep I think we should all pretty much assume that if someone can get access to our computer (or phone etc.) without our knowledge for a bit, it can be compromised and its data accessed. Now in practice that perhaps isn't true in all cases, but when that's the case it's a bonus and not something you should bet everything on.

      I wouldn't rely on a fully shut down computer either. There are potential attacks that might involve swapping out the CPU (at least on x86 hardware where encryption keys are not kept inside the CPU) or even the RAM could be swapped out with DIMMs that include an extra chip with a small CPU and permanent storage that could potentially locate and save a copy of the desired info for later retrieval (stuff like AMD's memory encryption could prevent this, so the window may be closing on this)

  12. Sebastian Brosig

    Case switch?

    Oldskool laptops have case screws under the battery, so the motherboard will always be unpowered when opening the case. We'll depending on the charger socket interfering with opening I guess but that can be achieved. I wonder if there is any legitimate need for the laptop to stay on while open, or should the machine have a simple switch that powers it off when you open the box?

  13. fullofit

    all it takes is a bit of glitter to fix this

    pretty easy fix... a couple drops of glitter nail polish as demonstrated in the internet storm center's video on youtube. low tech "fix" for a high tech problem.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021