Thunderbolt Flaw Lets Hackers Access a Mac in 5 Minutes

A flaw in the Thunderbolt port on your Mac may allow an attacker to access your data without authorization. A hacker can even break in when the drive is encrypted and the Mac is locked with a password.

This flaw is not limited to a specific machine, according to security researcher Björn Ruytenberg, it affects all machines between 2011 and 2020 that have Thunderbolt or Thunderbolt-compatible USB-C ports.

The vulnerability lies in Intel’s Thunderbolt controller chips. Ruytenberg has discovered seven different vulnerabilities and developed nine methods to exploit them. The attack can be made stealthily, so the user is not aware of the attack, and no traces are left behind.

Users don’t have to install any software or click on a phishing link to open up this vulnerability. It’s a hand-on attack so a hacker does need contact with the computer, but they only need five minutes to break in and access your data, claims Ruytenberg.

Thunderspy is stealth, meaning that you cannot find any traces of the attack. It does not require your involvement, i.e., there is no phishing link or malicious piece of hardware that the attacker tricks you into using. Thunderspy works even if you follow best security practices by locking or suspending your computer when leaving briefly, and if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption. An attacker only needs 5 minutes alone with the computer, a screwdriver, and some easily portable hardware.

Not all computers are equally vulnerable. Windows and Linux computers are fully vulnerable and a Mac is fully vulnerable when running Windows or Linux in Bootcamp. Ruytenberg cautions users “to avoid using either operating system until a fix has been issued to address this vulnerability.”

Macs are only partially vulnerable when booted into macOS because of additional security Apple has added to macOS. When booted into macOS, the attack device must fool macOS into thinking it is an Apple-approved Thunderbolt accessory. Once connected to a Mac, the forged device shows up as a legitimate Thunderbolt in the system information app.

Ruytenberg reached out to Apple and Intel with the details of his finding. Intel responded with a quick statement that claims there are protections in place to mitigate this attack. The company also instructs people to avoid an attack by not allowing access to the computer and by avoiding untrusted devices.

In 2019, major operating systems implemented Kernel Direct Memory Access (DMA) protection to mitigate against attacks such as these. This includes Windows (Windows 10 1803 RS4 and later), Linux (kernel 5.x and later), and MacOS (MacOS 10.12.4 and later). The researchers did not demonstrate successful DMA attacks against systems with these mitigations enabled. Please check with your system manufacturer to determine if your system has these mitigations incorporated. For all systems, we recommend following standard security practices, including the use of only trusted peripherals and preventing unauthorized physical access to computers.