Cybersecurity company ESET has published guidance on how to protect against cyberattacks targeting Apple’s Thunderbolt hardware.
Thunderbolt is a hardware interface developed by Intel and Apple that allows external secondary devices to be connected to a computer. Researchers have discovered an attack method that targets this interface.
Named Thunderspy, the attack vector was discovered by computer security researcher Björn Ruytenberg in May 2020. Using Thunderspy, attackers can change Thunderbolt’s security measures, allowing them to steal data from the computer even if disk encryption is used or the computer is locked.
“While Ruytenberg’s research has received publicity because of its novel attack vector, not much has been said about how to protect against Thunderspy, or even determine whether you have been a victim,” points out Aryeh Goretsky, ESET Distinguished Researcher.
Although Thunderbolt-based attacks are rare, ESET has set out practical tips to defend against Thunderspy in an article called “Thunderspy attacks: What they are, who’s at greatest risk and how to stay safe”.
Goretsky explains that there are two types of attack targeting Thunderbolt: the first clones the identities of devices that the target computer trusts, and the second permanently disables Thunderbolt’s security.
“The cloning attack is like thieves who steal a key and copy it. Afterwards, they can use the copied key repeatedly to open that lock. The second attack is a form of bricking a chip. In this case, permanently disabling Thunderbolt’s security levels and write-protecting the changes so they cannot be undone.”
These types of attack are sometimes called “evil maid attacks” as they require the attacker to interact with the device in person. Because of this, Thunderspy attacks usually only affect high-value targets, and may be carried out by nation-state intelligence or law enforcement agencies.
On how to protect against this type of physical attack, Goretsky said:
“First, prevent any unauthorised access to your computer. Second, secure all your computer’s relevant interfaces and ports, such as USB-C. Besides that, look beyond physical measures and also take steps to make your computer’s firmware and software more secure.
“Disable hibernation, sleep or other hybrid shutdown modes. Make the computer turn completely off when not in use – doing this can prevent attacks on the computer’s memory via Thunderspy.”
Goretsky also recommends users install security software that can scan the computer’s UEFI firmware, where Thunderbolt security information is stored.