July 30, 2020

Apple’s Thunderbolt is being targeted by cyberattacks. Here’s how to stop them

By Ellen Daniel

Cybersecurity company ESET has published guidance on how to protect against cyberattacks targeting Apple’s Thunderbolt hardware.

Thunderbolt is a hardware interface developed by Intel and Apple that allows external secondary devices to be connected to a computer. Researchers have discovered an attack method that targets this interface.

Named Thunderspy, the attack vector was discovered by computer security researcher Björn Ruytenberg in May 2020. Using Thunderspy, attackers can change Thunderbolt’s security measures, allowing them to steal data from the computer even if disk encryption is used or the computer is locked.

“While Ruytenberg’s research has received publicity because of its novel attack vector, not much has been said about how to protect against Thunderspy, or even determine whether you have been a victim,” points out Aryeh Goretsky, ESET Distinguished Researcher.

Although Thunderbolt-based attacks are rare, ESET has set out practical tips to defend against Thunderspy in an article called “Thunderspy attacks: What they are, who’s at greatest risk and how to stay safe”.

Goretsky explains that there are two types of attack targeting Thunderbolt: the first clones the identities of devices that the target computer trusts, and the second permanently disables Thunderbolt’s security.

“The cloning attack is like thieves who steal a key and copy it. Afterwards, they can use the copied key repeatedly to open that lock. The second attack is a form of bricking a chip. In this case, permanently disabling Thunderbolt’s security levels and write-protecting the changes so they cannot be undone.”

These types of attack are sometimes called “evil maid attacks” as they require the attacker to interact with the device in person. Because of this, Thunderspy attacks usually only affect high-value targets, and may be carried out by nation-state intelligence or law enforcement agencies.

In order to protect against this type of physical attack, Goretsky said:

“First, prevent any unauthorised access to your computer. Second, secure all your computer’s relevant interfaces and ports, such as USB-C. Besides that, look beyond physical measures and also take steps to make your computer’s firmware and software more secure.

“Disable hibernation, sleep or other hybrid shutdown modes. Make the computer turn completely off when not in use – doing this can prevent attacks on the computer’s memory via Thunderspy.”

Goretsky also recommends users install security software that can scan the computer’s UEFI firmware, where Thunderbolt security information is stored.

