0

Could these two attack scenarios exploit the recently publicized vulnerability?

  • Using a Thunderbolt adapter like an USB-to-Thunderbolt adapter on a computer without any Thunderbolt port
  • Temporarily replacing hardware (mainboard) with hardware that has Intel's Thunderbolt port

And if one or both would work: what would be a reliable way to protect against this on such computers (Thunderbolt-enabled or Thunderbolt not disabled and hardware-replaceable)?

mYnDstrEAm
  • 319
  • 2
  • 17

1 Answers1

1

Using a Thunderbolt adapter like an USB-to-Thunderbolt adapter on a computer without any Thunderbolt port

Probably not. The attack relies on the Thunderbolt controller's access to internal system buses, combined with custom firmware that lets it read and write data from memory at will. Going through another bus, such as USB, will probably break this chain.

Temporarily replacing hardware (mainboard) with hardware that has Intel's Thunderbolt port

If you can convince anyone to use your hardware, the game is up anyway. What stops you from virtualizing the OS they want to run? This would give you access to read the memory at will, purely trough software. This is often referred to as Blue Pill rootkit, after the Matrix movies.

Note that if the TPM is used as part of the protection scheme, the TPM is located on the mother board, and swapping this out will lead to a blank TPM.

vidarlo
  • 12,850
  • 2
  • 35
  • 47
  • It wouldn't necessarily require convincing anybody. Disk encryption is stopping that among other things. How could it be prevented and how would TPM, if present on the mainboard in use, help with that? – mYnDstrEAm May 24 '20 at 16:06
  • @mYnDstrEAm disk encryption alone doesn't matter. A TPM is a component on the main board that can contain cryptographic keys, and is in theory uncopyable - thus not transferable to new hardware. Disk encryption that does not use hardware secrets, on the other hand, would not care about the change of hardware. – vidarlo May 24 '20 at 16:28