MON r3s Rhein VHS

When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security

r3s - Monheim/Rhein
Björn Ruytenberg
Thunderbolt is a computer port for high-speed data transmission between a PC or laptop and other devices. It is found in hundreds of millions of devices worldwide. We present Thunderspy, a new class of vulnerabilities that break all primary security claims for Thunderbolt 1, 2 and 3. We give a live demo of the attacks and present a tool for determining whether a system is vulnerable. Finally, we conclude our talk by demonstrating our new research on designing and implementing protections against Thunderspy.
Thunderbolt is a high-bandwidth interconnect promoted by Intel and included in laptops, desktops, and other systems. Being PCIe-based, Thunderbolt devices possess Direct Memory Access (DMA)-enabled I/O. In an "evil maid" DMA attack, where adversaries obtain brief physical access to the victim system, Maartmann-Moe (Inception), Frisk (PCILeech) and others have shown Thunderbolt to be a viable entry point for stealing data from encrypted drives and for reading and writing all of system memory. In response, Intel introduced "Security Levels", a security architecture designed to let users authorize trusted Thunderbolt devices only. To further strengthen device authentication, the system is said to provide "cryptographic authentication of connections" to prevent devices from spoofing user-authorized devices.

We present Thunderspy, a series of attacks that break all primary security claims for Thunderbolt 1, 2 and 3. So far, our research has found seven vulnerabilities: inadequate firmware verification schemes, a weak device authentication scheme, use of unauthenticated device metadata, a downgrade attack using backwards compatibility, use of unauthenticated controller configurations, SPI flash interface deficiencies, and no Thunderbolt security on Boot Camp.

Finally, we present nine practical exploitation scenarios. In an "evil maid" threat model and at varying Security Levels, we demonstrate the ability to create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices, and finally obtain PCIe connectivity to perform DMA attacks. In addition, we show unauthenticated overriding of Security Level configurations, including the ability to disable Thunderbolt security entirely, and restoring Thunderbolt connectivity if the system is restricted to exclusively passing through USB and/or DisplayPort. We conclude by demonstrating the ability to permanently disable Thunderbolt security and block all future firmware updates.
All Thunderbolt-equipped systems shipped between 2011 and 2020 are vulnerable. Some systems providing Kernel DMA Protection, shipping since 2019, are partially vulnerable. The Thunderspy vulnerabilities cannot be fixed in software, impact recently introduced standards such as USB 4 and Thunderbolt 4, and will require a silicon redesign. Finally, we conclude our talk by demonstrating our ongoing research on designing and implementing protections against Thunderspy.
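The abstract names the two protections a practitioner can actually inspect on a running machine: the Security Level the controller is configured for, and whether the kernel has the Thunderbolt PCIe tunnel behind an IOMMU (Kernel DMA Protection). The script below is an added example, not code from the talk, the Thunderspy tooling or Intel. It reads the attributes the Linux kernel exposes under sysfs (the names `domain0/security`, `domain0/iommu_dma_protection`, per-device `unique_id` and `authorized`, as documented in the kernel's admin-guide/thunderbolt.rst; that your kernel exposes all of them is an assumption) and maps them onto the abstract's claims. The sysfs trees it exercises itself are constructed sample data, not captured from real hardware.

```shell
#!/bin/sh
# Added example; not code from the talk, the Thunderspy tooling or Intel.
# Reads the Thunderbolt attributes Linux exposes under sysfs (layout per the
# kernel's admin-guide/thunderbolt.rst; attribute names and values are an
# assumption if your kernel differs) and maps them onto the two protections
# the abstract discusses: Security Levels and IOMMU-based Kernel DMA Protection.

# tb_assess [SYSFS_DEVICES_DIR]
# Prints a one-line verdict for domain0 and returns:
#   0  kernel reports IOMMU DMA protection for Thunderbolt devices
#   1  Security Level "none": every attached device gets PCIe, hence DMA
#   2  Security Level "user"/"secure": device authorization is the only gate
#   3  Security Level "dponly"/"usbonly": PCIe tunnelling disabled
#   4  no Thunderbolt domain found, or an unknown value
tb_assess() {
    tb_root="${1:-/sys/bus/thunderbolt/devices}"
    tb_dom="$tb_root/domain0"
    if [ ! -r "$tb_dom/security" ]; then
        echo "no Thunderbolt domain under $tb_root"
        return 4
    fi
    tb_level="$(cat "$tb_dom/security")"
    tb_iommu=0
    if [ -r "$tb_dom/iommu_dma_protection" ]; then
        tb_iommu="$(cat "$tb_dom/iommu_dma_protection")"
    fi
    if [ "$tb_iommu" = "1" ]; then
        echo "Security Level '$tb_level' with IOMMU DMA protection: devices sit behind the IOMMU (the talk still rates such systems as partially vulnerable)"
        return 0
    fi
    case "$tb_level" in
        none)
            echo "Security Level 'none', no IOMMU protection: any plugged-in device is granted PCIe access"
            return 1 ;;
        user|secure)
            echo "Security Level '$tb_level', no IOMMU protection: device authorization is all that separates a plugged-in device from DMA"
            return 2 ;;
        dponly|usbonly)
            echo "Security Level '$tb_level': PCIe tunnelling disabled, only DisplayPort/USB passed through"
            return 3 ;;
        *)
            echo "unknown Security Level '$tb_level'"
            return 4 ;;
    esac
}

# tb_list_devices [SYSFS_DEVICES_DIR]
# One line per attached device (host router X-0 skipped): sysfs name, the
# unique_id that Security Level authorization is keyed on, the authorized
# flag, vendor and device name. Returns the number of devices listed.
tb_list_devices() {
    tb_root="${1:-/sys/bus/thunderbolt/devices}"
    tb_n=0
    for tb_dev in "$tb_root"/[0-9]*-[0-9]*; do
        [ -r "$tb_dev/unique_id" ] || continue
        case "$(basename "$tb_dev")" in *-0) continue ;; esac
        tb_n=$((tb_n + 1))
        printf '%s unique_id=%s authorized=%s %s %s\n' \
            "$(basename "$tb_dev")" \
            "$(cat "$tb_dev/unique_id")" \
            "$(cat "$tb_dev/authorized" 2>/dev/null || echo '?')" \
            "$(cat "$tb_dev/vendor_name" 2>/dev/null || echo '?')" \
            "$(cat "$tb_dev/device_name" 2>/dev/null || echo '?')"
    done
    return "$tb_n"
}

# Constructed sysfs trees: sample values only, not captured from real hardware,
# so both functions can be exercised on a machine without Thunderbolt.
fake_sysfs() {  # fake_sysfs DIR SECURITY_LEVEL IOMMU_FLAG
    mkdir -p "$1/domain0" "$1/0-0" "$1/0-1"
    printf '%s\n' "$2" > "$1/domain0/security"
    printf '%s\n' "$3" > "$1/domain0/iommu_dma_protection"
    printf '%s\n' "00000000-0000-0000-0000-000000000000" > "$1/0-0/unique_id"
    printf '%s\n' "11111111-2222-3333-4444-555555555555" > "$1/0-1/unique_id"
    printf '%s\n' "1" > "$1/0-1/authorized"
    printf '%s\n' "Example Vendor" > "$1/0-1/vendor_name"
    printf '%s\n' "Example Dock" > "$1/0-1/device_name"
}

demo() {
    tb_tmp="$(mktemp -d)"
    for tb_cfg in "secure 0" "none 0" "user 1" "dponly 0"; do
        set -- $tb_cfg
        fake_sysfs "$tb_tmp/$1-$2" "$1" "$2"
        tb_rc=0; tb_assess "$tb_tmp/$1-$2" || tb_rc=$?
        echo "  -> rc=$tb_rc"
        tb_list_devices "$tb_tmp/$1-$2" || true
    done
    rm -rf "$tb_tmp"
}

# Runs against the constructed trees; call tb_assess and tb_list_devices with
# no argument to inspect the live sysfs of the machine you are on.
demo
```

Two caveats the abstract itself implies: a return of 2 means the protection rests entirely on the device identity shown by `tb_list_devices`, which is exactly what the cloning scenarios target, and a return of 0 is not a clean bill of health, since the talk counts Kernel DMA Protection systems as partially vulnerable. The script reports configuration only; it does not test whether the controller's firmware or Security Level setting could be rewritten.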

Additional information

Type Talk
Language English

More sessions

12/27/20
Glitzi
Opening RheinRuhrStage R3S
12/27/20
An important component of Freifunk is the availability of firmware for many devices. For many communities this firmware is based on [Gluon](https://gluon.readthedocs.io/). An important step before releasing a firmware for a community is testing Gluon with the community's own modifications and configuration. This talk presents an implementation for automated testing of Gluon-based firmware on real hardware.
12/27/20
We have ended up in a world where UNIX and Windows have taken over, and most people have never experienced anything else. Over the years, though, many other system designs have come and gone, and some of those systems have had neat ideas that were nevertheless not enough to achieve commercial success. We will take you on a tour of a variety of those systems, talking about what makes them special.
12/27/20
The internet: people trade, network and live there. That crimes happen there which can be prosecuted is clear. The number one piece of evidence is often a screenshot, yet screenshots are not tamper-proof, and the German legal system has not yet fully arrived in the digital age either. The talk will show practical examples of the potential for manipulation and give initial suggestions for action on which options the ...
12/27/20
The computer and internet world is a place where all generations are represented. So why shouldn't all generations also be involved in developing this place? Today the developer community is often concentrated in a particular age range, and younger people are left out, even though today's youth belongs to a generation that has practically grown up with the internet. Young people can steer software development in new directions and bring other perspectives ...
12/27/20
Matthias Schmidt
Free internet, from neighbourly help to area-wide basic provision
12/27/20
What happened in these 10 years, as our communities saw courageous hackers and journalists sharing skills and joining forces to expose the lies, corruption and war crimes of the World... and are now witnessing a mass-campaign of intimidation of journalists, publishers and whistleblowers? What did we lose on the way? What is at stake?