Thunderclaptrap


The latest “branded” vulnerability that’s getting hysterical coverage is “Thunderspy”, in which all your data are belong to us if your computer has a Thunderbolt port. In less than five minutes. With only $400 in off-the-shelf hardware.

Except the details of the story contradict that. First is the assumption that your powered-down computer is available to the attacker for long enough that they can crack the case and reflash the Thunderbolt port’s firmware; five minutes on a desktop, maybe, but most laptops? A quick look at the sites that crack them open and test for repairability suggests that it’s not going to be as easy as the claimed “unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate”.

Second is the assumption that the attacker will be able to return when your computer is sleeping and exfiltrate your data through the compromised port. Admittedly, Thunderbolt is fast at data transfer, but how many trips do you have to make before you find it in the right state?

The mitigation strategy is simply “power down or hibernate”. Even after your ports have been compromised, the attacker still needs physical access to a powered-up or sleeping computer to get at your encrypted data. (If your data wasn’t encrypted, they didn’t need a hardware hack to steal it in the first place.)

The researcher branding agent does offer a second scenario that’s at least plausible: find a not-currently-plugged-in Thunderbolt peripheral (monitor, etc.) that has previously been connected to your computer, steal the 64-bit ID code that was used to establish a trust arrangement, flash that to a naughty data-exfiltration device, and then plug it into your awake-or-sleeping computer.

Mitigation strategy? “power down or hibernate”.
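The ID-cloning scenario above only works if the host trusts a peripheral on its device ID alone, so the first thing worth checking on a Linux laptop is which Thunderbolt security level the kernel is enforcing and which devices it has already authorized. The script below is an added example, not part of the original post or of the Thunderspy research; it assumes the sysfs layout documented for the Linux `thunderbolt` driver (`domain0/security`, and per-device `unique_id`, `device_name` and `authorized` files under `/sys/bus/thunderbolt/devices/`), and it takes an optional root path so it can be exercised against a constructed sample tree rather than a live machine. It goes slightly beyond the post by classifying the level: at “secure”, the kernel also challenges the device against a host-stored key, so a copied ID is not enough on its own, while “dponly”, “usbonly” and “nopcie” refuse PCIe tunnelling entirely. The function names and the sample tree are mine.

```shell
# Added example (not from the original post): audit the Thunderbolt security
# level and the devices the kernel has already authorized.
# Assumption: Linux sysfs layout from the kernel thunderbolt driver
# (domain0/security; per-device unique_id, device_name, authorized).
# ROOT defaults to the real sysfs path; pass another path to test offline.

tb_security_level() {
    root="${1:-/sys/bus/thunderbolt/devices}"
    if [ -r "$root/domain0/security" ]; then
        cat "$root/domain0/security"
    else
        echo "unknown"
    fi
}

# Returns 0 when the configured level makes a cloned device ID insufficient
# by itself: "secure" adds a challenge against a host-stored key, and the
# dponly/usbonly/nopcie levels deny PCIe tunnelling outright.
tb_level_resists_id_cloning() {
    case "$(tb_security_level "$1")" in
        secure|dponly|usbonly|nopcie) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "unique_id device_name authorized" for every device under ROOT.
tb_list_authorized() {
    root="${1:-/sys/bus/thunderbolt/devices}"
    for d in "$root"/*/; do
        [ -r "$d/unique_id" ] || continue
        id=$(cat "$d/unique_id")
        name=$(cat "$d/device_name" 2>/dev/null || echo "?")
        auth=$(cat "$d/authorized" 2>/dev/null || echo "?")
        echo "$id $name $auth"
    done
}

# Number of devices whose authorized flag is nonzero (the trusted list an
# ID-cloning peripheral would need to impersonate).
tb_count_authorized() {
    tb_list_authorized "$1" |
        awk '$NF != "0" && $NF != "?" { n++ } END { print n + 0 }'
}

# Constructed sample tree standing in for real sysfs (names and IDs invented).
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/domain0" "$root/0-1" "$root/0-3"
    echo user > "$root/domain0/security"
    echo 00000000-1111-2222-3333-444444444444 > "$root/0-1/unique_id"
    echo "Sample Dock" > "$root/0-1/device_name"
    echo 1 > "$root/0-1/authorized"
    echo 55555555-6666-7777-8888-999999999999 > "$root/0-3/unique_id"
    echo "Sample Display" > "$root/0-3/device_name"
    echo 0 > "$root/0-3/authorized"
    echo "$root"
}

SAMPLE=$(make_sample_tree)
echo "security level: $(tb_security_level "$SAMPLE")"
if tb_level_resists_id_cloning "$SAMPLE"; then
    echo "a cloned device ID alone is not enough at this level"
else
    echo "at this level an authorized device ID is the only gate"
fi
echo "authorized devices: $(tb_count_authorized "$SAMPLE")"
tb_list_authorized "$SAMPLE"
```

Run it with no argument on a real machine to read the live sysfs tree; the sample run reports the “user” level, which is the one where the peripheral’s ID is the whole trust decision and the post’s “power down or hibernate” advice is doing all the work.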

Or use a Mac, which apparently is only vulnerable if it’s been rebooted into Windows with Boot Camp and then put to sleep.

So, if you care enough about security to fully encrypt your laptop, but care so little about security that you casually leave it running unattended or just put it to sleep for convenience, and you don’t notice when it was power-cycled while you were out of the room, then this can be used to steal all your data.

That pretty much restricts the vulnerable population to senior executives at tech companies. The rest of us are safe.

(and, yes, state actors can easily accomplish this, but we already knew that they were compromising unattended phones and laptops to spy on foreign executives and politicians, especially in Corona-chan’s motherland)

