New 'unpatchable' Thunderbolt vulnerability leaves millions of PCs unprotected

If you have an older Windows or Linux PC, a hacker just needs a screwdriver and a few minutes alone with the computer to bypass all your security and gain entry to the system. That’s what new research out of the Eindhoven University of Technology says: physical access hacking can be completed in just a few minutes on computers with Intel’s Thunderbolt port.

Björn Ruytenberg, a researcher at Eindhoven University of Technology, published details of the hacking methodology, which he’s dubbed the “Thunderspy.” The technique allows hackers to bypass the login screen of a sleeping or locked computer, thereby gaining access to anything contained on the hard drive.

Ruytenberg says there’s no easy way to avoid the hack other than disabling the Thunderbolt port altogether.

The Thunderspy hack affects most Windows and Linux PCs built before 2019. Some manufacturers have already taken notice of Ruytenberg’s research and are taking this time to remind customers that the best thing to do is just not let anyone you don’t know near your computer.

How does it work? — Thunderspy isn’t the kind of hack where someone can just walk up to your computer, plug in a device, and walk away. The hack requires some quick hardware dismantling to access the Thunderbolt controller, which is then attached to a programmer device that’s able to swiftly rewrite the firmware of the chip, turning off all its security settings. Then it’s as easy as logging in and taking whatever you want.

Ruytenberg’s setup here is pretty complex and wouldn’t exactly be portable, but he says a better-funded hacker could easily build the whole thing into one device for about $10,000.

So there’s...just no way to stop this, huh? — Yeah, Ruytenberg’s research is pretty disheartening. It makes it clear that the Thunderspy hack could be carried out even if you’ve taken security measures like encrypting your hard drive or setting your Thunderbolt port’s settings to their maximums. No software patch is going to fix this, either.

Many newer PCs are secure against the attack, because Intel created a security mechanism called Kernel Direct Memory Access (DMA) Protection to increase Thunderbolt security in 2019. But not all machines produced after 2019 have the Kernel DMA protection, either — in fact, no Dell computers have it at all.

Dell and other manufacturers haven’t exactly been helpful here, either. Dell said in a statement that “customers concerned about these threats should follow security best practices,” while Lenovo said it’s “assessing this new research” and will “communicate with customers as appropriate. Intel was made aware of the problem three months ago and, in response, the company reiterated the existence of its Kernel DMA Protections, which only exists in newer computers.

You’re probably fine — Ruytenberg’s research is discouraging, to say the least. There’s no way to patch the Thunderbolt controller, which means you’re pretty much shit out of luck in the security department if you own a computer made before 2019.

If there’s any good news to be found here, it’s that the attack can’t be carried out unless someone is physically present to open up your computer and break in. And in most computers the Thunderbolt port can be disabled entirely in the system’s BIOS, which makes it impossible for the attack to be completed.

With news of this vulnerability comes the reminder that you should only leave your computer alone with trusted individuals. Sure, it’s unlikely this will happen to you — but better safe than sorry.