Incredible how you can steal data via Thunderbolt once you've taken the PC apart, attached a flash programmer, rewritten the firmware...
It's possible to extract data from a computer via its Thunderbolt port - once you've got the case off, plugged in a flash programmer, and reprogrammed the controller's firmware to grant access.
A miscreant would need physical access to the machine for long enough to unscrew the case, attach an SPI flash programmer with an SOP8 clip, and rewrite the Thunderbolt port controller's firmware to unlock access. They would then attach a device to the interface to copy data via PCIe and DMA through the port and, if necessary, flash back the original firmware and fit the computer back together.
It's all possible because Intel's Thunderbolt controllers have a concept of security levels, which govern which devices are authorized to access the interface port, and because the chipset firmware can be rewritten to lower the configured level to zero, so that any attached device is trusted.
Once you're inside the computer, you can use Thunderspy to authorize additional Thunderbolt devices that can later be plugged in to extract data, or clone user-authorized devices to copy out information.
"In an evil maid DMA attack, where adversaries obtain brief physical access to the victim system, Thunderbolt has been shown to be a viable entry point in stealing data from encrypted drives and reading and writing all of system memory."
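The security levels described above can be audited on a Linux host, where the thunderbolt driver exposes each controller's reported level and IOMMU DMA protection flag under sysfs. The following is an added example, not code from the article or from the Thunderspy research; the function names and the sample tree helper are hypothetical, and the check only reports what the controller tells the OS, not whether its firmware is intact.

```python
from pathlib import Path

# Linux thunderbolt driver sysfs location; attributes are read per domain.
SYSFS_TB = Path("/sys/bus/thunderbolt/devices")


def _read(path):
    """Return the stripped contents of a sysfs attribute, or None if absent."""
    try:
        return path.read_text().strip()
    except OSError:
        return None


def audit_thunderbolt(root=SYSFS_TB):
    """Return one finding per Thunderbolt domain found under root."""
    findings = []
    for domain in sorted(Path(root).glob("domain*")):
        level = _read(domain / "security")
        iommu = _read(domain / "iommu_dma_protection")
        issues = []
        if level is None:
            issues.append("security level not readable")
        elif level == "none":
            # "none" is the level at which any attached device is trusted.
            issues.append("security level is 'none': devices connect without authorization")
        if iommu != "1":
            issues.append("controller does not report IOMMU DMA protection")
        findings.append({"domain": domain.name, "security": level,
                         "iommu_dma_protection": iommu, "issues": issues})
    return findings


def make_sample_tree(base, domains):
    """Build a constructed sysfs-like tree for offline testing (not real host data)."""
    for name, attrs in domains.items():
        d = Path(base) / name
        d.mkdir(parents=True)
        for attr, value in attrs.items():
            (d / attr).write_text(value + "\n")
    return Path(base)


if __name__ == "__main__":
    for f in audit_thunderbolt():
        status = "; ".join(f["issues"]) or "ok"
        print(f"{f['domain']}: security={f['security']} -> {status}")
```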
News URL
https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/05/11/thunderspy_port_hack/