Name |
Exploitation of Thunderbolt Protection Flaws |
|
Likelyhood of attack |
Typical severity |
Low |
Very High |
|
Summary |
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow. |
Prerequisites |
The adversary needs at least a few minutes of physical access to a system with an open Thunderbolt port, version 3 or lower, and an external thunderbolt device controlled by the adversary with maliciously crafted software and firmware, via an SPI Programming device, to exploit weaknesses in security protections. |
Execution Flow |
Step |
Phase |
Description |
Techniques |
1 |
Exploit |
[Connect adversary-controlled thunderbolt enabled device to victim device and verify successful execution of malicious actions] The adversary needs to determine if their exploitation of selected vulnerabilities had the intended effects upon victim device. |
- Observe victim device identify adversary device as the victim device and enables PCIe tunneling.
- Resume victim device from sleep, connect adversary-controlled device and observe security is disabled and Thunderbolt connectivity is restored with PCIe tunneling being enabled.
- Observe that in UEFI or Thunderbolt Management Tool/UI that the Security Level does not match adversary modified Security Level of "None" (SL0)
- Observe after installation of Firmware update that within Thunderbolt Management UI the "NVM version" is unchanged/same prior to the prompt of successful Firmware update/installation.
|
2 |
Exploit |
[Exfiltration of desired data from victim device to adversary device] Utilize PCIe tunneling to transfer desired data and information from victim device across Thunderbolt connection. |
|
3 |
Experiment |
[Disable Thunderbolt security and prevent future Thunderbolt security modifications (if necessary)] The adversary overrides the target device's Thunderbolt Security Level to "None" (SL0) and/or enables block protections upon the SPI flash to prevent the ability for the victim to perform and/or recognize future Thunderbolt security modifications as well as update the Thunderbolt firmware. |
- The adversary-controlled Thunderbolt device, connected to SPI programmer and victim device via Thunderbolt ports, is utilized to execute commands within tools/scripts to disable SPI flash protections, modify Thunderbolt Security Level, and enable malicious SPI flash protections.
|
4 |
Experiment |
[Modify/replace victim Thunderbolt firmware image] The modified victim and/or adversary thunderbolt firmware image is written to attacker SPI flash. |
|
|
Solutions | Implementation: Kernel Direct Memory Access Protection Configuration: Enable UEFI option USB Passthrough mode - Thunderbolt 3 system port operates as USB 3.1 Type C interface Configuration: Enable UEFI option DisplayPort mode - Thunderbolt 3 system port operates as video-only DP interface Configuration: Enable UEFI option Mixed USB/DisplayPort mode - Thunderbolt 3 system port operates as USB 3.1 Type C interface with support for DP mode Configuration: Set Security Level to SL3 for Thunderbolt 2 system port Configuration: Disable PCIe tunneling to set Security Level to SL3 Configuration: Disable Boot Camp upon MacOS systems |
Related Weaknesses |
CWE ID
|
Description
|
CWE-288 |
Authentication Bypass Using an Alternate Path or Channel |
CWE-345 |
Insufficient Verification of Data Authenticity |
CWE-353 |
Missing Support for Integrity Check |
CWE-862 |
Missing Authorization |
CWE-1188 |
Initialization of a Resource with an Insecure Default |
|
Related CAPECS |
CAPEC ID
|
Description
|
CAPEC-148 |
An adversary modifies content to make it contain something other than what the original content producer intended while keeping the apparent source of the content unchanged. The term content spoofing is most often used to describe modification of web pages hosted by a target to display the adversary's content instead of the owner's content. However, any content can be spoofed, including the content of email messages, file transfers, or the content of other network communication protocols. Content can be modified at the source (e.g. modifying the source file for a web page) or in transit (e.g. intercepting and modifying a message between the sender and recipient). Usually, the adversary will attempt to hide the fact that the content has been modified, but in some cases, such as with web site defacement, this is not necessary. Content Spoofing can lead to malware exposure, financial fraud (if the content governs financial transactions), privacy violations, and other unwanted outcomes. |
CAPEC-151 |
Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials. |
CAPEC-276 |
Inter-component protocols are used to communicate between different software and hardware modules within a single computer. Common examples are: interrupt signals and data pipes. Subverting the protocol can allow an adversary to impersonate others, discover sensitive information, control the outcome of a session, or perform other attacks. This type of attack targets invalid assumptions that may be inherent in implementers of the protocol, incorrect implementations of the protocol, or vulnerabilities in the protocol itself. |
CAPEC-390 |
Facilities often used layered models for physical security such as traditional locks, Electronic-based card entry systems, coupled with physical alarms. Hardware security mechanisms range from the use of computer case and cable locks as well as RFID tags for tracking computer assets. This layered approach makes it difficult for random physical security breaches to go unnoticed, but is less effective at stopping deliberate and carefully planned break-ins. Avoiding detection begins with evading building security and surveillance and methods for bypassing the electronic or physical locks which secure entry points. |
CAPEC-458 |
An adversary inserts malicious logic into a product or technology via flashing the on-board memory with a code-base that contains malicious logic. Various attacks exist against the integrity of flash memory, the most direct being rootkits coded into the BIOS or chipset of a device. |
|
Taxonomy: ATTACK |
Entry ID
|
Entry Name
|
1211 |
Exploitation for Defensive Evasion |
1542.002 |
Pre-OS Boot: Component Firmware |
1556 |
Modify Authentication Process |
|