Published on May 17th, 2020
Microsoft Confirms Serious New Windows 10 Security Problem, Says Go Buy A New PC
Last week, Intel confirmed the existence of a new security vulnerability in the deployment of Thunderbolt ports, enabling an attacker with physical access to a PC to modify the port’s controller firmware, disabling its security. As I reported at the time, almost all PCs with Thunderbolt ports are vulnerable to this attack, except a few from last year with Kernel DMA protection enabled.
This new security threat has been dubbed “Thunderspy” by Björn Ruytenberg, the Eindhoven University of Technology researcher who discovered and disclosed it. Ruytenberg warns that despite locking or suspending a PC, setting up a Secure Boot and strong system passwords, and enabling disk encryption, “all an attacker needs is five minutes alone with the computer.”
Such physical attacks on computers are complex, high-risk and thankfully rare. But they do happen. A physical compromise such as this is nicknamed an “evil maid” attack—the idea being that your machine is hit when you’re staying in a hotel and away from your room, or when the overnight cleaning crew come to blitz the offices. An attacker needs a few minutes with no eyes-on.
If you’re a target, this happens when you’re down at breakfast or using the gym in your hotel. “I have even heard of someone finding all the screws from his laptop on the table top after he took it out from his hotel safe,” former British intel officer Philip Ingram told me. This is why security professionals leave a “do not disturb” sign on their hotel room doors even when they’re not inside—you get your room serviced by calling down and asking for it to be done at a time of your choosing. And you have your devices with you when it’s being done.
Now Microsoft has confirmed the risk that “an attacker with physical access to a system can use Thunderspy to read and copy data even from systems that have encryption with password protection enabled.” The vulnerability is in hardware, and so cannot be patched. According to Microsoft, someone with physical access to the device “could sign in and exfiltrate data or install malicious software.” Microsoft’s advice to “stay ahead of advanced data theft” is to buy a new PC.
Not just any PC, of course, but one of their newly minted “secured-core PCs.” These have been around since late last year and come with all the security bells and whistles enabled in hardware and firmware, “mitigating Thunderspy and any similar attacks that rely on malicious DMA.” Intel confirms that a Thunderspy attack “could not be successfully demonstrated on systems with Kernel DMA protection,” a feature enabled on these Secured-core PCs.
As Microsoft explains, “even if an attacker was able to copy malicious Thunderbolt firmware to a device, the Kernel DMA protection on a Secured-core PC would prevent any accesses over the Thunderbolt port unless the attacker gains the user’s password... significantly raising the degree of difficulty.”
There is now a range of Secured-core PCs available, aimed at business users, likely those with a heightened sense of awareness, who travel regularly (albeit not just at the moment), and who might have valuable data on their machines. This isn’t just spooks—business leaders, VIPs, negotiators, politicians, anyone with sensitive data who travels and leaves their PC out of sight for periods of time.
The alternative, according to Ingram, is worse. “Take a burn device with only the data you need for those meetings on a separate USB. Never connect it to any network when you return home and only use it for travel to that country. If you ever leave it unattended assume the hardware has been compromised. If you have been subject to extended searches at an airport and have lost sight of your IT, assume it has been compromised.”
As security vulnerabilities go, Thunderspy is fairly niche—an issue on a massive scale, but which realistically only puts a very small percentage of users at risk. That said, it is a security flaw and it does leave PCs open to compromise. With that in mind, plus the fact this is now in the public domain, I’m sure many users will look at the availability of Kernel DMA protection when they next trade-up.