Microsoft Confirms Serious New Windows 10 Security Problem, Says Go Buy A New PC

Last week, Intel confirmed the existence of a new security vulnerability in the deployment of Thunderbolt ports, enabling an attacker with physical access to a PC to modify the port’s controller firmware, disabling its security. As I reported at the time, almost all PCs with Thunderbolt ports are vulnerable to this attack, except a few from last year with Kernel DMA protection enabled.

This new security threat has been dubbed “Thunderspy” by Björn Ruytenberg, the Eindhoven University of Technology researcher who discovered and disclosed it. Ruytenberg warns that despite locking or suspending a PC, setting up a Secure Boot and strong system passwords, and enabling disk encryption, “all an attacker needs is five minutes alone with the computer.”

Such physical attacks on computers are complex, high-risk and thankfully rare. But they do happen. A physical comprise such as this is nicknamed an “evil maid” attack—the idea being that your machine is hit when you’re staying in a hotel and away from your room, or when the overnight cleaning crew come to blitz the offices. An attacker needs a few minutes with no eyes-on.

If you’re a target, this happens when you’re down at breakfast or using the gym in your hotel. “I have even heard of someone finding all the screws from his laptop on the table top after he took it out from his hotel safe,” former British intel officer Philip Ingram told me. This is why security professionals leave a “do not disturb” sign on their hotel room doors even when they’re not inside—you get your room serviced by calling down and asking for it to be done at a time of your choosing. And you have your devices with you when it’s being done.

Now Microsoft has confirmed the risk that “an attacker with physical access to a system can use Thunderspy to read and copy data even from systems that have encryption with password protection enabled.” The vulnerability is in hardware, and so cannot be patched. According to Microsoft, someone with physical access to the device “could sign in and exfiltrate data or install malicious software.” Microsoft’s advice to “stay ahead of advanced data theft” is to buy a new PC.

Not just any PC, of course, but one of their newly minted “secured-core PCs.” These have been around since late last year and come with all the security bells and whistles enabled in hardware and firmware, “mitigating Thunderspy and any similar attacks that rely on malicious DMA.” Intel confirms that a Thunderspy attack “could not be successfully demonstrated on systems with Kernel DMA protection,” a feature enabled on these Secured-core PCs.

As Microsoft explains, “even if an attacker was able to copy malicious Thunderbolt firmware to a device, the Kernel DMA protection on a Secured-core PC would prevent any accesses over the Thunderbolt port unless the attacker gains the user’s password... significantly raising the degree of difficulty.”

There is now a range of Secured-core PCS available, aimed at business users, likely those with a heightened sense of awareness, who travel regularly (albeit not just at the moment), and who might have valuable data on their machines. This isn’t just spooks—business leaders, VIPs, negotiators, politicians, anyone with sensitive data who travels and leaves their PC out of sight for periods of time.

The alternative, according to Ingram, is worse. “Take a burn device with only the data you need for those meetings on a separate USB. Never connect it to any network when you return home and only use it for travel to that country. If you ever leave it unattended assume the hardware has been compromised. If you have been subject to extended searches at an airport and have lost sight of your IT, assume it has been compromised.”

As security vulnerabilities go, Thunderspy is fairly niche—an issue on a massive scale, but which realistically only puts a very small percentage of users at risk. That said, it is a security flaw and it does leave PCs open to compromise. With that in mind, plus the fact this is now in the public domain, I’m sure many users will look at the availability of Kernel DMA protection when they next trade-up.

Comments are closed.