



### Who Am I – About This Talk

### Björn Ruytenberg @0Xiphorus

Security researcher

Main interests: hardware and firmware security, sandboxing, input validation

More about me: https://bjornweb.nl

MSc student in Computer Science @ TUE

- This work is part of my master's thesis



### This talk:

- High-level overview on Thunderspy
- For technical details, please refer to:
  - "When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security" Black Hat USA 2020
  - Thunderspy vulnerability report thunderspy.io



### **Thunderbolt: A PCIe-based Interconnect**

- High-performance, proprietary I/O protocol developed by Intel and Apple
- PCI Express (PCIe)-based, Direct Memory Access (DMA)-enabled connectivity
- Use cases
  - External graphics, docking stations, 5K monitors, high-speed external storage, peer-to-peer networking
- Thunderbolt 1 (2011) and 2 (2013) mostly exclusive to Macs
  - Mini-DisplayPort form factor multiplexes TB, native DP
- Thunderbolt 3 (2015) first version to be widely adopted
  - USB-C form factor multiplexes TB, native DP and/or USB-C





# **PCI Express Basics – Quick Review**

- A standardized interconnect for attaching hardware devices in a computer system
- Designed as an internal connection for high-performance applications
  - Graphics cards (GPUs)
  - Network interfaces (Ethernet)
  - Wireless network cards (WiFi)
  - USB controllers
  - ...
- "Direct Memory Access" (DMA) primary CPU-peripheral mode of transport





### **DMA** attacks

- Thunderbolt 1: no protection against physical attacks
- Plug in malicious device
   → Unrestricted R/W memory access (DMA)
- Access data from encrypted drives
- Persistent access possible, by e.g. installing malware (rootkit)





# **Prior Work (selected)**

### Owned by an iPod [Dornseif 2004]

- First research to demonstrate practical DMA attack
- Malicious FW device presents Serial Bus Protocol 2 (SBP-2) endpoint, which triggers host controller to allocate DMA channel for fast bulk data transfers
- Several authors release exploitation tools [Boileau 2006] [Piegdon 2007]
- Improved upon for memory forensics [Witherden 2010]
- "Improved upon" in law enforcement spyware such as FinFireWire [Gamma 2011]

### Subverting Windows 7 x64 kernel with DMA attacks [Aumaitre 2009]

- First PCI-based attack through custom PCI device with DMA engine

### Inception [Maartmann-Moe 2014]

- Improves upon Witherden's libforensic1394 by presenting virtual SBP-2 interface through ExpressCard, FW device + TB-to-FW adapter

### PCILeech [Frisk 2016]

- Native PCIe attack
- DMA attack using FPGA with PCIe PHY (full size, ExpressCard, miniPCIe, M.2-NVMe), optionally tunneled through Thunderbolt enclosure
- Improved later with various functionality: e.g. dumping FDE keys, dumping UEFI memory regions, patching Windows lock screen process

### Thunderclap [Markettos et al. 2019]

- Replaces PCIe endpoint in TB device with malicious one, then performs DMA attack
- Does not break Security Levels access control, but relies on tricking user into authorizing malicious device








- Brief physical access to victim system, aka "evil maid attack"
- Example real-world scenarios:
  - Laptop locked or set to sleep; left unattended in hotel room, while victim is out for dinner
  - Desktop systems locked or set to sleep; left unattended outside office hours
  - Cleaning crew has unfettered access
- Potential adversaries:
  - Corporate and governmental espionage



# Industry measures against opportunistic physical access

- 1. BIOS access control
  - Prevents unauthorized modification of system settings
  - E.g. require password on entering BIOS
- 2. Secure Boot
  - Protects against malicious, unsigned code early in boot process
  - Cryptographically verifies boot chain: OS bootloader, kernel, drivers
- 3. Boot Guard
  - Protects against malicious firmware implants
  - Cryptographically verifies BIOS integrity
- 4. Full Disk Encryption
  - Protects against physical data extraction
  - Encrypts user data + OS root (depending on FDE config)







Malicious TB Device (DMA Attack)

- 1. BIOS access control
- 2. Secure Boot
- 3. Boot Guard
- 4. Full Disk Encryption
- 5. Thunderbolt Security Levels







- **Security Levels**: access control system enabling users to authorize trusted devices only
- Introduced in Thunderbolt 2
- No authorization = No connectivity










Thunderbolt devices authenticate to the host using the following metadata:

- **Device ID:** 16-bit device identifier
- **Device name:** ASCII string
- **Vendor ID:** 16-bit vendor identifier
- **Vendor name:** ASCII string
- **Universally Unique Identifier (UUID):** 64-bit number uniquely identifying device, fused in silicon





Source: Thunderbolt 3 and Security on Microsoft Windows 10 Operating System – Intel Corporation



# **Thunderbolt Security Levels**

| Security Level | Definition |
|----------------|------------|
| **SL0** None | No security (legacy mode) |
| **SL1** User | <ul><li>Device authorization ACL based on UUID</li><li>UUID fused in silicon</li><li>Default setting on all PCs</li></ul> |
| **SL2** Secure | <ul><li>Device authorization based on UUID (SL1), plus</li><li>Cryptographic device authentication (challenge-response)</li></ul> |
| **SL3** No PCIe tunneling | <ul><li>Disable all Thunderbolt connectivity</li><li>USB and/or DisplayPort tunneling only</li></ul> |
| **SL4** Disable daisy-chaining | Terminate PCIe tunneling at first TB device (some Titan Ridge controllers only) |
| Pre-boot protection | PCIe tunneling enabled only if Thunderbolt device previously authorized by user |

Security Levels prevent malicious TB devices from accessing PCIe domain, thereby protecting against:

- Device-to-host DMA attacks
- Device-to-device (P2P) DMA attacks
- PCI ID spoofing to target vulnerable device drivers
- TLP source ID spoofing

Source: Thunderbolt 3 and Security on Microsoft Windows 10 Operating System – Intel Corporation



# Introduction to Thunderspy

### Previous research:

- Before Security Levels: attacks primarily focus on PCIe-level DMA attacks to compromise Thunderbolt security
- After Security Levels: attacks require cooperation of user, i.e. inadvertently connecting malicious peripherals
- Thunderspy is a new class of vulnerabilities that breaks Thunderbolt protocol security
- First attack on Thunderbolt Security Levels
- 7 vulnerabilities and 9 practical exploitation scenarios





# Identifying attack surfaces

- Thunderbolt is a proprietary standard
- Protocol specifications not publicly documented
- Hardware architecture not publicly documented
- Dissected various Thunderbolt devices and Thunderbolt-equipped systems






# **Thunderbolt Devices**



























# **NetStor Thunderbolt NVMe Enclosure**

Labels on the annotated board photo:

- TB 3 host/device controller, 4-channel, dual port
- 2× TPS65983 USB Type-C PD Controller, Power Switch, High-speed Multiplexer
- I²C
- Thunderbolt™ 3
- MX25R8035F 8 Mbit SPI Flash
- JTAG?










# Intel JHL6540 Thunderbolt Controller



- 4 channel, dual-port Thunderbolt 3 controller
- Up to 20 Gbit per channel
- Supports Host and Endpoint mode
- "Alpine Ridge" generation:
  - DisplayPort 1.2
  - Integrated HDMI 2.0 LSPcon
  - USB 3.1 passthrough
  - USB-PD + 100W charging
- BGA package
- No public datasheets
- Not much we can do without more invasive techniques



### **TPS65983 USB-PD Controller**





**TPS65983** 

SLVSD93A - OCTOBER 2015-REVISED APRIL 2016

### TPS65983 USB Type-C and USB PD Controller, Power Switch, and High Speed Multiplexer

### 1 Features

- USB Power Delivery (PD) Controller
  - Mode Configuration for Source (Host), Sink (Device), or Source-Sink
  - Bi-Phase Marked Encoding/Decoding (BMC)
  - Physical Layer (PHY) Protocol
  - Policy Engine
  - Configurable at Boot and Host-Controlled
- USB Type-C Specification Compliant
  - Detect USB Cable Plug Attach
  - Cable Orientation and Role Detection
  - Assign CC and VCONN Pins
  - Advertise Default, 1.5 A or 3 A for Type-C Power
- Port Power Switch
  - 5-V, 3-A Switch to VBUS for Type-C Power
  - 5-V to 20-V, 3-A Bidirectional Switch to or from VBUS for USB PD Power
  - 5-V, 600-mA Switches for VCONN
  - Overcurrent Limiter, Overvoltage Protector
  - Slew Rate Control
  - Hard Reset Support
- Port Data Multiplexer
  - USB 2.0 HS Data, UART Data, and Low Speed Endpoint
  - Sideband Use Data for Alternate Modes (DisplayPort and Thunderbolt™)
- Power Management
  - Gate Control and Current Sense for External 5-V to 20-V, 5-A Bidirectional Switch (Back-to-Back NFETs)
  - Power Supply from 3.3-V or VBUS Source
  - 3.3-V LDO Output for Dead Battery Support
- BGA MicroStar Junior Package
  - 0.5-mm Pitch
  - Through-Hole Via Compatible for All Pins

### 2 Applications

Thunderbolt 3 Devices

### 3 Description

The TPS65983 is a stand-alone USB Type-C and Power Delivery (PD) controller providing cable plug and orientation detection at the USB Type-C connector. Upon cable detection, the TPS65983 communicates on the CC wire using the USB PD protocol. When cable detection and USB PD negotiation are complete, the TPS65983 enables the appropriate power path and configures alternate mode settings for internal and (optional) external multiplexers.

### Device Information<sup>(1)</sup>

| PART<br>NUMBER | PACKAGE                      | BODY SIZE (NOM)   |
|----------------|------------------------------|-------------------|
| TPS65983       | BGA MICROSTAR<br>JUNIOR (96) | 6.00 mm × 6.00 mm |

(1) For all available packages, see the orderable addendum at the end of the data sheet



### **TPS65983 USB-PD Controller**





```
C:\Users\xpw10\pcie-project\repos\Tbtools\TbtoolsCLI\bin\Release>tbmt i2c-read "d8d8ad00:00bdaa3f:fffffffff;ffffffff" 1 2F 40
Reading from I2C bus on:
        IOGEAR GTC3DEU
        d8d8ad00:00bdaa3f:ffffffff:fffffff
Result:
54 50 53 36 35 39 38 33 20 48 57 30 30 32 30 20 46 57 30 30 30 33 2E 37 31 2E 30 30 20 5A 41 50 43 31 2D 49 4E 54 4C 0

C:\Users\xpw10\pcie-project\repos\Tbtools\TbtoolsCLI\bin\Release>tbmt i2c-read "d8d8ad00:00bdaa3f:fffffffffffffff" 1 2E 49
Reading from I2C bus on:
        IOGEAR GTC3DEU
        d8d8ad00:00bdaa3f:ffffffff:fffffff
31 35 31 35 37 30 66 64 37 62 38 38 65 64 35 33 62 39 34 38 37 30 32 35 32 38 38 38 38 32 38 65 62 39 38 66 31 30 38 62 30 5F 31 30 3
 38 32 30 31 36

C:\Users\xpw10\pcie-project\repos\Tbtools\TbtoolsCLI\bin\Release>tbmt i2c-read "d8d8ad00:00bdaa3f:fffffffffffffff" 1 3 4
Reading from I2C bus on:
        IOGEAR GTC3DEU
        Result:
41 50 50 20
```

Slide annotations on the three reads:

- First read: `TPS65983 HW0020 FW0003.71.00 ZAPC1-INTL` (TPS FW identifier)
- Second read: FW hash and build date
- Third read: current operational state



# Macronix MX25R8035F





MX25R8035F

Ultra Low Power 8M-BIT [x 1/x 2/x 4] CMOS MXSMIO® (SERIAL MULTI I/O) FLASH MEMORY

### 1. FEATURES

### **GENERAL**

- Supports Serial Peripheral Interface -- Mode 0 and Mode 3
- 8,388,608 x 1 bit structure or 4,194,304 x 2 bits (two I/O mode) structure or 2,097,152 x 4 bits (four I/O mode) structure
- Equal Sectors with 4K byte each, or Equal Blocks with 32K/64K byte each
  - Any Block can be erased individually
- Single Power Supply Operation
  - Operation Voltage: 1.65V-3.6V for Read, Erase and Program Operations
- Latch-up protected to 100mA from -1V to Vcc +1V

### **PERFORMANCE**

- High Performance
  - Fast read
    - 1 I/O: 108MHz with 8 dummy cycles
    - 2 I/O: 104MHz with 4 dummy cycles, equivalent to 208MHz
    - 4 I/O: 104MHz with 2+4 dummy cycles, equivalent to 416MHz
  - Fast program and erase time
  - 8/16/32/64 byte Wrap-Around Burst Read Mode
- Ultra Low Power Consumption
- Minimum 100,000 erase/program cycles
- 20 years data retention

### SOFTWARE FEATURES



# **Thunderbolt 3 Controller Firmware**



```
struct tb_drom_header {
	/* BYTE 0 */
	u8 uid_crc8; /* checksum for uid */
	/* BYTES 1-8 */
	u64 uid;
	/* BYTES 9-12 */
	u32 data_crc32; /* checksum for data_len bytes starting at byte 13 */
	/* BYTE 13 */
	u8 device_rom_revision; /* should be <= 1 */
	u16 data_len:10;
	u8 unknown1:6;
	/* BYTES 16-21 */
	u16 vendor_id;
	u16 model_id;
	u8 model_rev;
	u8 eeprom_rev;
} __packed;
```

- Device ROM stores Thunderbolt device identity
  - Device name
  - Device ID
  - Vendor name
  - Vendor ID
  - UUID? Yes, but only 2 out of 8 bytes
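The header layout above can be decoded directly from a DROM dump. This is an added example, not code from the talk or from tcfp; the CRC parameters (CRC-8 with polynomial 0x07 and initial value 0xFF, CRC-32C), the names `parse_drom_header` and `constructed_sample`, and the sample bytes are assumptions made for the illustration.

```python
import struct
from dataclasses import dataclass

DATA_START = 13   # data_crc32 covers data_len bytes starting at byte 13
HEADER_LEN = 22   # bytes 0-21 of tb_drom_header


def crc8(data: bytes) -> int:
    """CRC-8 with polynomial 0x07 and initial value 0xFF (assumed parameters)."""
    val = 0xFF
    for byte in data:
        val ^= byte
        for _ in range(8):
            val = ((val << 1) ^ (0x07 if val & 0x80 else 0)) & 0xFF
    return val


def crc32c(data: bytes) -> int:
    """Bitwise CRC-32C (Castagnoli), reflected polynomial 0x82F63B78 (assumed)."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


@dataclass
class DromHeader:
    uid: int
    rom_revision: int
    data_len: int
    vendor_id: int
    model_id: int
    model_rev: int
    eeprom_rev: int
    uid_crc_ok: bool
    data_crc_ok: bool


def parse_drom_header(blob: bytes) -> DromHeader:
    """Decode bytes 0-21 of a DROM dump and recompute both checksums."""
    if len(blob) < HEADER_LEN:
        raise ValueError(f"need at least {HEADER_LEN} bytes, got {len(blob)}")
    (uid_crc, uid, data_crc, rom_rev, len_bits,
     vendor_id, model_id, model_rev, eeprom_rev) = struct.unpack_from("<BQIBHHHBB", blob)
    data_len = len_bits & 0x3FF            # low 10 bits; the upper 6 are unknown1
    data = blob[DATA_START:DATA_START + data_len]
    return DromHeader(
        uid=uid, rom_revision=rom_rev, data_len=data_len,
        vendor_id=vendor_id, model_id=model_id,
        model_rev=model_rev, eeprom_rev=eeprom_rev,
        uid_crc_ok=crc8(blob[1:9]) == uid_crc,
        # A dump shorter than data_len cannot be verified, so report failure.
        data_crc_ok=len(data) == data_len and crc32c(data) == data_crc,
    )


def constructed_sample() -> bytes:
    """Constructed 22-byte DROM (header only) with made-up identity values."""
    uid_bytes = struct.pack("<Q", 0x0011223344556677)
    # ROM revision 1, data_len 9 (bytes 13-21), vendor 0x0ABC, model 0x0123
    data = struct.pack("<BHHHBB", 1, 9, 0x0ABC, 0x0123, 1, 1)
    return (struct.pack("<B", crc8(uid_bytes)) + uid_bytes
            + struct.pack("<I", crc32c(data)) + data)


if __name__ == "__main__":
    good = constructed_sample()
    print(parse_drom_header(good))
    # One flipped bit in the vendor ID: the data checksum no longer matches.
    damaged = bytearray(good)
    damaged[16] ^= 0x01
    print(parse_drom_header(bytes(damaged)))
```

Both checksums are unkeyed: they flag a corrupted dump but carry no information about who wrote the DROM, which is why the following slides ask what the firmware signature actually covers.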



# **Thunderbolt 3 Controller Firmware**

[Figure: hex dump of controller firmware showing the embedded "RSA+EXP" key region]

- Embedded in firmware
  - Public key (fingerprint likely stored in silicon)
  - Signed digest
- Device ROM stores Thunderbolt device identity
  - Device name
  - Device ID
  - Vendor name
  - Vendor ID
  - UUID (partial)
- What is covered by the cryptographic signature?



# **Thunderspy Device Identity**

- What is covered by the cryptographic signature?
  - Not the DROM...

Thunderbolt Device Tree (system information screenshot):

- Thunderbolt Bus 0
  - Thunderbolt Station 2
    - Thunderbolt to Gigabit Ethernet Adapter
- Thunderbolt Bus 1
  - ClubberNut

### ClubberNut:

- Vendor Name: TotallyLegit
- Device Name: ClubberNut
- Device ID: 0xE
- Device Revision: 0x1
- UID: 0x006F645621311600
- Route String: 3
- Firmware Version: 25,1
- Port (Upstream):
  - Status: Device connected
  - Link Status: 0x2
  - Speed: Up to 40Gb/s x1
  - Current Link Width: 0x2
  - Link Controller Firmware Version: 0.36.0



# **Thunderbolt 3 Controller Firmware**

### Thunderbolt™ 3 Security Features details and definitions

### Authenticating newly attached device

Firmware and software supported feature that requires user approval before allowing a PCIe capable Thunderbolt™ connection for the first time, supported on Thunderbolt™ starting in 2013

### **Cryptographic Authentication**

Cryptographic authentication of connection to help prevent a peripheral device to be spoofed to masquerade as an "approved" device to the user (authentication of the connection), supported from Thunderbolt™ 2 products onward, starting in 2014

### Separating Thunderbolt™ data stream

Separating Thunderbolt™ data stream from display tunneling to help prevent walk-up access of PCIe unless it is specifically allowed.

Statement inaccurate, but interesting emphasis on TB3

### Unique ID number

Every Thunderbolt Controller has a unique ID fused in silicon during production, this allows to identify a specific device

Source: Thunderbolt 3 and Security on Microsoft Windows 10 Operating System – Intel Corporation



# **Thunderbolt 2 Controller Firmware**



- UUID stored in plaintext, not covered by any signatures
- TB2 devices can clone (spoof) TB3 device identity



Thunderbolt Station 2 (system information screenshot):

- Vendor Name: CalDigit, Inc.
- Device Name: Thunderbolt Station 2
- Vendor ID: 0x3D
- Device ID: 0x4
- UID: 0x0058A0FA94B96500
- Firmware Version:
- Port (Upstream):
  - Status: Device connected
  - Link Status: 0x2
  - Speed: Up to 20Gb/s x1
  - Current Link Width: 0x2
  - Cable Firmware Version: 1.0.16
  - Cable Serial Number: C4M251502HGF797AP
  - Link Controller Firmware Version: 0.14.0
- Port:
  - Status: No device connected
  - Link Status: 0x7
  - Speed: Up to 20Gb/s x1
  - Current Link Width:
  - Link Controller Firmware Version: 0.14.0



# **Cloning Identities – Practical Implications?**








# **Thunderbolt-Equipped Systems**









- Five vendors, seven generations of systems: Intel, Lenovo, HP, Dell, Apple (2013–2020)
- Five generations of Thunderbolt controllers: Falcon Ridge (TB2), Alpine Ridge-2015, Alpine Ridge-2016, Titan Ridge, Ice Lake (TB3)











# Lenovo ThinkPad P1 (2019)



Labels on the annotated board photo:

- Intel JHL7540 TB3 host controller, 4-channel, dual port (other side)
- TPS65982 USB-PD (other side)
- Winbond W25Q80.V: TB3 host controller FW
- NVMe storage



# **Host Controller: Key Questions**

- BIOS enables user switching Thunderbolt Security Levels
  - BIOS programs TB controller upon setting SL, so stores SL state?
- SL1+2 require storing device UUIDs
  - List of allowed devices (ACL)?





## **Host Controller Firmware Outline**

Labels from the firmware layout figure, in reading order:

Jump address Host mode: 0x00\* EP mode: 0x4000 No secure key Device ACL (UUIDs) dictionary **Host Security Level** (stored on OS disk; configuration pre-boot auth appears based on DROM (0x4000) UUID only) Host identity PHY config **PtoSPtoQWake** EE CIO

PHY config (continued) EE PCIE EE DMA EE USB PA / PB EE PCIE PHI EE DP **PATCHES** DP IN UCODE "RSA+EXP" public key Signed digest TPS USB-PD FW

\*Offset varies by controller model, FW revision, and currently active Security Level

# **Unauthenticated Controller Config – Implications?**

### Use of unauthenticated controller configurations

- Two state machines: BIOS and host controller FW maintain SL state
- Host controller FW overrides BIOS state
- FW signature does not cover security configuration

### Potential exploitation scenario

- By patching host controller firmware, attacker overrides Security Level
  - To disable all Thunderbolt security (SL0)
  - To restore Thunderbolt connectivity, if it was disabled by the user (SL3)



### **SPI Flash: Write Protection**

W25Q80DV/DL



### 7.1.6 Complement Protect (CMP)

The Complement Protect bit (CMP) is a non-volatile read/write bit in the status register (S14). It is used in conjunction with SEC, TB, BP2, BP1 and BP0 bits to provide more flexibility for the array protection. Once CMP is set to 1, previous array protection set by SEC, TB, BP2, BP1 and BP0 will be reversed. For instance, when CMP=0, a top 4KB sector can be protected while the rest of the array is not; when CMP=1, the top 4KB sector will become unprotected while the rest of the array become read-only. Please refer to the Status Register Memory Protection table for details. The default setting is CMP=0.

### 7.1.7 Status Register Protect (SRP1, SRP0)

The Status Register Protect bits (SRP1 and SRP0) are non-volatile read/write bits in the status register (S8 and S7). The SRP bits control the method of write protection: software protection, hardware protection, power supply lock-down or one time programmable (OTP) protection.

| SRP1 | SRP0 | /WP | Status Register | Description |
|------|------|-----|-----------------|-------------|
| 0 | 0 | x | Software Protection | /WP pin has no control. The Status register can be written to after a Write Enable instruction, WEL=1. [Factory Default] |
| 0 | 1 | 0 | Hardware Protected | When /WP pin is low the Status Register locked and can not be written to. |
| 0 | 1 | 1 | Hardware Unprotected | When /WP pin is high the Status register is unlocked and can be written to after a Write Enable instruction, WEL=1. |
| 1 | 0 | x | Power Supply Lock-Down | Status Register is protected and can not be written to again until the next power-down, power-up cycle. <sup>(1)</sup> |
| 1 | 1 | x | One Time Program <sup>(2)</sup> | Status Register is permanently protected and can not be written to. |

Special order, yet some TB controller flash samples appear to ship support

#### Note:

- 1. When SRP1, SRP0 = (1, 0), a power-down, power-up cycle will change SRP1, SRP0 to (0, 0) state.
- 2. This feature is available upon special order. Please contact Winbond for details.



# **Disabling Thunderbolt Security – Permanently**

### SPI flash interface deficiencies

- Host controller FW maintains SL state (slide 42)
- SPI flash write protection allows preventing the user from changing the SL
  - On supported flash, irrevocable OTP write protection turns it into Read Only Memory (ROM)

### Potential exploitation scenario

- Attacker overrides SL to 0 (no security), then renders it permanent
- Shown in upcoming demo



# **Summary: Thunderspy Attack Methods (selected)**

| Attack method | Description |
|---------------|-------------|
| Attack method 1<br>Exploitation scenarios: 3.2.1, 3.3.1, 3.3.2, 3.3.3 | Attack Thunderbolt host controller firmware to disable Thunderbolt security. System will accept any arbitrary attacker devices.<ul><li>Requires brief access to laptop and reprogramming host controller firmware (~ 5 min)</li><li>Does not require access to victim's Thunderbolt devices</li></ul> |
| Attack method 2<br>Exploitation scenarios: 3.1.1, 3.1.3 | Clone user-authorized Thunderbolt device identity to an arbitrary attacker device. System will accept attacker device as being legitimate, user-authorized device.<ul><li>Does not require reprogramming host controller firmware</li><li>Requires brief access to one of victim's Thunderbolt devices (~ 5 min)</li></ul> |
| Impact (both) | <ul><li>Unrestricted read and write access to system memory (DMA)</li><li>Access data from encrypted drives</li><li>Persistent access possible, by e.g. (i) Thunderspy attack permanently disabling Thunderbolt security, or (ii) installing rootkit to ensure continued access without requiring Thunderspy</li></ul> |

For more technical details, please refer to our Black Hat USA talk and vulnerability report.



# Demo – Unlocking Windows PC in 5 minutes using attack method 1

Edited to fit Dutch Design Week session. Please refer to our YouTube recording for the complete real-time footage.





# **Thunderspy PoC Tools**

### Thunderbolt Controller Firmware Patcher

https://github.com/BjornRuytenberg/tcfp

```
0xiphorus@xplptp:/Volumes/Data/PCIe-project/repos/tcfp$ python3 tcfp.py parse samples/intel-nuc8i3beh-M45PE80-nvm33-user.bin
Vendor ID: 0x8086
PCI Device Name : JHL6340 Thunderbolt 3 Bridge (C step) [Alpine Ridge 2C 2016]
Model ID: 0x6357
NVM version: 1 (0x1)
Vendor : Intel Corporation
Device : NUC8BEB
Security Level : SL1
0xiphorus@xplptp:/Volumes/Data/PCIe-project/repos/tcfp$ python3 tcfp.py parse samples/hp-zbook-studio-g4-W25Q80.V-nvm41-secure.bin
Vendor ID : 0xf0
PCI ID : 0x15d3
PCI Device Name : JHL6540 Thunderbolt 3 Bridge (C step) [Alpine Ridge 4C 2016]
Model ID: 0x826b
NVM version: 1 (0x1)
Vendor : HP, Inc.
Device : HP ZBook Studio G4
0xiphorus@xplptp:/Volumes/Data/PCIe-project/repos/tcfp$ python3 tcfp.py parse samples/lenovo-p1-new-MX25L8005-nvm36-dp-usb.bin
Vendor ID : 0x109
PCI ID : 0x15ea
PCI Device Name : JHL7540 Thunderbolt 3 Bridge [Titan Ridge 4C 2018]
Model ID : 0x1711
NVM version : 36 (0x24)
Vendor : Lenovo
Device : ThinkPad P1
Security Level : SL3

```
0xiphorus@xplptp:/Volumes/Data/PCIe-project/repos/tcfp$ python3 tcfp.py patch lenovo-p1-new-MX25L8005-nvm36-dp-usb.bin
Vendor ID: 0x109
PCI ID: 0x15ea
PCI Device Name : JHL7540 Thunderbolt 3 Bridge [Titan Ridge 4C 2018]
Model ID : 0x1711
NVM version : 36 (0x24)
Vendor : Lenovo
Device : ThinkPad P1
Security Level: SL3
Image patched succesfully.
0xiphorus@xplptp:/Volumes/Data/PCIe-project/repos/tcfp$ python3 tcfp.py parse lenovo-p1-new-MX25L8005-nvm36-dp-usb.bin
Vendor ID : 0x109
PCI ID: 0x15ea
PCI Device Name : JHL7540 Thunderbolt 3 Bridge [Titan Ridge 4C 2018]
Model ID: 0x1711
NVM version: 36 (0x24)
Vendor : Lenovo
Device : ThinkPad P1
Security Level: SL0
0xiphorus@xplptp:/Volumes/Data/PCIe-project/repos/tcfp$
```



# **Thunderspy PoC Tools**

### **SPIblock**

https://github.com/BjornRuytenberg/spiblock

```
0xiphorus@xplptp:/Volumes/Data/PCIe-project/repos/spiblock$ python3 spiblock.py -p
Manufacturer ID: 0xC2
Device ID: 0x2017
Device: MACRONIX_MX25L6405
0xiphorus@xplptp:/Volumes/Data/PCIe-project/repos/spiblock$ python3 spiblock.py -s
Status Register: 0x40
Write Enable Latch WEL : Disabled
Status Register Protect SRP0 : Disabled
Block Protection BPx : Disabled
0xiphorus@xplptp:/Volumes/Data/PCIe-project/repos/spiblock$ python3 spiblock.py -p
Manufacturer ID: 0xEF
Device ID: 0x4014
Device: WINBOND_NEX_W25Q80_V
0xiphorus@xplptp:/Volumes/Data/PCIe-project/repos/spiblock$ python3 spiblock.py -s
Status Register: 0x0
Write Enable Latch WEL : Disabled
Status Register Protect SRP0 : Disabled
Block Protection BPx : Disabled
0xiphorus@xplptp:/Volumes/Data/PCIe-project/repos/spiblock$ python3 spiblock.py -p
root: WARNING: Enabling block protection for SPI device unsupported (flashrom status: 'TEST_UNTESTED').
Manufacturer ID: 0x20
Device ID: 0x4014
Device: ST_M45PE80
0xiphorus@xplptp:/Volumes/Data/PCIe-project/repos/spiblock$ python3 spiblock.py -s
root: WARNING: Enabling block protection for SPI device unsupported (flashrom status: 'TEST_UNTESTED')
Status Register : 0x0
Write Enable Latch WEL : Disabled
Status Register Protect SRP0 : Disabled
Block Protection BPx : Disabled
0xiphorus@xplptp:/Volumes/Data/PCIe-project/repos/spiblock$
```

```
0xiphorus@xplptp:/Volumes/Data/PCIe-project/repos/spiblock$ python3 spiblock.py -p
Manufacturer ID: 0xEF
Device ID: 0x4014
Device: WINBOND_NEX_W25Q80_V
0xiphorus@xplptp:/Volumes/Data/PCIe-project/repos/spiblock$ python3 spiblock.py -s
Status Register: 0x0
Write Enable Latch WEL : Disabled
Status Register Protect SRP0 : Disabled
Block Protection BPx : Disabled
0xiphorus@xplptp:/Volumes/Data/PCIe-project/repos/spiblock$ python3 spiblock.py -b 1
Succesfully enabled block protection.
0xiphorus@xplptp:/Volumes/Data/PCIe-project/repos/spiblock$ python3 spiblock.py -s
Status Register : 0x1c
Write Enable Latch WEL : Disabled
Status Register Protect SRP0 : Disabled
Block Protection BPx : Enabled (3)
0xiphorus@xplptp:/Volumes/Data/PCIe-project/repos/spiblock$ python3 spiblock.py -w 1
Succesfully enabled WP pin control.
0xiphorus@xplptp:/Volumes/Data/PCIe-project/repos/spiblock$ python3 spiblock.py -s
Status Register : 0x9c
Write Enable Latch WEL : Disabled
Status Register Protect SRP0 : Enabled
Block Protection BPx : Enabled (3)
0xiphorus@xplptp:/Volumes/Data/PCIe-project/repos/spiblock$ python3 spiblock.py -w 0
Error: Device does not allow changing status registers. De-assert WP pin first.
0xiphorus@xplptp:/Volumes/Data/PCIe-project/repos/spiblock$ python3 spiblock.py -b 0
root: WARNING: WP pin control enabled. Make sure to de-assert WP pin, otherwise this action will fail.
root: WARNING: If successful, this action will disable WP pin control.
Error: Device does not allow changing status registers. Disable WP pin control (SRP) first.
```
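The status values in the session above can be read against the W25Q80DV Status Register Protect table from the write-protection slide, which is how an auditor would tell whether a controller flash is locked and how firmly. This is an added example, not part of spiblock: it assumes the W25Q80DV bit layout (SRP0 = S7, BP2..BP0 = S4..S2, SRP1 = S8, CMP = S14), that status register 2 reads 0 unless supplied, and the names `decode`, `status_history` and `timeline` are hypothetical.

```python
import re
from dataclasses import dataclass

# Status register 1 holds S7..S0, status register 2 holds S15..S8.
SR1_SRP0 = 0x80        # S7
SR1_BP_SHIFT = 2       # BP2..BP0 are S4..S2
SR1_BP_MASK = 0b111
SR2_SRP1 = 0x01        # S8
SR2_CMP = 0x40         # S14

# (SRP1, SRP0) -> mode for the rows where the /WP pin level does not matter.
PIN_INDEPENDENT_MODES = {
    (0, 0): "Software Protection",
    (1, 0): "Power Supply Lock-Down",
    (1, 1): "One Time Program",
}


@dataclass
class Protection:
    mode: str
    status_writable: bool   # can the status register be rewritten right now?
    permanent: bool         # OTP: the lock can never be lifted
    bp: int                 # raw BP2..BP0 value
    cmp: bool               # complement-protect bit


def decode(sr1: int, sr2: int = 0, wp_high: bool = True) -> Protection:
    """Classify a status register reading using the SRP1/SRP0//WP table."""
    srp1 = 1 if sr2 & SR2_SRP1 else 0
    srp0 = 1 if sr1 & SR1_SRP0 else 0
    if (srp1, srp0) == (0, 1):
        # Only this row depends on the pin: low locks, high unlocks.
        mode = "Hardware Unprotected" if wp_high else "Hardware Protected"
    else:
        mode = PIN_INDEPENDENT_MODES[(srp1, srp0)]
    return Protection(
        mode=mode,
        status_writable=mode in ("Software Protection", "Hardware Unprotected"),
        permanent=mode == "One Time Program",
        bp=(sr1 >> SR1_BP_SHIFT) & SR1_BP_MASK,
        cmp=bool(sr2 & SR2_CMP),
    )


STATUS_RE = re.compile(r"^Status Register\s*:\s*(0x[0-9a-fA-F]+)", re.MULTILINE)


def status_history(session: str):
    """Extract every 'Status Register' value from spiblock -s output, in order."""
    return [int(value, 16) for value in STATUS_RE.findall(session)]


def timeline(session: str, sr2: int = 0, wp_high: bool = True):
    """Pair each reading with its protection mode to show how the lock evolved."""
    return [(sr1, decode(sr1, sr2, wp_high).mode) for sr1 in status_history(session)]


# Status lines taken from the W25Q80 session shown on this page.
SESSION = """\
Status Register: 0x0
Block Protection BPx : Disabled
Status Register : 0x1c
Block Protection BPx : Enabled (3)
Status Register : 0x9c
Status Register Protect SRP0 : Enabled
"""

if __name__ == "__main__":
    for sr1, mode in timeline(SESSION, wp_high=False):
        print(f"SR1=0x{sr1:02x}  BP={decode(sr1).bp:03b}  {mode}")
```

With the /WP pin held low, the final reading 0x9c decodes to Hardware Protected, which matches the tool refusing `-w 0` until the pin is de-asserted; a reading with SRP1 and SRP0 both set would be the irrevocable OTP state.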



# **Thunderspy: Affected systems**

### All Thunderbolt-equipped systems shipped between 2011-2020

- All PCs released between 2011-2018 fully vulnerable
- All Macs running Windows and Linux (Boot Camp) fully vulnerable
- Some systems providing "Kernel DMA Protection", shipping since 2019, partially vulnerable: https://thunderspy.io/#kernel-dma-protection
- MacOS partially vulnerable: https://thunderspy.io/#affected-apple-systems

### Spycheck

- Free and open-source tool to determine if your system is vulnerable: https://thunderspy.io
- Alternatively, follow manual verification steps on website



# Thunderspy: Intel's response

### **Kernel DMA Protection**

- Intel-suggested mitigation to Thunderspy
- Limits Thunderbolt device memory access to assigned range using "IOMMU"
- Requires Windows 10 >= 1803, Linux kernel >= 5.0

### However,

- Partial mitigation only
  - Mitigates only vulnerabilities 4-6
  - Prevents impact via DMA, but remaining vulnerabilities 1-3 expose system to BadUSB-style attacks
- Requires "IOMMU" and BIOS support
- BIOS support exclusively available on some >= 2019 systems
- Not available on systems < 2019
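On Linux, whether Kernel DMA Protection is in effect and which Security Level a controller reports can be read from sysfs. The following is an added example, not Spycheck and not code from the talk: it relies on the thunderbolt driver's per-domain `security` and `iommu_dma_protection` attributes, uses this page's "fully" / "partially vulnerable" wording for the result, and the names `assess_domains` and `constructed_tree` are hypothetical.

```python
import tempfile
from pathlib import Path

SYSFS_TB = Path("/sys/bus/thunderbolt/devices")

# Values of the Linux 'security' attribute and the Security Level each names.
SECURITY_TO_SL = {
    "none": "SL0", "user": "SL1", "secure": "SL2",
    "dponly": "SL3", "usbonly": "SL4",
}


def read_attr(path):
    """Return a sysfs attribute as stripped text, or None if it is absent."""
    try:
        return path.read_text().strip()
    except OSError:
        return None


def assess_domains(root=SYSFS_TB):
    """Report Security Level and Kernel DMA Protection per Thunderbolt domain."""
    reports = []
    if not root.is_dir():
        return reports                      # driver not loaded or no controller
    for domain in sorted(root.glob("domain*")):
        security = read_attr(domain / "security")
        # Attribute missing (kernel without support) counts as not active.
        kdp = read_attr(domain / "iommu_dma_protection") == "1"
        reports.append({
            "domain": domain.name,
            "security": security,
            "security_level": SECURITY_TO_SL.get(security, "unknown"),
            "kernel_dma_protection": kdp,
            # Page's classification: Kernel DMA Protection is a partial
            # mitigation; without it the Security Level is the only barrier.
            "exposure": "partially vulnerable" if kdp else "fully vulnerable",
        })
    return reports


def constructed_tree(root):
    """Constructed sysfs-like tree for offline runs (made-up settings)."""
    for name, security, iommu in (("domain0", "user", "0"),
                                  ("domain1", "secure", "1")):
        domain = root / name
        domain.mkdir(parents=True)
        (domain / "security").write_text(security + "\n")
        (domain / "iommu_dma_protection").write_text(iommu + "\n")
    (root / "0-0").mkdir()                  # device entries are not domains


if __name__ == "__main__":
    reports = assess_domains()
    if not reports:
        # No Thunderbolt domain on this machine: fall back to the sample tree.
        with tempfile.TemporaryDirectory() as tmp:
            sample_root = Path(tmp) / "devices"
            constructed_tree(sample_root)
            reports = assess_domains(sample_root)
    for report in reports:
        print(report)
```

The Security Level read here is what the controller reports at run time, so it should be compared with the level configured in the BIOS rather than trusted on its own.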



# **Thunderspy 2**

- No fix from Intel: all Thunderbolt-equipped systems released 2011-2018, and several >= 2019, remain unpatched against Thunderspy
- However, most pre-2019 systems feature an "IOMMU", thus technically capable of supporting Kernel DMA Protection
- Thunderspy 2: Experimental patch to Thunderspy
  - OS-independent BIOS extension
  - Brings Kernel DMA Protection to roughly 6 years worth of systems
    - Includes Thunderbolt 2!
    - Works with Windows 10 1803+ and Linux kernel 5.0+
    - Experimental stage: please do not use in production, yet feedback welcome
  - More details: https://github.com/BjornRuytenberg/kdmap-patcher
- Linux users: we are working with the Linux kernel hardware security team to develop kernel-level mitigations



### What's Next?

### The future of Thunderbolt-based interconnects

- What issues currently remain unaddressed?
  - 1. Thunderspy vulnerabilities 1–3: No means to distinguish between forged and legitimate DROMs. Devices that look legitimate physically could still be malicious.
  - 2. Narrow scope of Kernel DMA Protection vs. Security Levels: Enables TB device connectivity without user interaction. Does not protect against malicious devices abusing other PCIe-inherent attack vectors.
- How may these issues affect USB 4 and Thunderbolt 4?
  - To mitigate Thunderspy, Intel now requires "Kernel DMA Protection" as part of Thunderbolt 4 product certification
  - Backwards compatibility likely means susceptibility to (1), while (2) remains unaddressed



# **Takeaway**

- Thunderspy: a new class of vulnerabilities breaking Thunderbolt security
  - No fix from Intel for vulnerable systems released in 2011-2020; Kernel DMA Protection available only on some >= 2019 systems
  - Check if your system is vulnerable: use Spycheck or verify manually
  - More technical details: refer to talk at Black Hat USA 2020
  - Full vulnerability report: https://thunderspy.io
- Thunderspy 2: experimental, OS-independent mitigation to Thunderspy
  - Brings Kernel DMA Protection to all vulnerable systems with IOMMU
- The future is PCI Express
  - Thunderbolt is a powerful external interconnect enabling high-bandwidth, low-latency use cases previously not possible
  - USB 4 and Thunderbolt 4 upcoming, but adequate protection schemes remain absent (for now?)



## **Thank You**

Questions?

## **Björn Ruytenberg**

https://bjornweb.nl

