Thunderspy: a series of attacks against computers with Thunderbolt

Recently information was released on seven vulnerabilities that affect computers with Thunderbolt, these known vulnerabilities were listed as "Thunderspy" and with them an attacker can make use of to bypass all the main components guarantees Thunderbolt security.

Depending on the problems identified, nine attack scenarios are proposed They are implemented if the attacker has local access to the system by connecting a malicious device or manipulating the firmware of the computer.

The attack scenarios include the ability to create identifiers for Thunderbolt devices arbitrary, clone authorized devices, random memory access through DMA and overriding the security level settings, including completely disabling all protection mechanisms, blocking the installation of firmware updates, and translating the interface to Thunderbolt mode on systems limited to USB forwarding or DisplayPort.

About Thunderbolt

For those unfamiliar with Thunderbolt, you should know that this eIt's a universal interface that used to connect peripherals that combines PCIe (PCI Express) and DisplayPort interfaces in a single cable. Thunderbolt was developed by Intel and Apple and is used in many modern laptops and PCs.

PCIe-based Thunderbolt devices have direct memory access I / O, posing a threat of DMA attacks to read and write all system memory or capture data from encrypted devices. To avoid such attacks, Thunderbolt proposed the concept of «Security Levels», which allows the use of devices only authorized by the user and uses cryptographic authentication of connections to protect against identity fraud.

About Thunderspy

Of the identified vulnerabilities, these make it possible to avoid said link and connect a malicious device under the guise of an authorized one. In addition, it is possible to modify the firmware and put SPI Flash into read-only mode, which can be used to completely disable security levels and prevent firmware updates (the tcfp and spiblock utilities have been prepared for such manipulations).

  • The use of inappropriate firmware verification schemes.
  • Use a weak device authentication scheme.
  • Download metadata from an unauthenticated device.
  • Existence of mechanisms to guarantee compatibility with previous versions, allowing the use of rollback attacks on vulnerable technologies.
  • Use configuration parameters from an unauthenticated controller.
  • Interface defects for SPI Flash.
  • Lack of protection at the Boot Camp level.

The vulnerability appears on all Thunderbolt 1 and 2 equipped devices (based on Mini DisplayPort) and Thunderbolt 3 (based on USB-C).

It is still not clear if problems appear on devices with USB 4 and Thunderbolt 4, as these technologies are only advertised and there is no way to verify their implementation.

Vulnerabilities cannot be fixed by software and require the processing of hardware components. At the same time, for some new devices, it is possible to block some of the DMA related problems using the DMA Kernel protection mechanism, whose support has been introduced since 2019 (it has been supported in the Linux kernel since version 5.0, you can verify the inclusion via /sys/bus/thunderbolt/devices/domainX/iommu_dma_protection").

Finally, to be able to test all those devices in which there is doubt whether they are susceptible to these vulnerabilities, a script called "Spycheck Python" was proposed, which requires running as root to access the DMI, ACPI DMAR, and WMI table.

As measures to protect vulnerable systems, It is recommended that the system not be left unattended, turned on or in standby modeIn addition to not connecting other Thunderbolt devices, do not leave or transfer your devices to strangers and also provide physical protection for your devices.

Besides that if there is no need to use Thunderbolt on the computer, it is recommended to disable the Thunderbolt controller in UEFI or BIOS (Although it is mentioned that the USB and DisplayPort ports may be rendered inoperative if they are implemented through the Thunderbolt controller).


The content of the article adheres to our principles of editorial ethics. To report an error click here!.

Be the first to comment

Leave a Comment

Your email address will not be published. Required fields are marked with *



  1. Responsible for the data: AB Internet Networks 2008 SL
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.