Thunderspy: What you need to know about unpatchable flaw in older PCs

11 May 2020

Image: © boyhey/

Security researchers have discovered a serious vulnerability in the Thunderbolt port that affects PCs built prior to 2019.

A commonly found port on many PCs has been discovered to have a major vulnerability. The Intel Thunderbolt port – shown on devices by its lightning bolt symbol – allows for the quick transfer of data to and from a computer and has been installed on millions of new laptop and desktop computers since 2011.

However, Björn Ruytenberg, master’s student at Eindhoven University of Technology, and his supervisors have discovered a vulnerability in this tech that they have dubbed ‘Thunderspy’. This could give a hacker easy access to files on Thunderbolt-enabled Windows and Linux PCs in just a few minutes.

The discovery follows on from news last year of a similar vulnerability in the port dubbed ‘Thunderclap’. This revealed that a malicious device used by a hacker could allow access to a computer’s files through Thunderbolt.

At the time, it was advised that those with the port enabled should set its security levels so that unknown devices trying to access the computer would be blocked. However, researchers said that the newly discovered Thunderspy vulnerability can bypass these extra security settings.

All the attacker needs is five minutes alone with the computer, a screwdriver and some easily portable hardware, the researchers said. Once they are in, a hacker can read and copy all data, even if the drive is encrypted and the computer is locked or set to sleep. Also, a Thunderspy attack leaves no trace that someone has accessed the device, leaving the owner completely unaware.

Danger of the ‘evil maid’

This is referred to by Ruytenberg on the dedicated Thunderspy website as an ‘evil maid’ direct memory access (DMA) attack, where a hacker has a limited amount of time alone with someone else’s device.

Ruytenberg said the team found seven vulnerabilities in Intel’s design for the port, with nine different realistic scenarios for accessing a computer’s data, collectively referred to as Thunderspy.

The researchers said they had contacted Intel about their findings in February, with the tech giant confirming the existence of vulnerabilities in Thunderbolt. A remedy offered by the company included a security mechanism known as Kernel DMA Protection that protects computers from the Thunderspy vulnerabilities.

However, Kernel DMA Protection has only been available since 2019, and only on a limited number of desktop and laptops PCs. Many computers made before 2019 are incompatible, leaving them open to the vulnerability.

Speaking of his findings, Ruytenberg said that he was surprised to discover that “there was essentially nothing resembling modern cryptography” in Thunderbolt. “The little I found I could easily break or bypass,” he said.

In addition to downloading a tool developed by the researchers to see if your device is affected, Ruytenberg advised all PC users to disable Thunderbolt completely and not leave any system with the port enabled unattended.

Vulnerability ‘is not new’

Responding to the claims, Intel published a blog post stating that the vulnerability “is not new”, contrary to what the researchers have said.

“For all systems, we recommend following standard security practices, including the use of only trusted peripherals and preventing unauthorised physical access to computers,” Intel said.

On its own website, the researchers said of Intel’s stance: “Despite our repeated efforts, the rationale to Intel’s decision not to mitigate the Thunderspy vulnerabilities on in-market systems remains unknown.

“Given the nature of Thunderspy, however, we believe it would be reasonable to assume these cannot be fixed and require a silicon redesign.”

The researchers added that Apple MacOS users may be “partially affected” by Thunderspy.

Colm Gorey was a senior journalist with Silicon Republic