Thunderspy: What it is, why it’s not scary, and what to do about it


Ortega said Thunderspy does identify several weaknesses that represent real flaws in the Thunderbolt system, but he doesn’t consider the weaknesses significant. He noted that under the Common Vulnerability Scoring System, the weaknesses are rated a relatively low 7, an indication, he said, that others don’t believe the flaws are severe, either.

Critics also note that over the past decade there have been multiple attacks that target weaknesses in Thunderbolt to achieve largely the same result. Examples include this one and this one. One of the more recent ones is known as Thunderclap.

The reception to Thunderspy on social media has been even more scathing. A small sampling includes pretty much every tweet made over the past 48 hours from Pedro Vilaça, among the best-known macOS reverse engineers and hackers.

While the chorus of criticism has been nothing short of extreme, plenty of security professionals say Thunderspy is an important attack that should be taken seriously.

Intel assurances torn asunder

“People arguing that physical access to a computer means you’ve lost: why do you think laptops should not be at least as resistant to physical attack as an iPhone?” Matthew Garrett wrote on Twitter. In the same thread, fellow security researcher Saleem Rashid added on May 11, 2020: “ignoring the ‘physical access = game over’ crowd, a practical concern is that you can open a laptop and make drastic hardware changes in a way you can’t with a smartphone.”


Another researcher who has given Thunderspy his qualified approval is Kenn White. He was clear that the attack represents only an “incremental advance” over previous Thunderbolt evil maid attacks, but he said it’s nonetheless important. He summarized his assessment of the findings this way:

It’s interesting to many in the community because it bypasses Intel’s most recent mitigations and is clear proof that the physical security model for Thunderbolt, for millions of devices, is broken.

People who say “there are much easier ways to compromise a device” are correct, but that’s not the point. Ignoring for the moment any undue exaggeration of impact, this is an incremental improvement in our understanding of complex interdependencies. Maybe not unexpected in principle by practitioners in this specialized space, but an incremental research advance nonetheless.

If a sufficiently resourced attacker can tamper with physical hardware of the victim, particularly for commodity x86 Windows systems, in general, yes, that system can be compromised. Specifically though with Thunderbolt, Intel makes specific anti-tampering security guarantees in their most recent firmware/software which have been bypassed here.

Meanwhile, White said, both Apple and Google have shipped settings that block many Thunderspy-type physical DMA attacks, including those arriving over USB-C ports, from working against Macs and Pixelbooks, respectively. “Apple and Google device engineers seem to have anticipated this issue and have stronger IOMMU defaults and therefore expose their users to less risk.”
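The practical question left open by White’s remark about IOMMU defaults is how to tell whether one’s own machine is in the protected or the exposed group. The following POSIX shell check is an added example for Linux hosts; it is not code from the article or from the Thunderspy researchers. It reads the kernel’s Thunderbolt sysfs attributes (`domainN/security`, which reports the BIOS security level, and `domainN/iommu_dma_protection`, which newer kernels set to 1 when the IOMMU isolates tunneled PCIe devices) plus the presence of `/sys/kernel/iommu_groups`. The verdict names and the decision that only IOMMU isolation or a no-PCIe policy counts as protection are this example’s own assumptions, reflecting the article’s point that the security-level mitigation alone is what Thunderspy bypasses; the `SYSFS_ROOT` override is also an assumption so the check can run against a copied tree.

```shell
#!/bin/sh
# Added example (not part of the article): report whether a Linux host's Thunderbolt
# ports are protected against Thunderspy-class DMA attacks. It reads the kernel's
# thunderbolt sysfs attributes (Documentation/ABI/testing/sysfs-bus-thunderbolt):
#   domainN/security              BIOS security level: none|user|secure|dponly|usbonly|nopcie
#   domainN/iommu_dma_protection  1 when the IOMMU isolates tunneled PCIe devices
# SYSFS_ROOT defaults to /sys; point it at a copied tree to run the check offline.

SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Read a sysfs attribute, printing a fallback value when it is absent or unreadable.
read_attr() {
    if [ -r "$1" ]; then tr -d '\n' < "$1"; else printf '%s' "$2"; fi
}

# Classify one thunderbolt domain directory. Prints exactly one of:
#   protected-iommu   IOMMU DMA protection is on; a tunneled PCIe device cannot read
#                     host memory freely even if the security level is downgraded
#   protected-nopcie  PCIe tunneling is disabled by policy, so there is no DMA path
#   exposed           only the security level (none/user/secure) stands in the way;
#                     Thunderspy showed that check can be defeated with physical access
# The mapping of levels to verdicts is this example's own assumption.
tb_dma_status() {
    dom="$1"
    sec=$(read_attr "$dom/security" unknown)
    iommu=$(read_attr "$dom/iommu_dma_protection" 0)
    if [ "$iommu" = 1 ]; then
        printf 'protected-iommu\n'
    else
        case "$sec" in
            nopcie|dponly|usbonly) printf 'protected-nopcie\n' ;;
            *)                     printf 'exposed\n' ;;
        esac
    fi
}

# Return 0 if the platform IOMMU is active, i.e. at least one group directory exists
# under <root>/kernel/iommu_groups. Without an active IOMMU no DMA protection is possible.
iommu_active() {
    root="${1:-$SYSFS_ROOT}"
    for g in "$root"/kernel/iommu_groups/*; do
        [ -d "$g" ] && return 0
    done
    return 1
}

# Walk every thunderbolt domain under <root>, print one line per domain, and return 1
# if any domain is exposed (so the function can gate a hardening script).
tb_report() {
    root="${1:-$SYSFS_ROOT}"
    rc=0
    if iommu_active "$root"; then
        echo "IOMMU: active"
    else
        echo "IOMMU: off (no iommu_groups); kernel DMA protection is not possible"
    fi
    for dom in "$root"/bus/thunderbolt/devices/domain*; do
        [ -d "$dom" ] || continue
        status=$(tb_dma_status "$dom")
        printf '%s: security=%s -> %s\n' \
            "$(basename "$dom")" "$(read_attr "$dom/security" unknown)" "$status"
        [ "$status" = exposed ] && rc=1
    done
    return $rc
}

# Stand-alone use: sh thunderspy-check.sh   (or SYSFS_ROOT=/path/to/copy sh thunderspy-check.sh)
tb_report "$SYSFS_ROOT"
```

A host that reports `exposed` for a domain still has the BIOS security level in place, which is exactly the mitigation the article says Thunderspy bypasses; the remedy on such hardware is to enable Kernel DMA Protection in firmware where the platform offers it, or to disable PCIe tunneling (`nopcie`/`usbonly`) and accept the loss of Thunderbolt docks and eGPUs.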