A vulnerability dubbed “Thunderspy” has been discovered affecting all Thunderbolt versions and all devices manufactured prior to 2019. The attack requires physical access to the device, but once performed it can give an attacker access to the device's contents within minutes, regardless of whether the device is locked or encrypted. The attack is also stealthy, leaving no trace that it was performed.
On the website of the research report, Windows and Linux users can download “Spycheck” to confirm whether their device is vulnerable: https://thunderspy.io/#intro
If you intend to use Thunderbolt connectivity, it is strongly recommended to:
* Connect only your own Thunderbolt peripherals. Never lend them to anybody.
* Avoid leaving your system unattended while powered on, even when screenlocked.
* Avoid leaving your Thunderbolt peripherals unattended.
* Ensure appropriate physical security when storing your system and any Thunderbolt devices, including Thunderbolt-powered displays.
* Consider using hibernation (Suspend-to-Disk) or powering off the system completely. Specifically, avoid using sleep mode (Suspend-to-RAM).
If you do not intend to use Thunderbolt, it is strongly recommended to:
* Disable the Thunderbolt controller entirely in UEFI (BIOS). Please note that this renders all Thunderbolt ports inoperable, including USB and DisplayPort connectivity. However, USB-C charging will most likely remain functional.
Some systems exclusively provide Thunderbolt 3 ports for external connectivity, in which case the latter mitigation may not be practically feasible. For these systems, we recommend following the former recommendations on using Thunderbolt connectivity instead.
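The mitigations above can be checked on a Linux host without any extra tooling, because the Linux thunderbolt driver exposes the relevant state through sysfs. The script below is an added example, not code from the Thunderspy researchers or from Spycheck. It assumes the standard sysfs layout (`/sys/bus/thunderbolt/devices/domainN/security`, per-device `authorized`, `vendor_name` and `device_name` attributes, and `/sys/power/state` / `/sys/power/mem_sleep` for the suspend options) and reports what each recommendation cares about: whether a controller is present at all (a controller disabled in UEFI simply does not appear), its security level, which peripherals are attached, and whether hibernation is available as the advisory's preferred alternative to suspend-to-RAM. The sample sysfs tree, including the vendor and device names, is constructed so the audit runs offline; `sysfs_root` is a parameter of this example, not a driver setting.

```python
"""Linux Thunderbolt exposure audit against the Thunderspy advisory (added example)."""
import re
import tempfile
from pathlib import Path

# Security levels the thunderbolt driver reports in domainN/security.
SECURITY_LEVELS = {
    "none": "every device is connected and given PCIe access automatically",
    "user": "user space must authorize each device before PCIe is tunnelled",
    "secure": "user authorization plus a per-device key challenge",
    "dponly": "only DisplayPort is tunnelled, PCIe is never offered",
    "usbonly": "only USB is tunnelled, PCIe is never offered",
    "nopcie": "PCIe tunnelling disabled in firmware",
}
PCIE_FREE = {"dponly", "usbonly", "nopcie"}
DEVICE_RE = re.compile(r"^(\d+)-(\d+)$")  # e.g. 0-1; N-0 is the host router itself


def _read(path):
    """Read one sysfs attribute, or None if it is missing."""
    try:
        return Path(path).read_text().strip()
    except OSError:
        return None


def thunderbolt_domains(sysfs_root="/sys"):
    """One domainN entry per Thunderbolt controller; none means absent or disabled in UEFI."""
    base = Path(sysfs_root) / "bus/thunderbolt/devices"
    if not base.is_dir():
        return []
    return sorted(p for p in base.iterdir() if p.name.startswith("domain"))


def connected_devices(sysfs_root="/sys"):
    """Attached peripherals (entries named N-M with M != 0) and their authorization state."""
    base = Path(sysfs_root) / "bus/thunderbolt/devices"
    devices = []
    if not base.is_dir():
        return devices
    for p in sorted(base.iterdir()):
        m = DEVICE_RE.match(p.name)
        if not m or m.group(2) == "0":  # skip domains and the host router
            continue
        devices.append({
            "id": p.name,
            "vendor": _read(p / "vendor_name") or "?",
            "device": _read(p / "device_name") or "?",
            "authorized": _read(p / "authorized") == "1",
        })
    return devices


def sleep_posture(sysfs_root="/sys"):
    """Which suspend states the kernel offers; mem_sleep marks the active S3 variant in [brackets]."""
    states = (_read(Path(sysfs_root) / "power/state") or "").split()
    mem_sleep = _read(Path(sysfs_root) / "power/mem_sleep") or ""
    active = next((t.strip("[]") for t in mem_sleep.split() if t.startswith("[")), None)
    return {
        "hibernate_available": "disk" in states,
        "suspend_to_ram_available": "mem" in states,
        "active_mem_sleep": active,
    }


def audit(sysfs_root="/sys"):
    """Collect findings mapped to the advisory's recommendations."""
    findings = []
    domains = thunderbolt_domains(sysfs_root)
    if not domains:
        findings.append("no Thunderbolt controller exposed (absent or disabled in UEFI)")
    for d in domains:
        level = _read(d / "security") or "unknown"
        findings.append(f"{d.name}: security level '{level}' ({SECURITY_LEVELS.get(level, 'unrecognised')})")
        if level not in PCIE_FREE:
            findings.append(f"{d.name}: PCIe tunnelling enabled; a pre-2019 controller is exposed regardless of lock state")
    for dev in connected_devices(sysfs_root):
        state = "authorized" if dev["authorized"] else "not authorized"
        findings.append(f"device {dev['id']}: {dev['vendor']} {dev['device']} ({state})")
    sleep = sleep_posture(sysfs_root)
    if not sleep["hibernate_available"]:
        findings.append("hibernation (suspend-to-disk) unavailable; advisory prefers it over suspend-to-RAM")
    return {"domains": [d.name for d in domains], "sleep": sleep, "findings": findings}


def make_sample_sysfs(root):
    """Constructed sysfs tree: one 'user'-level domain, one authorized dock, mem but no disk."""
    root = Path(root)
    tb = root / "bus/thunderbolt/devices"
    (tb / "domain0").mkdir(parents=True)
    (tb / "domain0/security").write_text("user\n")
    (tb / "0-0").mkdir()  # host router, skipped by the audit
    (tb / "0-1").mkdir()
    (tb / "0-1/vendor_name").write_text("ExampleCorp\n")   # constructed sample value
    (tb / "0-1/device_name").write_text("Sample Dock\n")   # constructed sample value
    (tb / "0-1/authorized").write_text("1\n")
    (root / "power").mkdir()
    (root / "power/state").write_text("freeze mem\n")
    (root / "power/mem_sleep").write_text("s2idle [deep]\n")
    return root


def demo():
    """Audit the constructed tree so the example runs on any machine."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(make_sample_sysfs(tmp))


if __name__ == "__main__":
    report = audit() if Path("/sys/power").is_dir() else demo()
    for line in report["findings"]:
        print(line)
```

Run on a real Linux host it audits `/sys` directly; elsewhere it falls back to the constructed tree. An empty `domains` list is the expected result after disabling the controller in UEFI, and a `security` value outside the PCIe-free set means a pre-2019 controller still offers the PCIe path the advisory is concerned with, whatever the authorization level.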
Additionally, organizations should enroll devices in remote device management so that a lost or stolen device can be wiped remotely, keeping its data out of attackers' hands.