
Thunderspy: More Thunderbolt Flaws Expose Millions of Computers to Attacks

A researcher has disclosed the details of a new attack method that targets devices with a Thunderbolt port, allowing malicious actors to access a protected computer through an evil maid attack in under 5 minutes.

The new attack method, dubbed Thunderspy, was discovered by Björn Ruytenberg of the Eindhoven University of Technology in the Netherlands. The researcher has discovered a total of 7 vulnerabilities related to improper firmware verification, weak device authentication, the use of unauthenticated device metadata, downgrade attacks, unauthenticated controller configurations, SPI flash interface issues, and the lack of Thunderbolt security when using Boot Camp, the tool that allows users to install Windows on Apple computers.

Thunderbolt is the hardware interface created by Intel and Apple for connecting peripheral devices to a computer. Millions of laptops and desktop computers with a Thunderbolt port could be vulnerable to Thunderspy attacks.

In one attack demo, Ruytenberg showed how an attacker with physical access to a locked laptop — the device requires the user to enter the Windows password in order to access it — could bypass authentication and gain access to everything stored on the device in less than 5 minutes.

The attack involved opening the device’s back cover, connecting a hacking device called a Bus Pirate to the SPI flash interface associated with the Thunderbolt controller firmware, connecting the Bus Pirate to the attacker’s laptop, copying the Thunderbolt firmware using a tool called Flashrom, modifying the Thunderbolt firmware to disable all Thunderbolt security, and writing it back to the targeted device. The attacker then connects a Thunderbolt-based direct memory access (DMA) attack device running PCILeech to the targeted PC, and uses it to load a kernel module that allows them to bypass the Windows login screen.

In a second demo, the researcher showed how an attacker could exploit some of the Thunderspy vulnerabilities to permanently disable all Thunderbolt security and block users from conducting firmware updates.

“Thunderspy is stealth, meaning that you cannot find any traces of the attack,” Ruytenberg explained on a dedicated Thunderspy website. “It does not require your involvement, i.e., there is no phishing link or malicious piece of hardware that the attacker tricks you into using. Thunderspy works even if you follow best security practices by locking or suspending your computer when leaving briefly, and if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption.”

According to Ruytenberg, all devices made since 2011 are vulnerable to attacks if they have a Thunderbolt port — this includes USB-C and Mini DisplayPort ports with a lightning symbol next to them. Some newer devices, shipped since 2019, may include Kernel DMA Protection, which mitigates some of the Thunderspy vulnerabilities. The researcher has identified support for this protection on some newer HP EliteBook and ZBook, and Lenovo ThinkPad and Yoga devices.

Apple devices are only partially affected by the vulnerabilities, mainly if they run Linux or Windows installed through the Boot Camp utility.

Ruytenberg warned that the Thunderspy vulnerabilities not mitigated by Kernel DMA Protection can expose devices to attacks similar to the one known as BadUSB.

Six of the Thunderspy vulnerabilities were reported to Intel and the one affecting Boot Camp was reported to Apple. Intel told the researcher that it had been aware of three of the issues and that it would not be providing any mitigations beyond Kernel DMA Protection. The chipmaker also said it would not be releasing public security advisories or assigning CVE identifiers to the flaws. SecurityWeek has reached out to Intel and will update this article if the company provides comments or clarifications.

In addition to a research paper containing technical details, Ruytenberg has made available a free and open source tool named Spycheck that tells users whether their systems are vulnerable to Thunderspy, and provides recommendations on how to protect their systems against attacks.
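Spycheck is the researcher's own tool; what follows is an added example, not code from the article or from the Spycheck project, showing the kind of check a Linux administrator could script for the two settings the article ties to Thunderspy exposure: the Thunderbolt security level and whether IOMMU-based DMA protection (the Linux counterpart of Kernel DMA Protection) is enforced. It assumes the sysfs attributes `/sys/bus/thunderbolt/devices/domain0/security` and `.../iommu_dma_protection` exposed by the Linux Thunderbolt driver; the fixture directories are constructed for offline demonstration.

```shell
#!/bin/sh
# Added example (not Spycheck): classify a Thunderbolt domain's exposure to
# Thunderspy from Linux sysfs attributes.
#   security             -> none | user | secure | dponly | usbonly
#   iommu_dma_protection -> 1 when the IOMMU confines DMA from Thunderbolt
#                           devices (Linux counterpart of Kernel DMA
#                           Protection), 0 otherwise
# Pass a directory to test against a fixture instead of the live /sys tree.

tb_verdict() {
    dom="${1:-/sys/bus/thunderbolt/devices/domain0}"
    if [ ! -r "$dom/security" ]; then
        echo "no-thunderbolt-domain"
        return 0
    fi
    sec=$(cat "$dom/security")
    dma=0
    [ -r "$dom/iommu_dma_protection" ] && dma=$(cat "$dom/iommu_dma_protection")

    if [ "$dma" = "1" ]; then
        # DMA is confined by the IOMMU, the only mitigation Intel pointed to.
        echo "protected:iommu-dma-protection"
    elif [ "$sec" = "dponly" ] || [ "$sec" = "usbonly" ]; then
        # PCIe tunnelling is off, so no DMA-capable device can be attached.
        echo "protected:no-pcie-tunneling"
    else
        # none/user/secure are enforced by the controller firmware, which the
        # article describes being rewritten via the SPI flash; treat as exposed.
        echo "exposed:security=$sec"
    fi
}

# Constructed fixture: make_fixture <security-level> <iommu_dma_protection>
make_fixture() {
    d=$(mktemp -d)
    printf '%s\n' "$1" > "$d/security"
    printf '%s\n' "$2" > "$d/iommu_dma_protection"
    echo "$d"
}

# With no argument, inspect domain0 of the running system.
tb_verdict "$@"
```

A "protected" verdict here only covers the DMA path; the firmware-downgrade and update-blocking issues the article describes are outside what this check can observe.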

Last year, researchers demonstrated Thunderclap, an attack method that can allow hackers to take control of a computer and access sensitive data by connecting a specially crafted device to the target’s Thunderbolt port.

UPDATE: Intel has published a blog post on Thunderspy and provided SecurityWeek the following statement:

“This attack could not be successfully demonstrated on Kernel DMA protection enabled systems. As always, we encourage everyone to follow good security practices, including preventing unauthorized physical access to computers.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
