An adversary leverages a firmware weakness within the Thunderbolt protocol on a computing device to manipulate Thunderbolt controller firmware, exploiting vulnerabilities in how authorization and verification schemes are implemented within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary performs high-level firmware manipulation of the victim Thunderbolt controller's SPI (Serial Peripheral Interface) flash, using an SPI programming device and an external Thunderbolt device, typically while the target device is booting. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within the Thunderbolt protocol, with 9 attack vectors as noted in the Execution Flow.
1. [Survey physical victim environment and potential Thunderbolt system targets] The adversary monitors the target's physical environment to identify systems with Thunderbolt interfaces, to identify weaknesses in physical security, and to identify periods when the victim leaves Thunderbolt-equipped devices unattended, including while the devices are in a locked or sleep state.
2. [Evaluate the target system and its Thunderbolt interface] The adversary determines the device's operating system, Thunderbolt interface version, and any implemented Thunderbolt protections in order to plan the attack.
3. [Obtain and/or clone firmware image] The adversary physically manipulates Thunderbolt-enabled devices to acquire the firmware image from the target and/or adversary Thunderbolt host controller's SPI (Serial Peripheral Interface) flash.
4. [Parse and locate relevant firmware data structures and information based upon Thunderbolt controller model, firmware version, and other information] The acquired victim and/or adversary firmware image is parsed for the specific data and other identifiers required for exploitation, based upon the victim device information and firmware version.
5. [Disable Thunderbolt security and prevent future Thunderbolt security modifications (if necessary)] The adversary overrides the target device's Thunderbolt Security Level to "None" (SL0) and/or enables block protections on the SPI flash so that the victim can neither perform nor recognize future Thunderbolt security modifications, nor update the Thunderbolt firmware.
6. [Modify/replace victim Thunderbolt firmware image] The modified victim and/or adversary Thunderbolt firmware image is written to attacker SPI flash.
7. [Connect adversary-controlled Thunderbolt-enabled device to victim device and verify successful execution of malicious actions] The adversary needs to determine whether their exploitation of the selected vulnerabilities had the intended effects upon the victim device.
8. [Exfiltration of desired data from victim device to adversary device] Utilize PCIe tunneling to transfer the desired data and information from the victim device across the Thunderbolt connection.
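The execution flow hinges on driving the controller's Security Level to "None" (SL0) so that any connected Thunderbolt peripheral receives a PCIe tunnel without authorization. A defender's first check is therefore whether the host still reports the security level it was configured with. The script below is an added example written for this page, not part of the CAPEC entry; it assumes the Linux kernel's Thunderbolt sysfs interface, where each domain directory `/sys/bus/thunderbolt/devices/domainN/` exposes a `security` attribute (`none`, `user`, `secure`, `dponly`, `usbonly` or `nopcie`) and, on kernels that support it, an `iommu_dma_protection` attribute (`1` when firmware-enabled IOMMU DMA protection is active). The sample sysfs tree it builds for the demonstration is constructed here and does not come from any real host.

```python
"""Assess the Thunderbolt security posture a Linux host reports through sysfs.

Added example (not CAPEC content). Assumed sysfs layout, as documented by the
Linux kernel: /sys/bus/thunderbolt/devices/domainN/security and, on newer
kernels, domainN/iommu_dma_protection.
"""
from __future__ import annotations

import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

SYSFS_THUNDERBOLT = Path("/sys/bus/thunderbolt/devices")

# Levels that tunnel PCIe to any peripheral with no authorization at all (SL0).
_PCIE_WITHOUT_AUTHZ = {"none"}
# Levels that never create a PCIe tunnel, so PCIe-based memory access is not reachable.
_NO_PCIE = {"dponly", "usbonly", "nopcie"}


@dataclass(frozen=True)
class DomainAssessment:
    domain: str
    security: str
    iommu_dma_protection: Optional[bool]   # None when the kernel does not expose it
    risk: str                               # "high", "medium" or "low"
    finding: str


def assess_domain(domain: str, security: str,
                  iommu_dma_protection: Optional[bool]) -> DomainAssessment:
    """Pure decision logic, so it can be exercised without a real sysfs."""
    level = security.strip().lower()
    if level in _PCIE_WITHOUT_AUTHZ:
        # This is exactly the state step 5 of the execution flow tries to reach.
        return DomainAssessment(domain, level, iommu_dma_protection, "high",
                                "Security Level 'none' (SL0): PCIe tunnel granted without authorization")
    if level in _NO_PCIE:
        return DomainAssessment(domain, level, iommu_dma_protection, "low",
                                f"PCIe tunneling disabled by level '{level}'")
    if iommu_dma_protection is True:
        return DomainAssessment(domain, level, iommu_dma_protection, "low",
                                f"Level '{level}' with kernel IOMMU DMA protection active")
    if level in {"user", "secure"}:
        # Authorization exists, but it is enforced by controller firmware, which is
        # precisely what this attack pattern manipulates; IOMMU protection is the backstop.
        return DomainAssessment(domain, level, iommu_dma_protection, "medium",
                                f"Level '{level}' without IOMMU DMA protection; authorization relies on controller firmware")
    return DomainAssessment(domain, level, iommu_dma_protection, "medium",
                            f"Unrecognized security level '{level}'")


def _read_attr(path: Path) -> Optional[str]:
    try:
        return path.read_text().strip()
    except OSError:
        return None


def scan_sysfs(root: Path = SYSFS_THUNDERBOLT) -> List[DomainAssessment]:
    """Walk every domainN directory under root and assess it."""
    results: List[DomainAssessment] = []
    if not root.is_dir():
        return results
    for entry in sorted(root.iterdir()):
        if not entry.name.startswith("domain"):
            continue
        security = _read_attr(entry / "security")
        if security is None:
            continue
        raw = _read_attr(entry / "iommu_dma_protection")
        prot = None if raw is None else raw == "1"
        results.append(assess_domain(entry.name, security, prot))
    return results


def build_sample_tree(base: Path) -> Path:
    """Constructed sysfs look-alike: one healthy domain, one forced to SL0 with no DMA protection."""
    for name, security, prot in (("domain0", "user", "1"), ("domain1", "none", "0")):
        d = base / name
        d.mkdir(parents=True, exist_ok=True)
        (d / "security").write_text(security + "\n")
        (d / "iommu_dma_protection").write_text(prot + "\n")
    (base / "0-1").mkdir(exist_ok=True)   # a device directory, which scan_sysfs must skip
    return base


def demo() -> List[DomainAssessment]:
    with tempfile.TemporaryDirectory() as tmp:
        return scan_sysfs(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for a in scan_sysfs() or demo():
        print(f"{a.domain}: security={a.security} risk={a.risk}  {a.finding}")
```

Run as root on a real host it reads the live sysfs tree; with no Thunderbolt domains present it falls back to the constructed sample. A finding of `none` on a host that was configured for `user` or `secure` is the signal worth alerting on, since the expected outcome of this attack pattern is a silently downgraded level that the user interface may no longer be able to change back.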
Weakness Name | Description
---|---
Insufficient Verification of Data Authenticity | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Missing Support for Integrity Check | The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.
Authentication Bypass Using an Alternate Path or Channel | A product requires authentication, but the product has an alternate path or channel that does not require authentication.
Initialization of a Resource with an Insecure Default | The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.
Missing Authorization | The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Name | Organization | Date | Date Release
---|---|---|---
CAPEC Content Team | The MITRE Corporation | |

Name | Organization | Date | Comment
---|---|---|---
CAPEC Content Team | The MITRE Corporation | | Updated Taxonomy_Mappings
CAPEC Content Team | The MITRE Corporation | | Updated Taxonomy_Mappings