What you need to know
- Microsoft explains how Secured-core PCs mitigate attacks like Thunderspy in a new post.
- Thunderspy utilizes the Thunderbolt port to affect direct access memory.
- Secure-cored PCs have Kernel direct access memory protection to protect from Thunderspy and similar attacks.
Microsoft explains how Secured-core PCs help prevent attacks like Thunderspy from being able to access PCs in a new post. Thunderspy was recently revealed by a team of researchers at Eindhoven University of Technology. The attack method utilizes the Thunderbolt port to gain access to a device's memory. It requires physical access to a device, but it can work even if a device is locked and has hard disk encryption.
Microsoft provides a breakdown of how Thunderspy works to give context to the attack and how Secured-core PCs combat it. In short, an attacker uses a serial peripheral interface flash programmer through a devices Thunderbolt connection. This step gives an attacker access to the PC's Thunderbolt controller firmware. The attacker can then copy and patch the Thunderbolt controller firmware and put the patched version back onto the device. The end result is that an attacker gains access to a device and its data without needing a password.
Secured-core PCs support Kernel direct access memory protection. This type of protection relies on the Input/output Memory Management Unit, allowing it to block external peripherals from gaining altering direct access memory unless a device is signed in and the screen is unlocked. A video from Microsoft Ignite 2019 explains this in more detail.
While these protections don't make a device impenetrable, they do greatly reduce the ease of attacks, according to Microsoft. Microsoft explains in the post:
This means that even if an attacker was able to copy a malicious Thunderbolt firmware to a device, the Kernel DMA protection on a Secured-core PC would prevent any accesses over the Thunderbolt port unless the attacker gains the user's password in addition to being in physical possession of the device, significantly raising the degree of difficulty for the attacker.
Secured-core PCs also have hypervisor protected code integrity, which ensures that kernel code cannot be writable and executable.
While these protections make it more difficult for an attacker to gain access to a device, nothing makes a device completely impervious to attacks. Microsoft wisely uses words like "mitigate" rather than "eliminate" when referring to lowering risk factors. On a related note leaked video recently showed that Microsoft's Surface devices don't have Thunderbolt ports due to security concerns.
