Microsoft: Worried about Thunderbolt attacks? Get a Windows 10 Secured-Core PC
Microsoft has outlined how its new breed of Windows 10 Secured-Core PCs can help companies mitigate the threat of the recently disclosed Thunderspy attacks on devices with a Thunderbolt interface.
Microsoft has worked with OEMs to create a hardened line of Windows 10 laptops under the Secured-Core brand, such as its own Surface Pro X, the HP Elite Dragonfly, the Dell Latitude 7400 convertible and Lenovo ThinkPad X1 Yoga 4th generation.
Most Secured-Core PCs ship with Thunderbolt, but no Surface device does because Microsoft had concerns over Thunderbolt’s direct access to memory.
Nonetheless, Windows 10 Secured-Core PCs do have security features that protect it from hard-to-block kernel malware, such as the RobbinHood ransomware, which used a properly signed but malicious motherboard driver to disable security products from the kernel.
All Secured-Core PCs, which Microsoft announced in October, ship with the security feature kernel Direct Memory Access (DMA) protection for Thunderbolt 3 to protect against attacks requiring physical access, such as Thunderspy, the attack detailed this week by Dutch researcher Björn Ruytenberg. The attack is serious because an attacker can steal data even the device is password protected and data is encrypted.
Kernel DMA protection is the key mitigation Intel outlined in its response to the Thunderspy attacks, but at present not many PCs have the feature enabled. Besides that, Intel advised users not leave their machine unattended.
Ruytenberg said Thunderspy completely broke Intel’s Thunderbolt peripheral whitelisting security feature, and allowed an attacker to create malicious Thunderbolt device identities to read and copy secrets from memory and encrypted drives.
Microsoft has outlined how multiple security features of Secured-Core PCs can thwart each of the four steps required by the Thunderspy attack.
Attackers first plug a serial peripheral interface (SPI) flash programmer called Bus Pirate into the SPI flash of the target device, which gives access to the Thunderbolt controller firmware and allows them to copy it to another device.
In steps two and three, Thunderspy’s Thunderbolt Controller Firmware Patcher (tcfp) disables Thunderbolt’s firmware security mode and then writes back a modified and insecure copy of Thunderbolt firmware to the SPI flash of the target device.
The fourth step involves connecting a Thunderbolt-based attack device to the target and using a tool called PCILeech to load a kernel module that bypasses the Windows sign-in screen.
“The result is that an attacker can access a device without knowing the sign-in password for the device,” explains Nazmus Sakib, a senior program lead on Microsoft’s hardware security in Azure’s Core Operating Systems and Intelligent Edge team.
“This means that even if a device was powered off or locked by the user, someone that could get physical access to the device in the time it takes to run the Thunderspy process could sign in and exfiltrate data from the system or install malicious software.”
Sakib says kernel DMA protection is enabled by default on Secured-Core PCs, and this feature prevents an attacker accessing the Thunderbolt port unless the attack has gained the victim’s password. This doesn’t mean Secured-Core PCs are immune to Thunderspy, but Sakib argues they make it significantly more difficult for the attacker.
The other main mitigation against Thunderspy is hypervisor-protected code integrity (HVCI), which again is on by default.
“HVCI utilizes the hypervisor to enable VBS and isolate the code integrity subsystem that verifies that all kernel code in Windows is signed from the normal kernel. In addition to isolating the checks, HVCI also ensures that kernel code cannot be both writable and executable, ensuring that unverified code does not execute,” said Sakib.
“HVCI helps to ensure that malicious kernel modules like the one used in Step 4 of the Thunderspy attack cannot execute easily as the kernel module would need to be validly signed, not revoked, and not rely on overwriting executable kernel code.”