CAPEC-665: Exploitation of Thunderbolt Protection Flaws

Overview

CAPEC-665 (Exploitation of Thunderbolt Protection Flaws) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
[Survey physical victim environment and potential Thunderbolt system targets] The adversary monitors the target's physical environment to identify systems with Thunderbolt interfaces, identify potential weaknesses in physical security in addition to periods of nonattendance by the victim over their Thunderbolt interface equipped devices, and when the devices are in locked or sleep state.
Step 2
Explore
[Evaluate the target system and its Thunderbolt interface] The adversary determines the device's operating system, Thunderbolt interface version, and any implemented Thunderbolt protections to plan the attack.
Step 1
Experiment
[Obtain and/or clone firmware image] The adversary physically manipulates Thunderbolt enabled devices to acquire the firmware image from the target and/or adversary Thunderbolt host controller's SPI (Serial Peripheral Interface) flash.
- Disassemble victim and/or adversary device enclosure with basic tools to gain access to Thunderbolt controller SPI flash by connecting adversary SPI programmer.
- Adversary connects SPI programmer to adversary-controlled Thunderbolt enabled device to obtain/clone victim thunderbolt controller firmware image through tools/scripts.
- Clone firmware image with SPI programmer and tools/scripts on adversary-controlled device.
Step 2
Experiment
[Parse and locate relevant firmware data structures and information based upon Thunderbolt controller model, firmware version, and other information] The acquired victim and/or adversary firmware image is parsed for specific data and other relevant identifiers required for exploitation, based upon the victim device information and firmware version.
- Utilize pre-crafted tools/scripts to parse and locate desired firmware data and modify it.
- Locate DROM (Device Read Only Memory) data structure section and calculate/determine appropriate offset to replicate victim device UUID.
- Locate ACL (Access Control List) data structure and calculate/determine appropriate offsets to identify victim device UUID.
- Locate data structure containing challenge-response key information between appropriate offsets.
Step 3
Experiment
[Disable Thunderbolt security and prevent future Thunderbolt security modifications (if necessary)] The adversary overrides the target device's Thunderbolt Security Level to "None" (SL0) and/or enables block protections upon the SPI flash to prevent the ability for the victim to perform and/or recognize future Thunderbolt security modifications as well as update the Thunderbolt firmware.
- The adversary-controlled Thunderbolt device, connected to SPI programmer and victim device via Thunderbolt ports, is utilized to execute commands within tools/scripts to disable SPI flash protections, modify Thunderbolt Security Level, and enable malicious SPI flash protections.
Step 4
Experiment
[Modify/replace victim Thunderbolt firmware image] The modified victim and/or adversary thunderbolt firmware image is written to attacker SPI flash.
Step 1
Exploit
[Connect adversary-controlled thunderbolt enabled device to victim device and verify successful execution of malicious actions] The adversary needs to determine if their exploitation of selected vulnerabilities had the intended effects upon victim device.
- Observe victim device identify adversary device as the victim device and enables PCIe tunneling.
- Resume victim device from sleep, connect adversary-controlled device and observe security is disabled and Thunderbolt connectivity is restored with PCIe tunneling being enabled.
- Observe that in UEFI or Thunderbolt Management Tool/UI that the Security Level does not match adversary modified Security Level of "None" (SL0)
- Observe after installation of Firmware update that within Thunderbolt Management UI the "NVM version" is unchanged/same prior to the prompt of successful Firmware update/installation.
Step 2
Exploit
[Exfiltration of desired data from victim device to adversary device] Utilize PCIe tunneling to transfer desired data and information from victim device across Thunderbolt connection.

What the attacker needs

Prerequisites

The adversary needs at least a few minutes of physical access to a system with an open Thunderbolt port, version 3 or lower, and an external thunderbolt device controlled by the adversary with maliciously crafted software and firmware, via an SPI Programming device, to exploit weaknesses in security protections.

Skills required

High skill: Detailed knowledge on various system motherboards, PCI Express Domain, SPI, and Thunderbolt Protocol in order to interface with internal system components via external devices.
High skill: Detailed knowledge on OS/Kernel memory address space, Direct Memory Access (DMA) mapping, Input-Output Memory Management Units (IOMMUs), and vendor memory protections for data leakage.
High skill: Detailed knowledge on scripting and SPI programming in order to configure and modify Thunderbolt controller firmware and software configurations.

Resources required

SPI Programming device capable of modifying/configuring or replacing the firmware of Thunderbolt device stored on SPI Flash of target Thunderbolt controller, as well as modification/spoofing of adversary-controlled Thunderbolt controller.
Precrafted scripts/tools capable of implementing the modification and replacement of Thunderbolt Firmware.
Thunderbolt-enabled computing device capable of interfacing with target Thunderbolt device and extracting/dumping data and memory contents of target device.

Consequences

What a successful CAPEC-665 attack can achieve.

Bypass Protection Mechanism

Affects: Access Control

Read Data

Affects: Confidentiality

Modify Data

Affects: Integrity

Execute Unauthorized Commands

Affects: Authorization

How to mitigate it

Defenses that reduce the risk of CAPEC-665.

Implementation: Kernel Direct Memory Access Protection
Configuration: Enable UEFI option USB Passthrough mode - Thunderbolt 3 system port operates as USB 3.1 Type C interface
Configuration: Enable UEFI option DisplayPort mode - Thunderbolt 3 system port operates as video-only DP interface
Configuration: Enable UEFI option Mixed USB/DisplayPort mode - Thunderbolt 3 system port operates as USB 3.1 Type C interface with support for DP mode
Configuration: Set Security Level to SL3 for Thunderbolt 2 system port
Configuration: Disable PCIe tunneling to set Security Level to SL3
Configuration: Disable Boot Camp upon MacOS systems

How to detect it

Indicators that this attack may be underway.

Windows Event logs may document the access of Thunderbolt port as a USB 3.0 event as well as any malicious actions taken upon target device as file system and memory events.

Examples

An adversary steals a password protected laptop that contains a Thunderbolt 3 enabled port, from a work environment. The adversary uses a screw driver to remove the back panel of the laptop and connects a SPI Programming device to the Thunderbolt Host Controller SPI Flash of the stolen victim device to interface with it on the adversary's own Thunderbolt enabled device via Thunderbolt cables. The SPI Programming device is utilized to execute scripts/tools from the adversary's own system to copy, parse, and modify the victim's Thunderbolt firmware stored on SPI Flash. The device UUID value is obtained, by computing the appropriate offset based upon Thunderbolt firmware version and the OS of victim device, from the DROM section of victim Thunderbolt host controller firmware image. The firmware image is written to adversary Thunderbolt host controller SPI flash to clone and spoof victim device identity. The adversary reboots the victim device, with the victim device identifying the Thunderbolt connection of the adversary's Thunderbolt device as itself and enables PCIe tunneling. The adversary finally transfers the hard drive and memory contents of victim device across Thunderbolt connection.

The CWE weaknesses that CAPEC-665 exploits.

How this attack relates to others in the CAPEC hierarchy.

Parent

CAPEC-276: Inter-component Protocol Manipulation

Peer

Can follow

CAPEC-390: Bypassing Physical Security

Terminology & mappings

Mapped taxonomies

ATTACK: Exploitation for Defensive Evasion (1211)
ATTACK: Pre-OS Boot: Component Firmware (1542.002)
ATTACK: Modify Authentication Process (1556)

Frequently asked questions

Common questions about CAPEC-665.

What is CAPEC-665?

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.

How does a Exploitation of Thunderbolt Protection Flaws attack work?

It typically unfolds over 8 phases. It begins with: [Survey physical victim environment and potential Thunderbolt system targets] The adversary monitors the target's physical environment to identify systems with Thunderbolt interfaces, identify potential weaknesses in physical security in addition to periods of nonattendance by the victim over their Thunderbolt interface equipped devices, and when the devices are in locked or sleep state.

How do you prevent CAPEC-665?

Implementation: Kernel Direct Memory Access Protection

What weaknesses does CAPEC-665 target?

CAPEC-665 exploits 5 CWE weaknesses, including CWE-288 (Authentication Bypass Using an Alternate Path or Channel), CWE-345 (Insufficient Verification of Data Authenticity), CWE-353 (Missing Support for Integrity Check), CWE-862 (Missing Authorization).

How severe is CAPEC-665?

MITRE rates CAPEC-665 as Very High severity with low likelihood of attack.

References

Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.