Cybersecurity company ESET has published guidance on how to protect against cyberattacks targeting Apple’s Thunderbolt hardware.

Thunderbolt is a hardware interface developed by Intel and Apple that allows external secondary devices to be connected to a computer. Researchers have discovered an attack method that targets this interface.

Named Thunderspy, the attack vector was discovered by computer security researcher Björn Ruytenberg in May 2020. Using Thunderspy, attackers can change Thunderbolt’s security measures, allowing them to steal data from the computer even if disk encryption is used or the computer is locked.

“While Ruytenberg’s research has received publicity because of its novel attack vector, not much has been said about how to protect against Thunderspy, or even determine whether you have been a victim,” points out Aryeh Goretsky, ESET Distinguished Researcher.

Although Thunderbolt-based attacks are rare, ESET has set out practical tips to defend against Thunderspy in an article called “Thunderspy attacks: What they are, who’s at greatest risk and how to stay safe”.

Goretsky explains that there are two types of attack targeting Thunderbolt, the first being cloning device identities that are trusted by the target computer, and the second being permanently disabling the security.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

“The cloning attack is like thieves who steal a key and copy it. Afterwards, they can use the copied key repeatedly to open that lock. The second attack is a form of bricking a chip. In this case, permanently disabling Thunderbolt’s security levels and write-protecting the changes so they cannot be undone.”

These types of attack are sometimes called “evil maid attacks” as they require the attacker to interact with the device in person. Because of this, Thunderspy attacks usually only affect high-value targets, and may be carried out by nation-state intelligence or law enforcement agencies.

In order to protect against this type of physical attack, Goretsky said:

“First, prevent any unauthorised access to your computer. Second, secure all your computer’s relevant interfaces and ports, such as USB-C. Besides that, look beyond physical measures and also take steps to make your computer’s firmware and software more secure.

“Disable hibernation, sleep or other hybrid shutdown modes. Make the computer turn completely off when not in use – doing this can prevent attacks on the computer’s memory via Thunderspy.”

Goretsky also recommends users install security software that can scan the computer’s UEFI firmware, where Thunderbolt security information is stored.


Read more: Nordpass: Ten billion user credentials left exposed in unsecured databases.