Understanding the Thunderspy Exploit: How to Protect Your Thunderbolt™ Port


On 10 May 2020, Björn Ruytenberg from the Eindhoven University of Technology reported discovering a new vulnerability in PCs and devices that use a Thunderbolt™ port. The vulnerability affects millions of computers, including Windows, Apple, and Linux systems, and the attack makes use of the port's fast data transfer capabilities.

Hackers can gain access to your information using a security flaw in your Thunderbolt port even when the computer remains locked or you’ve encrypted your data. Due to the risks involved, we want to clarify the newly discovered vulnerability, explain how you can protect yourself, and show why you should take care of any device that uses a Thunderbolt port to connect to peripherals.

What is the Thunderspy Vulnerability

Thunderbolt ports provide extremely fast transfer speeds by using direct connections to your PC’s memory. Developed by Intel and Apple, the Thunderbolt controllers use PCI Express, USB-C, and DisplayPort communication lanes for lightning-fast transfer rates from your PC to your peripherals. This architecture model is what makes devices vulnerable to the Thunderspy exploit.

The new exploit is a variation of a Direct Memory Access (DMA) attack, where any expansion port with permission to access the system’s memory becomes vulnerable. Using these access permissions, hackers can steal data, track files, or run additional malicious code on your system. To be pulled off successfully, the Thunderbolt attack requires more sophistication than the Thunderclap exploit, for which most devices have already received a security patch.

The Thunderclap Exploit

Discovered in 2016, the Thunderclap exploit allowed hackers to take control of PCs by physically accessing an unattended device. By plugging in a USB-C device that had malicious code preloaded, hackers could gain access to Thunderbolt-enabled PCs by exploiting the Operating System (OS) and hardware design.

What scared most researchers was the fact that the malicious code could hide in real peripherals. If you bought an infected device, you would never know you compromised your system. Connected devices would operate normally while also capturing and transmitting information to bad actors. To address these issues, users received warnings from device manufacturers and new patches improved security protocols whenever a Thunderbolt port communicated with the PC’s memory.

Moving Beyond Thunderclap to Thunderspy

Because Thunderclap took only a few minutes to deploy, could bypass locked screens, and worked even against PCs in sleep mode, Microsoft, Apple, and Linux rolled out software patches that improved the security of older-generation Thunderbolt ports.

Since the discovery and subsequent fix of Thunderbolt’s cybersecurity vulnerabilities, researchers have continued penetration testing devices that use this technology. The Thunderspy exploit created by Ruytenberg is one of the first to succeed.

How Thunderspy Works

As the Thunderclap exploit received a patch, Thunderspy goes one step further and requires a bad actor to unscrew the backplate of the computer. What Ruytenberg showed was that a few minutes of unattended access to the PC could allow a hacker to reprogram the Thunderbolt firmware, leaving no trace that the device had been compromised.

Analysts call this the “evil maid attack” because it could put specific systems at risk and pose a significant threat to individual targets. According to Ruytenberg’s video of the Thunderspy attack, it took just over two minutes to deploy the exploit, meaning that leaving a device with another person for more than a few minutes could lead to a compromised system.

In the video, you can see Ruytenberg:

  • Put a password-locked laptop to sleep.
  • Unscrew the backplate of the computer.
  • Attach a spy-programmer from another laptop to a PC bus and communicate with the Thunderbolt port.
  • Change the Thunderbolt security setting to allow overwrite.
  • Upload (or flash) new firmware to the port.
  • Detach the spy-programmer and attach a Thunderbolt device to launch a Thunderclap exploit.
  • Use PCILeech to install a new kernel in the memory of the laptop.
  • Access the laptop without entering any password.

Although this may seem overly complicated, for a dedicated criminal it’s easy to replicate. According to Ruytenberg, the only way to avoid this exploit is by disabling the Thunderbolt port completely.

What Intel is Saying

After being notified of the vulnerability, Intel replied that computers with DMA protection enabled remain protected against the Thunderspy attack. The company also advises all users to follow good security practices at all times.

Some of the recommendations include:

  • Connect only Thunderbolt Peripherals to your device.
  • Keep all peripherals secure and avoid lending them to or borrowing from other people.
  • Never leave your system unattended when powered on.
  • Use hibernation (suspend-to-disk) settings or power devices off completely.
  • Avoid using the suspend-to-RAM (sleep mode) on your device.

Some systems (like those using macOS) remain unaffected by the vulnerability unless you’re also running Boot Camp on the device. To ensure you remain protected against Thunderspy and Thunderclap, follow all the latest security instructions and update your device firmware (if purchased before 2019).
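
On Linux, the settings behind Intel's statement and the recommendations above can be read from sysfs. The script below is an added example, not code from Intel, Ruytenberg, or Kensington; it assumes a kernel that exposes the Thunderbolt `security` and `iommu_dma_protection` attributes, and the function name `tb_audit` and the fixture directory are illustrative.

```shell
#!/bin/sh
# Added example: read-only audit of Linux Thunderbolt DMA exposure via sysfs.
# tb_audit [ROOT] -- ROOT is prepended to /sys paths (empty = live system).
tb_audit() {
    tb_root="${1:-}"
    tb_findings=0
    tb_seen=0
    for tb_dom in "$tb_root"/sys/bus/thunderbolt/devices/domain*; do
        [ -d "$tb_dom" ] || continue
        tb_seen=1
        tb_name=$(basename "$tb_dom")
        tb_level=$(cat "$tb_dom/security" 2>/dev/null || echo unknown)
        tb_iommu=$(cat "$tb_dom/iommu_dma_protection" 2>/dev/null || echo 0)
        # 1 means the kernel uses the IOMMU to confine Thunderbolt DMA (assumed
        # here to be the "DMA protection" in question). A missing file counts as off.
        if [ "$tb_iommu" = "1" ]; then
            echo "OK   $tb_name: IOMMU DMA protection active"
        else
            echo "FAIL $tb_name: IOMMU DMA protection not active"
            tb_findings=$((tb_findings + 1))
        fi
        # Level "none" tunnels PCIe to any attached device without approval.
        if [ "$tb_level" = "none" ]; then
            echo "FAIL $tb_name: security level is 'none'"
            tb_findings=$((tb_findings + 1))
        else
            echo "OK   $tb_name: security level is '$tb_level'"
        fi
    done
    [ "$tb_seen" = 1 ] || echo "INFO no Thunderbolt domains found"
    # "disk" in /sys/power/state means hibernation (suspend-to-disk) is offered.
    if ! grep -qw disk "$tb_root/sys/power/state" 2>/dev/null; then
        echo "WARN hibernation unavailable; power off instead of sleeping"
        tb_findings=$((tb_findings + 1))
    fi
    echo "findings=$tb_findings"
}

# Constructed fixture (not a real machine) so the example runs offline;
# call tb_audit with no argument to inspect the live system instead.
demo=$(mktemp -d)
mkdir -p "$demo/sys/bus/thunderbolt/devices/domain0" "$demo/sys/power"
echo user > "$demo/sys/bus/thunderbolt/devices/domain0/security"
echo 0 > "$demo/sys/bus/thunderbolt/devices/domain0/iommu_dma_protection"
echo "freeze mem" > "$demo/sys/power/state"
tb_audit "$demo"
rm -rf "$demo"
```

A `FAIL` on IOMMU DMA protection is the finding that matters most here, since Intel's statement ties protection against Thunderspy to DMA protection being enabled.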

An Added Layer of Security with Kensington’s LD5400T Thunderbolt 3 Dock with K-Fob™ Smart Lock Technology

As the cybercriminal will require access to the PC’s backplate, you can use Kensington’s LD5400T Thunderbolt 3 Dual 4K Dock to secure your PC while it remains unattended. The LD5400T provides you with the necessary physical security using next-gen electronic locking, supporting both single-user and multi-user environments. As a docking station, it provides you with all the ports you’d expect in a top-of-the-line Thunderbolt 3 dock while also providing you the security you deserve from the pioneer in physical device protection.


Features of the LD5400T docking station include:

  • Cross-platform Thunderbolt 3 connectivity with speeds up to 40Gbps (supporting devices up to 15” from HP, Dell, Lenovo, and more).
  • Support for up to Dual 4K @ 60Hz video.
  • Up to 85W of power delivery for rapid device charging.
  • Plug and play installation compatible with Windows 10 or macOS 10.12 and higher.
  • IT master access or single-user control with a Register and Retrieve program available.
  • Professional Locking Design with K-Fob™ Smart Lock Technology.

Thunderbolt 3 remains one of the best connection technologies available due to its high transfer speeds and reliable communications. Although Thunderspy presents a risk to Thunderbolt devices, you can overcome the challenges by keeping your device patched with the latest updates while also increasing your physical security.

Using a docking station with an electronic key-fob can help you secure your device even when unattended. Additionally, always make sure you use the latest firmware for your PC, deploy strict device and BIOS/UEFI settings, and keep your Thunderbolt peripherals secure. You should also ensure that your device has the latest DMA protections enabled.

If you need to secure your device against the Thunderspy vulnerability or any other physical threat, you can view our laptop locking solutions. In addition, if you are looking for a solution to lock down your laptop, but don’t require an integrated docking station or if a cabled solution will suffice, you can trust in Kensington to address your physical device protection needs.