Thunderspy PoC demo 1: Unlocking Windows PC in 5 minutes

May 11, 2020 01:12 · 380 words · 2 minute read

So what we have here is a Lenovo P1, which was purchased last year (2019). As you can see, it’s in sleep mode. Just checking, right here. Yes, it’s been locked. I don’t know the password, and the password isn’t empty either, as you can see. So, that’s all good. What we’re going to do now is turn over the laptop, so that we can reach the backplate. And we unscrew the backplate. Right, there we go. So, now I’m going to attach my SPI programmer, which is a device called Bus Pirate. It allows me to interface with the SPI flash that is storing the Thunderbolt controller firmware.

01:36 - OK, so attaching the Bus Pirate to my attacker laptop. Now we’re going to use a tool called “flashrom”, to get the firmware from the SPI flash. Right, so now I have a dump. I’m going to feed that dump to a tool that I wrote, which is called Thunderbolt Controller Firmware Patcher. As you can see, apparently the Thunderbolt controller was set to Security Level 1. This is the default Security Level on all Thunderbolt laptops. And I’m patching it now to an insecure state. As you can see, it says SL0, which means all Thunderbolt security is disabled. Now we’re going to write back the firmware to the SPI flash. Now, this might take a bit, because flashrom will be trying various methods to program the SPI flash. As you can see, eventually it will succeed.

04:06 - OK, so now we’ve written our custom firmware to the SPI flash. We’re detaching the SPI programmer and putting the backplate back onto the laptop. Turning over the laptop. And opening it up. As you can see, it is still up and running. We still cannot get into the laptop. And here, I’m attaching my Thunderbolt-based attacker device. Now what you see here is a device that will be attacking the laptop. We’re going to use that device with a tool called PCILeech. Here, I’m loading a kernel module into the memory of the laptop, which allows me to bypass the Windows lockscreen. So, let’s see if it has worked. We’re entering no password. And there we go. We can get into the laptop. Thank you for watching.