May 16, 2020

How to Protect Your DataLocker Against Thunderspy Attacks

Thunderspy enables evil maid style attacks against a host computer. Evil maid attacks require physical access to the victim’s machine, and usually enough time to do something conspicuous such as opening the case. A successful attack gives the intruder direct memory access (DMA) to the machine, that is, the ability to read and write system memory, which in turn lets them bypass every local security control on that computer. This includes removing the restrictions on any encrypted drive that is currently unlocked.

The most likely target is the system boot drive, even when full disk encryption such as BitLocker is in use, because the volume’s encryption key is held in memory while the machine is running or asleep and DMA can read it. This is a generic attack against the host computer, which can then be used to compromise anything that computer trusts. For example, if you were signed in to your bank’s website, this attack would give the intruder access to your bank information. The same is true if you were connected to your unlocked DataLocker drive at the time.
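As an added example, not DataLocker’s code or part of the original post: a POSIX shell script that reports how exposed a Linux host is to Thunderbolt DMA attacks such as Thunderspy, by reading the attributes the kernel’s thunderbolt driver exports under /sys/bus/thunderbolt/devices (security, iommu_dma_protection, authorized, device_name). The function names, the --check flag and the constructed sysfs tree used to exercise it are assumptions of this example. Thunderspy works by rewriting the Thunderbolt controller’s own firmware to lower its security level, so the script treats IOMMU-based DMA protection, not the security level, as the deciding check.

```sh
#!/bin/sh
# Added example, not DataLocker code: report a Linux host's exposure to
# Thunderbolt DMA attacks using the kernel's thunderbolt sysfs attributes:
#   domainN/security              security level (none|user|secure|dponly|usbonly)
#   domainN/iommu_dma_protection  1 when the IOMMU restricts Thunderbolt DMA
#   <route>/authorized            1 when that peripheral has been authorized
# The sysfs root is a parameter so the functions can be run against a copied
# or constructed tree; the default is the live system.

thunderbolt_report() {
    root="${1:-/sys/bus/thunderbolt/devices}"
    for domain in "$root"/domain*; do
        [ -d "$domain" ] || continue
        level=$(cat "$domain/security" 2>/dev/null || echo unknown)
        # An absent attribute means an older kernel; treat it as unprotected.
        iommu=$(cat "$domain/iommu_dma_protection" 2>/dev/null || echo 0)
        echo "$(basename "$domain"): security=$level iommu_dma_protection=$iommu"
        if [ "$iommu" != "1" ]; then
            # The security level is enforced by the controller's firmware,
            # which is what Thunderspy rewrites, so without IOMMU protection
            # even 'secure' does not stop an attacker-controlled device.
            echo "  warning: Thunderbolt DMA is not restricted by the IOMMU"
        fi
    done
    # List attached peripherals and whether they are currently authorized.
    for dev in "$root"/*; do
        [ -f "$dev/authorized" ] || continue
        name=$(cat "$dev/device_name" 2>/dev/null || echo unknown)
        echo "$(basename "$dev"): authorized=$(cat "$dev/authorized") device_name=$name"
    done
}

# Exit status: 0 when every Thunderbolt domain has IOMMU DMA protection,
# 1 when at least one does not, 2 when the host has no Thunderbolt domain.
thunderbolt_dma_protected() {
    root="${1:-/sys/bus/thunderbolt/devices}"
    found=0
    for domain in "$root"/domain*; do
        [ -d "$domain" ] || continue
        found=1
        iommu=$(cat "$domain/iommu_dma_protection" 2>/dev/null || echo 0)
        [ "$iommu" = "1" ] || return 1
    done
    [ "$found" -eq 1 ] || return 2
    return 0
}

# Run directly with --check (assumed flag name) to audit the live system.
case "${1:-}" in
    --check) thunderbolt_report; thunderbolt_dma_protected ;;
esac
```

Run it with --check on a live machine; a status of 1 means a Thunderbolt device with attacker-controlled firmware could read host memory, including the keys of any unlocked volume. On Windows the equivalent indicator is the Kernel DMA Protection line in System Information (msinfo32).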

Just as you should log out of your bank account, you should lock your DataLocker drive when it is not in use. DataLocker has an inactivity autolock feature, which is useful when you forget to lock the drive before you walk away. Much as your bank logs you off after a set number of minutes of inactivity, so can your DataLocker drive. The DataLocker DL3 and Sentry K300 both have firmware-level settings to lock after a set period of inactivity, as do all devices managed by SafeConsole. Our drives also lock immediately when the host computer is put to sleep, which is the state a computer is most likely to be in during a Thunderspy attack. Once a DataLocker drive is locked and disconnected from the computer, Thunderspy cannot directly target the data on the encrypted drive, because the host no longer has access to the unlocked volume.

Thunderspy takes advantage of Thunderbolt’s advanced feature set using low-level physical access, so it is only fitting that it is defeated by the simple approach of disconnecting the drive when it is not in use. It is these fundamental security concepts that DataLocker builds on to secure your data. This attack shows that storing data on the boot drive, even when it is encrypted, still poses potential security issues. You don’t open your safe every time you get home, and you shouldn’t unlock the vault holding your most important documents every time you turn on your computer. Times like these show that simply isolating your data into separate silos, such as putting the most sensitive data on dedicated hardware-encrypted drives, makes it easier to keep that data out of reach of generic low-level attacks like this one.