Scared of Thunderspy?

Of course: every new set of vulnerabilities deserves security practitioners' attention. Techies will want to understand and perhaps explore "Thunderspy". Computer bus designers must take note to avoid or at least mitigate Thunderspy in their designs.

But must you (and I), mere users, be frightened of Thunderspy? I think Thunderspy doesn't much change the existing, and already worrisome, computing minefield, if at all.

"[T]he Thunderspy attack, one would need physical access to the device...and only involves use of a Thunderbolt-equipped computer, a screwdriver and some portable hardware." (URL reference, at end)

In plain words: don't let your computer out of your control. You knew that already, right? Thunderspy requires a few minutes of access plus a bit of extra hardware. Do you think you'd notice if a stranger was attaching odd-looking hardware to your computer?

If you've got serious secrets on your Thunderbolt capable computing device, don't let the device get out of your control. At a cafe (should we ever sit in one again?), don't head to the loo without your machine! I never do.

Here's the thing: an attacker doesn't need a fancy bit of Thunderbolt probing hardware to get around your password lock and hard disk encryption (you always lock your screen and encrypt your disk, yes?). USB stick attacks that circumvent OS security controls have been around for years. In fact, don't plug into that convenient public USB charger (you knew that, too, right?). "No, you can't put your USB thumb drive into my computer for just a second."

Every user should know that any application you run has access to the plaintext of your encrypted hard drive data. That's because the operating system (OS), be it Windows, Linux, Mac, etc., decrypts the hard drive transparently for every application the logged-in user runs. That's true whether the user has installed the app or it's been run from a USB stick (or Thunderbolt device).

Consider the panoply of WiFi attacks, or public WiFi networks under the control of an attacker, which at the very least give the attacker access to your communications (if not control of them). VPN? Check.

The technically interesting thing about Thunderspy is that it gains control of one of the main internal data exchanges in the computer, the PCIe bus. What that means is that Thunderspy gets around all protections provided by the OS. OS and bus designers, please take note. That "take note" is clearly spelled out in the discoverer's statement given at the vulnerability site (URL below).
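The reason a foothold on the PCIe bus sidesteps the OS is that a device on that bus can do DMA, reading and writing system memory without the OS mediating the access. The defender-side counterpart, which the article's "OS and bus designers, please take note" points at, is for the OS to either require authorization before a Thunderbolt device gets PCIe access or to fence its DMA behind the IOMMU. The script below is an added example, not code from the article or from the Thunderspy researchers. It assumes a Linux kernel with the thunderbolt driver and reads two attributes that the kernel documents in its sysfs-bus-thunderbolt ABI: `security` (the Thunderbolt security level: `none`, `user`, `secure`, `dponly`, `usbonly`, or `nopcie`) and `iommu_dma_protection` (1 when the kernel uses the IOMMU to fence DMA from Thunderbolt devices). The grading into three verdicts is this example's own choice.

```shell
#!/bin/sh
# Added example, not part of the original article: summarize what Linux
# exposes about Thunderbolt DMA defences, one line per Thunderbolt domain
# (host controller). Assumes the kernel's sysfs-bus-thunderbolt attributes
# "security" and "iommu_dma_protection" under each domainN directory.

# tb_assess DOMAIN_DIR
#   Prints one summary line and returns:
#     0  DMA from attached devices is fenced by the IOMMU, or PCIe tunnelling
#        is disabled outright (dponly/usbonly/nopcie)
#     1  devices must be authorized before they get PCIe access (user/secure),
#        but an authorized device's DMA is not fenced by an IOMMU
#     2  any device is accepted and nothing fences its DMA
tb_assess() {
    dir=$1
    sec=unknown
    iommu=0
    if [ -r "$dir/security" ]; then
        sec=$(cat "$dir/security")
    fi
    if [ -r "$dir/iommu_dma_protection" ]; then
        iommu=$(cat "$dir/iommu_dma_protection")
    fi

    rc=2
    verdict="unprotected: every device gets PCIe access and its DMA is not fenced"
    case "$sec" in
        dponly|usbonly|nopcie)
            rc=0
            verdict="protected: PCIe tunnelling disabled ($sec)"
            ;;
        user|secure)
            rc=1
            verdict="authorization-only: devices need approval ($sec) but DMA is not fenced"
            ;;
    esac
    # The IOMMU fence is the stronger control: it holds even for a device
    # that has been authorized, so it overrides the security-level verdict.
    if [ "$iommu" = "1" ]; then
        rc=0
        verdict="protected: IOMMU fences DMA from Thunderbolt devices (security level $sec)"
    fi

    printf '%s: security=%s iommu_dma_protection=%s -> %s\n' \
        "$(basename "$dir")" "$sec" "$iommu" "$verdict"
    return "$rc"
}

# Walk the real sysfs tree. On a machine without Thunderbolt the glob matches
# nothing (the literal pattern fails the -d test) and the loop does nothing.
for d in /sys/bus/thunderbolt/devices/domain*; do
    [ -d "$d" ] || continue
    tb_assess "$d" || true
done
```

Run it as root or as any user who can read sysfs; a host that reports `security=none` together with `iommu_dma_protection=0` is the configuration in which a hot-plugged device gets unfenced PCIe access, which is exactly the exposure the article is weighing.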

Research like Thunderspy helps us to design more secure systems. I believe that such research performs a critically required feedback function.

Still, Thunderspy hasn't, in my professional opinion, made our world particularly more dangerous than it already is. It's already bloody treacherous.

As near as I can tell (without having read the paper, just news reports and the Thunderspy site), Thunderspy supplies some new avenues around existing controls. From an attacker's view, Thunderspy appears to duplicate results obtained from other existing, well-understood attack methods.

The upshot? Be careful. Be suspicious.

Scared of Thunderspy? Not especially. Instead, be wary, period.

Brook S.E. Schoenfield, author, Secrets Of A Cyber Security Architect and Securing Systems

https://thunderspy.io

https://threatpost.com/millions-thunderbolt-devices-thunderspy-attack/155620/

