Recently, researchers demonstrated an undetectable and rapid hardware attack called Thunderspy, which easily bypasses Intel’s Thunderbolt security features and allows an attacker to copy memory from a locked and encrypted PC. Microsoft today explained that Secured-core PCs are not affected by Thunderspy.
Here’s how Secured-core PCs offer protection against Thunderspy:
- Secured-core PCs use a defense-in-depth strategy that leverages features like Windows Defender System Guard and virtualization-based security (VBS) to mitigate risk across multiple areas, delivering comprehensive protection against attacks like Thunderspy.
- Secured-core PCs ship with hardware and firmware that support Kernel DMA Protection, which is enabled by default in the Windows OS. Kernel DMA Protection relies on the Input/Output Memory Management Unit (IOMMU) to block external peripherals from initiating DMA unless an authorized user is signed in and the screen is unlocked.
- Secured-core PCs ship with Hypervisor-protected Code Integrity (HVCI) enabled by default. HVCI uses the hypervisor to enable VBS and to isolate, from the normal kernel, the code integrity subsystem that verifies that all kernel code in Windows is signed. In addition to isolating the checks, HVCI also ensures that kernel code cannot be both writable and executable, so unverified code does not execute.
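The two defenses in the list above, Kernel DMA Protection and HVCI, can both be verified on an existing Windows 10 machine. The following PowerShell script is an added example written for this article, not code from Microsoft; it reads VBS/HVCI state from the documented Win32_DeviceGuard WMI class, takes the Kernel DMA Protection status from an exported msinfo32 report (the script assumes the report's "item<whitespace>value" line layout), and reads the Group Policy value that controls how external devices that are incompatible with Kernel DMA Protection are enumerated.

```powershell
# Added example (not from the article or from Microsoft): report whether
# Kernel DMA Protection and HVCI are active on this Windows 10 machine.

function Get-VbsHvciStatus {
    # Win32_DeviceGuard is Microsoft's documented WMI class for VBS state.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning = (@($dg.SecurityServicesRunning) -contains 2)
    }
}

function Get-KernelDmaProtectionStatus {
    # msinfo32 exposes no PowerShell API, so export its System Summary to a
    # temporary file and read the "Kernel DMA Protection" line from it.
    # Assumption: the line looks like "Kernel DMA Protection<whitespace>On".
    $report = Join-Path $env:TEMP 'msinfo32-kernel-dma.txt'
    Start-Process -FilePath 'msinfo32.exe' -ArgumentList "/report `"$report`"" -Wait -NoNewWindow
    $status = 'Unknown'   # older builds or unsupported hardware omit the line
    foreach ($line in Get-Content -Path $report) {
        if ($line -match '^Kernel DMA Protection\s+(.+)$') { $status = $Matches[1].Trim(); break }
    }
    Remove-Item -Path $report -ErrorAction SilentlyContinue
    return $status        # expected values: 'On' or 'Off'
}

function Get-DmaEnumerationPolicy {
    # Group Policy "Enumeration policy for external devices incompatible with
    # Kernel DMA Protection": 0 = block all, 1 = allow only after the user
    # signs in or unlocks the screen, 2 = allow all. Unset behaves like 1.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection'
    $item = Get-ItemProperty -Path $key -Name DeviceEnumerationPolicy -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured (default: allow only after unlock)' }
    switch ($item.DeviceEnumerationPolicy) {
        0       { 'Block all' }
        1       { 'Allow only after unlock' }
        2       { 'Allow all (weakest setting)' }
        default { "Unexpected value $($item.DeviceEnumerationPolicy)" }
    }
}

# Summarize the posture in one object so it can be collected fleet-wide.
$vbs = Get-VbsHvciStatus
[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    VbsRunning           = $vbs.VbsRunning
    HvciRunning          = $vbs.HvciRunning
    KernelDmaProtection  = Get-KernelDmaProtectionStatus
    DmaEnumerationPolicy = Get-DmaEnumerationPolicy
} | Format-List
```

A machine that reports `HvciRunning : True` and `KernelDmaProtection : On` has the two mitigations the article describes; a `DmaEnumerationPolicy` of "Allow all" weakens the DMA defense even when Kernel DMA Protection itself is on, because devices that do not support it are then enumerated while the screen is still locked.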
Microsoft first announced Secured-core PCs in 2019. These are the most secure Windows 10 devices out of the box, with integrated hardware, firmware, software, and identity protection. Windows OEMs have to meet the strict security requirements listed by Microsoft to obtain this certification. These new Secured-core PCs are aimed at people who work in the most data-sensitive industries, such as government, financial services, and healthcare.