Spycheck for Linux
Spycheck for Linux is a Python script that verifies whether your system is vulnerable to the Thunderspy attacks as detailed on thunderspy.io. If it is found to be vulnerable, Spycheck will guide you to recommendations on how to help protect your system.
Spycheck for Linux supports:
- Linux kernel 3.16 and later
- Python 3.4 and later
- All Thunderbolt 2 and 3 host controllers
- PCs as well as Apple Mac systems running Linux (Bootcamp)
Spycheck works independently of the
thunderbolt kernel module, and will therefore function even if your kernel blacklists or does not provide this module.
This tool requires root privileges to generate an accurate report. To verify whether your system is vulnerable to Thunderspy, simply run the script as follows:
$ sudo python3 spycheck.py
When running Spycheck, you will be asked to identify the ports on your system. If you indicate your system provides Thunderbolt ports, the tool will attempt to detect Thunderbolt hardware and assess whether your system is vulnerable to Thunderspy.
Welcome to Spycheck. This tool will verify whether your system is vulnerable to the Thunderspy attacks. Please identify the ports on your system. Does your system provide any USB-C or Mini-DP ports? [y/n] y Is there a lightning symbol printed alongside any of these ports? [y/n] y Enumerating, please wait... Summary: System is Vulnerable Your system features a Thunderbolt 3 controller. No fix is available. For recommendations on how to protect your system, please refer to https://thunderspy.io/#protections-against-thunderspy OS version: Linux kernel 5.3.0-42-generic Kernel DMA Protection: No DMAR table System vendor: HP Product name: ZBook 15 G4 Thunderbolt controller #0: JHL6540 Thunderbolt 3 NHI (C step) [Alpine Ridge 4C 2016] Generation: Thunderbolt 3 Port number: 2
Spycheck optionally supports the following commands:
usage: spycheck.py [-h] [--version] [-v] [-y] [-o OUTPUT] Spycheck for Linux optional arguments: -h, --help show this help message and exit --version show program's version number and exit -v, --verbose enable verbose output -y, --yes disable interactive mode; assume user confirms presence of Thunderbolt ports -o OUTPUT, --output OUTPUT export report to JSON-formatted file
Questions and Answers
While Spycheck will work without root privileges, it may not be able to generate an accurate report. Root privileges are required to:
- Read the DMAR table from ACPI, to get Kernel DMA Protection state
- Read DMI, to determine whether the system is an Apple Mac
- Read and write WMI, to set the Thunderbolt controller power state if it’s running in power saving mode
I don’t have any Thunderbolt devices. Will Spycheck still work?
On some systems, the Thunderbolt controller may enter power saving mode when no Thunderbolt devices are attached. In this case, Spycheck will attempt to enable power using the WMI Thunderbolt driver. If your system requires disabling power saving mode, and you don’t have any Thunderbolt devices to connect, please ensure to run a kernel that ships the former driver (4.15 or later).
Can I run Spycheck as part of my scripts?
Yes. Simply pass
-y to disable interactive mode. To export the report to a JSON-formatted file as well, use
-y -o FILE.
I would prefer checking my system manually. How can I do this?
Please refer to thunderspy.io for instructions on how to manually check whether your system is vulnerable.
See the LICENSE file.