Microsoft says Surface devices don’t have Thunderbolt due to security concerns

Photo by Amelia Holowaty Krales / The Verge

Microsoft has explained why its range of Surface laptops and tablets doesn’t have Thunderbolt ports or removable RAM: security concerns. That detail was revealed in a Surface engineering webinar leaked on Twitter by WalkingCat, in which a Microsoft employee lays out all the engineering involved in the company’s latest devices.

“No Surface device has Thunderbolt. Why not? Because that’s a direct memory access port,” explains the Microsoft employee. “If you have a well prepared stick that you can put into the direct memory access port, then you can access the full device in memory and all data that’s stored in memory. We don’t believe, at this moment, that Thunderbolt can deliver the security that’s really needed from the devices.”

The Verge has verified that the presentation is genuine, and that the Microsoft employee is a Surface technology specialist based in the Netherlands who has worked at the company for more than 10 years. In the hour-long presentation, it’s also revealed that Microsoft’s Surface devices don’t have removable RAM due to similar security concerns.

“If you’d be able to upgrade the memory... what you can easily do is freeze the memory with liquid nitrogen, get the memory out, and then put it in a specific reader... and then you can access all the data that was loaded into memory,” explains the Microsoft employee. “That’s why on all Surface devices the memory is not physically upgradeable, because of security. We want to make sure the memory can not be tampered with.”

We asked Microsoft for a comment on the presentation, but the company says it has nothing to share about it. Other similar business-focused laptops from Lenovo, Dell, and HP have used Thunderbolt for years, but Surface devices have always been an outlier. Microsoft has also built kernel-level DMA protection for Thunderbolt 3 into Windows 10.

It’s surprising to hear Microsoft blame security for the lack of Thunderbolt ports rather than incompatibility with its own Surface Connector. Microsoft’s proprietary charging connector doesn’t support Thunderbolt or its high data transfer speeds, but it does offer the uniqueness of data transfer, power delivery, and video support all in a single cable with magnetic positioning.

Comments

what you can easily do is freeze the memory with liquid nitrogen, get the memory out, and then put it in a specific reader, and then you can access all the data that was loaded into memory

Guess this has unfortunately become the go-to answer for non-upgradeable RAM going forward.

I feel so insecure on my MBP now

"easily"

I’d love to see someone actually do this.

If one has the expertise and tools to do this (basically secret services and a few security firms), I wonder if the non-removable memory is really a problem?

the expertise and tools to do this (basically secret services and a few security firms)

Five dollars to buy a can of freeze spray from the store and an empty ram slot

Not exactly secret service stuff

What, you don’t have a vat of liquid nitrogen just laying around in your basement??

Under the kitchen sink because I use it at least once a week.

You don’t stick your hand in it daily? Leidenfrost effect is awesome. Get yourself a vat.

It doesn’t take liquid nitrogen, just a $5 can of freeze spray

Yea, I was about to argue with BlackToe and I looked it up to confirm and found out he was right.

While liquid nitrogen is more reliable in getting the RAM cold enough, a can of freeze spray is sufficient to get it cold enough (but just barely, so with the $5 can you risk not chilling it enough and losing the data).

I do but it’s currently occupied by a hitchhiker.

You can use a can of compressed air and turn it upside down then spray to freeze the ram.

You don’t need liquid nitrogen. Either way I’d rather be able to upgrade my RAM myself.

I get it, but it’s kind of an extreme response. (And I wonder if this is the real reason we don’t have Thunderbolt or upgradeable RAM… Seems like more of a positive side effect that you could use as justification.)

I’m not sure how other systems work, but I’ve used lots of Dell systems with Thunderbolt ports, and as long as you don’t go into the BIOS setup and loosen up the security settings, you are required to approve any connected device before it gets DMA access. A little bit annoying (if you ever plug into a different TB dock then you have to approve it before it works) but a good security trade-off.

The memory thing… yeah, someone "could" knock me over the head, steal my laptop, freeze the RAM, and steal my encryption keys… But I think that the chances of that happening are small enough that I’d trade off the risk for the ability to upgrade the RAM with whatever modules I choose, thanks
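The device-approval behaviour described in the comment above (and the kernel-level DMA protection the article mentions for Windows 10) is the Thunderbolt "security level" mechanism: at the "user" level a newly plugged device is enumerated but gets no PCIe/DMA access until someone authorizes it. The script below is an added example, not code from The Verge or from any commenter, and it assumes the Linux kernel's sysfs interface for the same mechanism (`/sys/bus/thunderbolt/devices/domainN/security` and per-device `authorized`, `vendor_name`, `device_name` attributes); it builds a constructed sample tree so it runs offline, and on a real machine you would point `tb_audit` at `/sys/bus/thunderbolt/devices` instead.

```shell
#!/bin/sh
# Added example (not from the article or its comments). Audits the Thunderbolt
# security level and per-device authorization state exposed by the Linux
# kernel under /sys/bus/thunderbolt/devices. Attribute names are the kernel's
# documented ones; the sample tree below is constructed for offline use.

# Print the security level of the first Thunderbolt domain:
# none | user | secure | dponly | usbonly, or "unknown" if no domain exists.
tb_security_level() {
    root="$1"
    for d in "$root"/domain*; do
        if [ -r "$d/security" ]; then
            cat "$d/security"
            return 0
        fi
    done
    echo unknown
}

# Count attached devices whose "authorized" flag is 0 (enumerated but denied
# DMA). The host router (X-0) is skipped; 1 = authorized, 2 = authorized+key.
tb_unauthorized_count() {
    root="$1"
    n=0
    for dev in "$root"/[0-9]*-[0-9]*; do
        [ -r "$dev/authorized" ] || continue
        case "${dev##*/}" in *-0) continue ;; esac
        if [ "$(cat "$dev/authorized")" = "0" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Human-readable report. Returns 1 when the policy is weak ("none" means every
# plugged device gets DMA access automatically; "unknown" means nothing to
# check), 0 otherwise. Devices still waiting for approval are the mechanism
# working as intended, so they do not fail the audit.
tb_audit() {
    root="$1"
    level="$(tb_security_level "$root")"
    echo "thunderbolt security level: $level"
    for dev in "$root"/[0-9]*-[0-9]*; do
        [ -r "$dev/authorized" ] || continue
        case "${dev##*/}" in *-0) continue ;; esac
        vendor="$(cat "$dev/vendor_name" 2>/dev/null || echo '?')"
        name="$(cat "$dev/device_name" 2>/dev/null || echo '?')"
        echo "  ${dev##*/}: authorized=$(cat "$dev/authorized") vendor='$vendor' name='$name'"
    done
    echo "devices awaiting authorization: $(tb_unauthorized_count "$root")"
    case "$level" in none|unknown) return 1 ;; esac
    return 0
}

# Constructed sample sysfs tree: one domain at "user" level, a host router,
# an approved dock and an unapproved adapter.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/domain0" "$root/0-0" "$root/0-1" "$root/0-3"
    echo user > "$root/domain0/security"
    echo 1 > "$root/0-1/authorized"
    echo "ExampleVendor" > "$root/0-1/vendor_name"
    echo "Sample Dock" > "$root/0-1/device_name"
    echo 0 > "$root/0-3/authorized"
    echo "ExampleVendor" > "$root/0-3/vendor_name"
    echo "Sample Adapter" > "$root/0-3/device_name"
}

# Demo run against the constructed tree (use /sys/bus/thunderbolt/devices on a real host).
demo_root="$(mktemp -d)"
make_sample_tree "$demo_root"
tb_audit "$demo_root"
rm -rf "$demo_root"
```

Writing `1` to a device's `authorized` file is what a user-space agent such as bolt does when the user approves a device; the audit above only reads, so it is safe to run from a monitoring job, and a "none" result is the condition a defender would want to alert on.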

Also, let’s be honest, if they knock you over your head and take your laptop… they already have your laptop. Why go through all the cloak and dagger freezing the RAM to set the bits before extracting the DIMM?

I think the idea is to keep the modules from losing the data when they are removed, not cloak and dagger.

Anyway, seems absurd. Microsoft is hardly a beacon of security, why would they take such extreme measures on the hardware side?

Their answer would be that your laptop is likely locked and the storage encrypted. A sleeping laptop still could have unencrypted data in RAM that would be accessible through that liquid nitrogen method. Given that the Surface has never been marketed as a high grade security device, this seems like justification after the fact. 99.99999% of consumers of the device are not going to be a target of this kind of thing but would benefit from Thunderbolt and upgradable RAM.

While many people could benefit from upgradeable RAM (to save money), let’s be honest here on the prospects of Thunderbolt – that’s the kind of feature that likely only benefits 0.01% of users in the first place.

Granted, Surface devices are more likely to target that extremely small niche of power users who could benefit from Thunderbolt, but it’s still an essentially non-existent group in terms of the broader market. It’s not just the added cost of Thunderbolt on the device, most people aren’t going to have the $1500 TB compatible monitor, or $1000 TB RAID enclosures.

Unless they deal in Video editing, VFX, and motion design… which the Surface line does push for. While the numbers will look niche, that is a market Microsoft does want.

While I agree with you (and specifically said as much in my post), I would be pretty surprised if many people serious enough about video / VFX to use and require Thunderbolt would be doing much work on mobile computers like the Surface line in the first place. This seems like an area where every single $ spent on building a desktop workstation will be repaid in spades on productivity, given just how processor and I/O intensive that industry is.

Even the Surface Studio still only uses outdated mobile CPUs and GPUs, so it’s really more targeted at graphic designers / illustrators / art directors / 2D animators…people doing lighter-duty work where the big high quality pen-enabled display is most important.

I also agree with what you are saying — just highlighting that thunderbolt raids are actually quite popular in that space which is larger than many assume, and also a creative avenue Microsoft would want to increase market share in. The Surface Pro seems like it would make a Premiere on-the-go device for someone who is already in the Windows ecosystem.

I think you’re right… and even if someone was that eager to get your encryption keys, the extra hassle of needing to desolder the ram first wouldn’t be the make or break point for the whole idea to be feasible, either.

AFAIK, Thunderbolt is licensed, so you’re required to pay a fee to Intel if you want to use this port in your device. Microsoft obviously doesn’t want that.

Has been royalty free since Thunderbolt 3.

But it only becomes royalty-free in TB4 iirc.

Thunderbolt 3, also the free license has been in effect for a few years already: https://bit-tech.net/news/tech/peripherals/intel-thunderbolt-3-licensing/1/
