
If all it takes is a malicious Thunderbolt device, why is a screwdriver needed?


Because they need to open up the victim's device to read its TB3 configuration directly off the SPI flash that holds it; that's how they get the malicious device to work in the first place.


Many smaller devices do not require tools and are trivial to clone. Any of the victim devices will do. It's not only useful to attack a target computer.

Device identifiers and capabilities are not bound to the security level secret values. Drop off a pre-cloned video adapter in a conference room. If it is used, and as a result authorized by a targeted computer at a later moment in time, it's game over. An attacker may now perform DMA operations unless the system has kDMA protection enabled. This requires kDMA support in the BIOS, IOMMU hardware, and the operating system.

The focus on DMA, however, misses a very important observation about security levels from the research: there is a lot of attack surface when you're able to plug in a PCI(e) device as easily as a USB disk.
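The comment above describes the three pieces a host needs before a hot-plugged Thunderbolt/PCIe device is kept away from memory (firmware support, an IOMMU, and an OS that uses it), plus the problem of devices that were authorized once and stay authorized. The following POSIX shell script is an added example written for this thread, not something any commenter posted: it reads the attributes the Linux thunderbolt driver exposes under /sys/bus/thunderbolt/devices (domainN/security, domainN/iommu_dma_protection, and each device's authorized/unique_id/device_name) and reports whether any domain is still exposed and which devices are currently approved. The verdict strings, the TB_ROOT override and the function names are this example's own; the sysfs attribute names are the driver's real ones.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Linux host's Thunderbolt posture
# against DMA from hot-plugged PCIe devices using the kernel's sysfs attributes.
# TB_ROOT can be pointed at a copy of the tree for offline review; the default is
# the live one.

TB_ROOT="${TB_ROOT:-/sys/bus/thunderbolt/devices}"

# read_attr FILE DEFAULT: print a sysfs attribute, or DEFAULT when it is absent.
read_attr() {
    if [ -r "$1" ]; then cat "$1"; else printf '%s\n' "$2"; fi
}

# tb_domain_verdict DOMAIN_DIR
# Prints "<state>:<reason>:<security level>"; returns 0 when DMA from a newly
# attached device is blocked by hardware/OS policy, 1 when it is not.
tb_domain_verdict() {
    sec=$(read_attr "$1/security" unknown)
    iommu=$(read_attr "$1/iommu_dma_protection" 0)
    # iommu_dma_protection=1: the kernel keeps tunnelled PCIe devices behind
    # the IOMMU, i.e. the firmware+IOMMU+OS combination the comment calls for.
    if [ "$iommu" = "1" ]; then
        printf 'protected:iommu:%s\n' "$sec"; return 0
    fi
    case "$sec" in
        # secure = key challenge; dponly/usbonly = no PCIe tunnelling at all
        secure|dponly|usbonly) printf 'protected:policy:%s\n' "$sec"; return 0 ;;
        # user = approval keyed only on the device identity (clonable, as the
        # comment notes); none = every device is accepted without asking
        user) printf 'exposed:identity-only:%s\n' "$sec"; return 1 ;;
        none) printf 'exposed:no-policy:%s\n' "$sec"; return 1 ;;
        *)    printf 'unknown:%s\n' "$sec"; return 1 ;;
    esac
}

# tb_list_authorized ROOT: one "unique_id<TAB>device_name" line per device that
# is currently authorized, so stale approvals can be reviewed and revoked.
tb_list_authorized() {
    for dev in "$1"/*/; do
        dev=${dev%/}
        [ -r "$dev/authorized" ] || continue
        [ "$(cat "$dev/authorized")" != "0" ] || continue
        printf '%s\t%s\n' "$(read_attr "$dev/unique_id" '?')" \
                          "$(read_attr "$dev/device_name" '?')"
    done
}

# tb_audit ROOT: print a report for every domain plus the authorized-device
# list; returns 1 if any domain is exposed.
tb_audit() {
    rc=0
    for dom in "$1"/domain*/; do
        [ -d "$dom" ] || continue
        dom=${dom%/}
        v=$(tb_domain_verdict "$dom") || rc=1
        printf '%s: %s\n' "$(basename "$dom")" "$v"
    done
    printf 'authorized devices:\n'
    tb_list_authorized "$1"
    return $rc
}

# Run against the live tree when one exists; harmless on hosts without Thunderbolt.
if [ -d "$TB_ROOT" ]; then
    tb_audit "$TB_ROOT" || \
        echo "WARNING: at least one Thunderbolt domain accepts DMA from hot-plugged devices"
fi
```

A domain reporting `exposed:identity-only:user` is exactly the situation the comment describes: a device that was approved once (or a clone carrying the same identifier) gets PCIe access without any IOMMU in the way. The list at the end is what to prune; on kernels with `iommu_dma_protection` the verdict is `protected:iommu` regardless of the security level, which is the state to aim for.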


You almost certainly know more about this than I do, but hasn't macOS been breaking this attack --- malicious PCIe DMA --- for several years now with its IOMMU configuration? Ivan Krstic has a whole series of BH slides about this, and in the context of T2.

The point about attacking trusted devices and pre-cloning devices is well taken.


Yes. With macOS and Thunderbolt 3 devices on Apple hardware the IOMMU is used as expected. This should handle DMA attacks when booted into macOS.

An important caveat: the IOMMU alone will not handle every other issue that comes with malicious PCI(e) devices.


That seems a bit counter to "Thunderspy is stealth, meaning that you cannot find any traces of the attack". No traces on the computer, sure, but someone breaking apart my screen might be possible to notice.


Unless they opened it before you even received the device.
