
View Full Version : Need help destroying the thunderbolt port on air




bludsrevenge
May 18, 2013, 10:58 PM
I am about to buy myself a brand new MacBook Air when the next model comes out.

I believe in anonymity and I am beyond paranoid. I figure if I run FileVault and lock everything on my Air it will be 100% untouchable by anyone. I have done my fair share of research and this is perfect. The only issue I run into is the Thunderbolt port.

Here is an article on a company that sells the equipment needed to get into a file vault protected Mac:
http://forums.appleinsider.com/t/142622/forensics-vendor-warns-mac-os-x-filevault-vulnerable-to-decryption

They use a thunderbolt cable to get in. If I destroy the thunderbolt port there is no way of entry. So how can I permanently remove the thunderbolt port? To the point that even if I sent it in to apple they would say it is 100% impossible to fix.
Thanks all



justperry
May 18, 2013, 11:08 PM
It's probably the same technique as getting into the Mac with Firewire (Tl;Dr), if that is the case you don't have to worry since that hole has been patched quite a while ago.
It was accessing memory directly and this has been patched.

blueroom
May 18, 2013, 11:34 PM
Take a hammer to the SSD. Acid would work too.

Mrbobb
May 18, 2013, 11:47 PM
So what kind of illegal thing are you getting into? :cool:

simon48
May 19, 2013, 12:08 AM
You can destroy all the ports you like; someone can just take out the HD and access it directly. If FileVault is not enough, break the HD in two and you are good to go.

bludsrevenge
May 19, 2013, 01:00 AM
It's probably the same technique as getting into the Mac with Firewire (Tl;Dr), if that is the case you don't have to worry since that hole has been patched quite a while ago.
It was accessing memory directly and this has been patched.
I messaged the company who makes the product and they said their equipment is up to date with the latest model of MacBook Air and still works. This leads me to believe that the exploit is still there via Thunderbolt.
Does anyone know a way to destroy it?

justperry
May 19, 2013, 01:11 AM
I messaged the company who makes the product and they said their equipment is up to date with the latest model of MacBook Air and still works. This leads me to believe that the exploit is still there via Thunderbolt.
Does anyone know a way to destroy it?

You don't have to physically destroy Thunderbolt; there are some Thunderbolt extensions in the /System/Library/Extensions folder. Move them out, for instance to /System/Library/, and Thunderbolt won't work anymore.

These are the ones I have in 10.8.3

AppleThunderboltDPAdapters.kext
AppleThunderboltEDMService.kext
AppleThunderboltNHI.kext
AppleThunderboltPCIAdapters.kext
AppleThunderboltUTDM.kext

I think the bolded one is the one which disables the port.

I myself moved them out of the Extensions folder for other reasons.
Everything still works.

You can move them out with root or in the terminal, if you need help tell me and I will explain.

bludsrevenge
May 19, 2013, 01:23 AM
You don't have to physically destroy Thunderbolt; there are some Thunderbolt extensions in the /System/Library/Extensions folder. Move them out, for instance to /System/Library/, and Thunderbolt won't work anymore.

These are the ones I have in 10.8.3

AppleThunderboltDPAdapters.kext
AppleThunderboltEDMService.kext
AppleThunderboltNHI.kext
AppleThunderboltPCIAdapters.kext
AppleThunderboltUTDM.kext

I think the bolded one is the one which disables the port.

I myself moved them out of the Extensions folder for other reasons.
Everything still works.
You can move them out with root or in the terminal, if you need help tell me and I will explain.

If you could step by step explain I would be very grateful. I am purchasing the machine when the new model comes out so I assume it would be the same for the new machine.

I would just purchase the 2010 model, which does not have a Thunderbolt port, but the RAM isn't enough for my work. Without 8GB of RAM the computer is useless to me.

opinio
May 19, 2013, 01:35 AM
I am about to buy myself a brand new MacBook Air when the next model comes out.

I believe in anonymity and I am beyond paranoid. I figure if I run FileVault and lock everything on my Air it will be 100% untouchable by anyone. I have done my fair share of research and this is perfect. The only issue I run into is the Thunderbolt port.

Here is an article on a company that sells the equipment needed to get into a file vault protected Mac:
http://forums.appleinsider.com/t/142622/forensics-vendor-warns-mac-os-x-filevault-vulnerable-to-decryption

They use a thunderbolt cable to get in. If I destroy the thunderbolt port there is no way of entry. So how can I permanently remove the thunderbolt port? To the point that even if I sent it in to apple they would say it is 100% impossible to fix.
Thanks all

Why don't you run a secure erase on the SSD? I use Parted Magic on a Linux boot disk, which runs a command on the SSD itself to reset the SSD to factory.

justperry
May 19, 2013, 01:41 AM
If you could step by step explain I would be very grateful. I am purchasing the machine when the new model comes out so I assume it would be the same for the new machine.

I would just purchase the 2010 model, which does not have a Thunderbolt port, but the RAM isn't enough for my work. Without 8GB of RAM the computer is useless to me.

Open Terminal and do the following

sudo mkdir "/System/Disabled Extensions"
# the quotes matter: the folder name contains a space
sudo mv /System/Library/Extensions/AppleThunderboltDPAdapters.kext "/System/Disabled Extensions"
Hit Enter
Enter Password
sudo mv /System/Library/Extensions/AppleThunderboltEDMService.kext "/System/Disabled Extensions"
Hit Enter
sudo mv /System/Library/Extensions/AppleThunderboltNHI.kext "/System/Disabled Extensions"
Hit Enter
sudo mv /System/Library/Extensions/AppleThunderboltPCIAdapters.kext "/System/Disabled Extensions"
Hit Enter
sudo mv /System/Library/Extensions/AppleThunderboltUTDM.kext "/System/Disabled Extensions"
Hit Enter

*** This provided those extensions are in the Extensions folder; if there are more like these, do the same as above. Also, if you are fast enough (about 5 minutes) you have to enter your password only once.

Note: VERY IMPORTANT, make a backup first, if anything goes wrong you might not be able to startup the Mac.

BTW, I don't believe that company, I am almost sure the problem was Direct Memory Access (DMA) and this HAS been patched.



Why don't you run a secure erase on the SSD? I use Parted Magic on a Linux boot disk, which runs a command on the SSD itself to reset the SSD to factory.

I am pretty positive he wants to do this on the new Mac which he purchases later on.
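The same move, as an added shell example that is not justperry's commands and not anything shipped by Apple: a POSIX shell function that relocates every bundle whose name contains "Thunderbolt" into a quoted "Disabled Extensions" folder, records what it moved so the change can be undone, and is demonstrated here on a constructed scratch directory rather than on /System/Library/Extensions. The function names, the moved.txt record file and the scratch paths are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): disable Thunderbolt kexts by moving
# them out of an Extensions folder, keeping a record so they can be restored.
# Both directory paths are parameters, so the logic can be tried on a scratch
# copy before it is ever pointed at a real /System/Library/Extensions.

# disable_thunderbolt_kexts EXT_DIR DISABLED_DIR
# Prints one "moved <name>" line per bundle; returns 1 if nothing matched,
# 2 if mkdir or mv failed.
disable_thunderbolt_kexts() {
    ext_dir=$1
    disabled_dir=$2
    moved=0
    # Quoting matters: an unquoted "Disabled Extensions" is two arguments.
    mkdir -p "$disabled_dir" || return 2
    for kext in "$ext_dir"/*Thunderbolt*.kext; do
        [ -d "$kext" ] || continue          # glob matched nothing real
        name=$(basename "$kext")
        mv "$kext" "$disabled_dir/$name" || return 2
        printf '%s\n' "$name" >> "$disabled_dir/moved.txt"   # undo record
        printf 'moved %s\n' "$name"
        moved=$((moved + 1))
    done
    [ "$moved" -gt 0 ]
}

# restore_thunderbolt_kexts EXT_DIR DISABLED_DIR
# Undo: moves back exactly the bundles listed in moved.txt.
restore_thunderbolt_kexts() {
    ext_dir=$1
    disabled_dir=$2
    [ -f "$disabled_dir/moved.txt" ] || return 1
    while IFS= read -r name; do
        mv "$disabled_dir/$name" "$ext_dir/$name" || return 2
    done < "$disabled_dir/moved.txt"
    rm "$disabled_dir/moved.txt"
}

# Demo on a constructed scratch tree; no system files are touched.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/Extensions/AppleThunderboltNHI.kext" \
         "$demo_dir/Extensions/AppleThunderboltUTDM.kext" \
         "$demo_dir/Extensions/AppleHDA.kext"      # unrelated, must stay put
disable_thunderbolt_kexts "$demo_dir/Extensions" "$demo_dir/Disabled Extensions"
ls "$demo_dir/Extensions"                          # only AppleHDA.kext remains
rm -rf "$demo_dir"
```

On a live 10.8 system you would run the function under sudo against /System/Library/Extensions and then touch that folder so the kernel extension cache is rebuilt on the next boot. As paulCC points out later in the thread, an OS X update can put the bundles back, so the check is worth repeating after every update.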

paulCC
May 19, 2013, 01:56 AM
As I am reading some of the replies, I think I understand your issue a bit differently: you are about to get a new MBA, you like FileVault as a means of protecting your data, but worry that the Thunderbolt port is a point of entry which can be exploited. Correct?

If this is so, destroying the TB port does not guarantee that no one will be able to get to your data. You obviously worry about a scenario where someone gets hold of your MBA. If there are people that would go to these kinds of steps to get to your data, what is there to stop them from extracting the SSD from your MBA, plugging it into an MBA that has a working TB port, and using the TB exploit that way?

I guess there might be some features of the FV encryption, that includes values tied to the computer - such as using the serial number, or other data tied to the MBA as part of the encryption scheme, which would make the "move-the-SSD-to-another-MBA" approach not work. But I have not read anywhere that this is so. Plus - it would mean that if your logic board fails, Apple could not move your SSD to a replacement unit. So I consider this unlikely - meaning the FV encryption is likely all contained on the SSD, with no part of the encryption scheme coming from the computer itself. Again, just my guess.

PaulCC.



I am about to buy myself a brand new MacBook Air when the next model comes out.

I believe in anonymity and I am beyond paranoid. I figure if I run FileVault and lock everything on my Air it will be 100% untouchable by anyone. I have done my fair share of research and this is perfect. The only issue I run into is the Thunderbolt port.

Here is an article on a company that sells the equipment needed to get into a file vault protected Mac:
http://forums.appleinsider.com/t/142622/forensics-vendor-warns-mac-os-x-filevault-vulnerable-to-decryption

They use a thunderbolt cable to get in. If I destroy the thunderbolt port there is no way of entry. So how can I permanently remove the thunderbolt port? To the point that even if I sent it in to apple they would say it is 100% impossible to fix.
Thanks all

bludsrevenge
May 19, 2013, 02:03 AM
Open Terminal and do the following

sudo mkdir "/System/Disabled Extensions"
# the quotes matter: the folder name contains a space
sudo mv /System/Library/Extensions/AppleThunderboltDPAdapters.kext "/System/Disabled Extensions"
Hit Enter
Enter Password
sudo mv /System/Library/Extensions/AppleThunderboltEDMService.kext "/System/Disabled Extensions"
Hit Enter
sudo mv /System/Library/Extensions/AppleThunderboltNHI.kext "/System/Disabled Extensions"
Hit Enter
sudo mv /System/Library/Extensions/AppleThunderboltPCIAdapters.kext "/System/Disabled Extensions"
Hit Enter
sudo mv /System/Library/Extensions/AppleThunderboltUTDM.kext "/System/Disabled Extensions"
Hit Enter

*** This provided those extensions are in the Extensions folder; if there are more like these, do the same as above. Also, if you are fast enough (about 5 minutes) you have to enter your password only once.

Note: VERY IMPORTANT, make a backup first, if anything goes wrong you might not be able to startup the Mac.

BTW, I don't believe that company, I am almost sure the problem was Direct Memory Access (DMA) and this HAS been patched.





I am pretty positive he wants to do this on the new Mac which he purchases later on.
Perry I really owe you. Thanks for all of your help.

justperry
May 19, 2013, 02:07 AM
Perry I really owe you. Thanks for all of your help.

No worries.

Just use copy paste to do the above, you can also drag and drop folders/files on the terminal to include the paths after a command.
As I said before, just look for extensions with Thunderbolt in their name and move them.

Happy "hacking":)

flynz4
May 19, 2013, 09:02 PM
If this is so, destroying the TB port does not guarantee that no one will be able to get to your data. You obviously worry about a scenario where someone gets hold of your MBA. If there are people that would go to these kinds of steps to get to your data, what is there to stop them from extracting the SSD from your MBA, plugging it into an MBA that has a working TB port, and using the TB exploit that way?

Paul,

If I understand this exploit correctly... it entails using TB to obtain encryption data out of memory... which is possible if the machine is running, or suspended. It is also my understanding that if you shut down the MBA... then the memory is cleared, and this exploit is defeated.

Hence... this is why I have always recommended completely shutting down your MBA (or MBP) whenever leaving it unattended... especially in a place where there is any real chance of inadvertent access. For me... this includes hotel rooms and such... because it just is not practical to always have my laptop with me.

/Jim

DisMyMac
May 20, 2013, 02:02 AM
You'd seriously ruin a TB port for "protection"?

justperry
May 20, 2013, 02:05 AM
You'd seriously ruin a TB port for "protection"?

If you read my post it does not destroy the port, it will only disable it.

paulCC
May 20, 2013, 04:18 AM
Yes, you are correct, my reply was nonsense :-)

I did more reading on this, and see that the exploit is through the DMA feature of FW and TB, while the machine is running, and the encryption key is in plaintext in the memory.

So disabling TB (and FW, if present on the computer) will stop this.

In addition, it seems that enabling a firmware password stops the DMA feature. So this is what I have done now. Not that I am paranoid, but this does not complicate the booting process, so why not.

I would worry about disabling TB in the software configuration, as updates of OS X might restore the drivers you remove. To me the firmware password seems more stable in the long term.

Paul.


Paul,

If I understand this exploit correctly... it entails using TB to obtain encryption data out of memory... which is possible if the machine is running, or suspended. It is also my understanding that if you shut down the MBA... then the memory is cleared, and this exploit is defeated.

Hence... this is why I have always recommended completely shutting down your MBA (or MBP) whenever leaving it unattended... especially in a place where there is any real chance of inadvertent access. For me... this includes hotel rooms and such... because it just is not practical to always have my laptop with me.

/Jim

IeU
May 20, 2013, 06:37 AM
You can destroy all the ports you like; someone can just take out the HD and access it directly. If FileVault is not enough, break the HD in two and you are good to go.

The HD is encrypted. So, no "you are good to go" . . .

Beaverman3001
May 20, 2013, 08:14 AM
Someone having physical access is no security to begin with, sans thunderbolt port or not. Until you find a way for the SSD to destroy itself upon removal it does not matter what other ports you break.

Fishrrman
May 20, 2013, 09:52 AM
Solution (from the article you listed above) is:
"The company earlier explained that the security risk is easy to overcome by simply turning off the computer instead of putting it to sleep, and disabling the "Automatic Login" setting. This way, passwords will not be present in memory and cannot be recovered."

What's so hard about that?

flynz4
May 20, 2013, 10:06 AM
Solution (from the article you listed above) is:
"The company earlier explained that the security risk is easy to overcome by simply turning off the computer instead of putting it to sleep, and disabling the "Automatic Login" setting. This way, passwords will not be present in memory and cannot be recovered."

What's so hard about that?

This has been my recommendation right along. However... it is difficult (or at least inconvenient) to shut down 100% of the time... even though it is my normal process.

I do not shut down when I am going to be away from my computer inside my house... or if I am going to get a drink of water in the office. OTOH... if I am leaving my laptop in a hotel room... I will shut down before putting it away in the hotel in-room safe (if present). At that point... combined with FV2... if my MBA is stolen... only my physical HW is lost... not my identity.

/Jim

----------

Yes, you are correct, my reply was nonsense :-)

I did more reading on this, and see that the exploit is through the DMA feature of FW and TB, while the machine is running, and the encryption key is in plaintext in the memory.

So disabling TB (and FW, if present on the computer) will stop this.

In addition, it seems that enabling a firmware password stops the DMA feature. So this is what I have done now. Not that I am paranoid, but this does not complicate the booting process, so why not.

I would worry about disabling TB in the software configuration, as updates of OS X might restore the drivers you remove. To me the firmware password seems more stable in the long term.

Paul.

Thanks for this info. I think that I will do the same. I know I can look it up... but can you tell me the procedure to set the FW password (I'm being lazy).

/Jim

adnbek
May 20, 2013, 11:44 AM
Thanks for this info. I think that I will do the same. I know I can look it up... but can you tell me the procedure to set the FW password (I'm being lazy).

/Jim

http://dailymactips.com/2012/05/04/how-to-set-a-firmware-password-in-lion/

Same process for Mountain Lion. Make sure you use a password you won't forget as there is no way to reset or remove the password if you forget it.

PraisiX-windows
May 20, 2013, 01:01 PM
Are you sure you don't want to blend the SSD with an industry approved blender now that you're at it? Just in case super advanced aliens fly in and decrypt the **** out of your SSD?
Jesus christ.

Edit:
No, wait, even more advanced extraterrestrials might show up, for your "very important" data, with the technology to perfectly reconstruct your smashed hard drive - you'd better acid the drive!

thekev
May 20, 2013, 01:04 PM
Are you sure you don't want to blend the SSD with an industry approved blender now that you're at it? Just in case super advanced aliens fly in and decrypt the **** out of your SSD?
Jesus christ.

Industry approved blender (http://www.youtube.com/watch?v=rofgMueCOqo):D?

PraisiX-windows
May 20, 2013, 01:07 PM
Industry approved blender (http://www.youtube.com/watch?v=rofgMueCOqo):D?

Otherwise it might not "secure" the data properly!

GoCubsGo
May 20, 2013, 01:18 PM
I'm super curious what activities this guy gets into on his computer that would make him so paranoid. Either way, I truly want to know if I removed the SSD from the Air then would the TB port be useful at all? It's not like data is stored within the port.

flynz4
May 20, 2013, 10:55 PM
http://dailymactips.com/2012/05/04/how-to-set-a-firmware-password-in-lion/

Same process for Mountain Lion. Make sure you use a password you won't forget as there is no way to reset or remove the password if you forget it.

Thanks... FW Password set. I've been meaning to do this. Now I do not necessarily need to power-down my machine when left in a semi-public place (like a hotel room).

I'm super curious what activities this guy gets into on his computer that would make him so paranoid. Either way, I truly want to know if I removed the SSD from the Air then would the TB port be useful at all? It's not like data is stored within the port.

I assume you are wondering about the wisdom of destroying a FW port... not using FV2 + FW Password.

/Jim

Ice-Cube
May 21, 2013, 01:52 AM
I'm suspecting its his internet history and the 'someone' is his wife. :)

Steve121178
May 23, 2013, 07:30 AM
I am about to buy myself a brand new MacBook Air when the next model comes out.

I believe in anonymity and I am beyond paranoid.

Yet you use the internet, leaving a highly visible and traceable paper trail for everything you do? And do you know how much stuff is sent to Apple and other vendors whose software you install?

You haven't really thought this through have you?

Just a heads up, but if you are serious about security why the hell are you looking at MBA? Get a laptop that suits your needs and run Linux. And I mean proper Linux, not crap like Ubuntu.

simon48
May 23, 2013, 03:10 PM
The HD is encrypted. So, no "you are good to go" . . .

???? What?

flynz4
May 23, 2013, 07:14 PM
???? What?

I believe that what he is saying is: Since the drive is encrypted... the bare drive data remains safe once out of the system.

/Jim

simon48
May 23, 2013, 07:45 PM
I believe that what he is saying is: Since the drive is encrypted... the bare drive data remains safe once out of the system.

/Jim

But the whole thread is about how that is not enough.

flynz4
May 23, 2013, 09:50 PM
But the whole thread is about how that is not enough.

No... I think you might be missing a key point. There is nothing wrong with an encrypted drive per se. An encrypted drive out of the system is safe.

The issue is that if a machine is either running or suspended... then the encryption key can be extracted from active system memory... and then the system has a vulnerability.

There are two ways to circumvent a memory resident key from being accessed:

Shut down the computer when it might be physically accessed by a 3rd party.
Use a firmware password so that the system cannot be accessed via an external boot device... including a FW or TB connection.


Either of those two actions removes the threat of this specific security threat.

A bunch of people appear to be misunderstanding that there is nothing wrong with an encrypted drive, and incorrectly believe that physical possession of an encrypted drive is insecure. They seem to be missing the fact that the real culprit in this particular example is having the key available in system memory and available to be exploited... while the encrypted drive itself is otherwise actually secure.

/Jim

P.S. I previously used method #1 above to keep my system secure... but it is impractical to shut down 100% of the time. Due to the information in this thread... I now use approach #2... which adds security, even if I do not shut down.
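The point Jim makes, that the key in RAM is what matters while the machine is running or suspended, can be checked on the machine itself. As an added example that is not from flynz4's post and not an Apple tool, the shell function below audits the two pmset settings that decide whether memory (and the FileVault key in it) stays powered during sleep: hibernatemode and destroyfvkeyonstandby. Both are real pmset keys; the sample `pmset -g` output, the function names and the message wording are constructed by me.

```shell
#!/bin/sh
# Added example (not from the thread): audit the power-management settings
# that govern whether the FileVault key survives a sleep.
#   hibernatemode 25         -> RAM is written to disk and powered off on sleep
#   destroyfvkeyonstandby 1  -> the FileVault key is discarded on standby
# The audit takes the text of `pmset -g` as a string, so it can be exercised
# offline against the constructed samples below.

# pm_value TEXT KEY -> prints the value shown for KEY in pmset -g style output
pm_value() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# audit_fv_sleep TEXT -> one line per finding; returns 0 only if both
# settings are in the hardened state.
audit_fv_sleep() {
    text=$1
    ok=0
    hm=$(pm_value "$text" hibernatemode)
    dk=$(pm_value "$text" destroyfvkeyonstandby)
    if [ "$hm" = "25" ]; then
        echo "OK   hibernatemode=25 (memory powered off on sleep)"
    else
        echo "WARN hibernatemode=${hm:-unset} (RAM, and the FV key in it, stays powered)"
        ok=1
    fi
    if [ "$dk" = "1" ]; then
        echo "OK   destroyfvkeyonstandby=1"
    else
        echo "WARN destroyfvkeyonstandby=${dk:-unset} (key kept in RAM during standby)"
        ok=1
    fi
    return $ok
}

# Constructed samples in the layout pmset -g uses; not captured from a real Mac.
SAMPLE_DEFAULT='Active Profiles:
Battery Power		-1*
Currently in use:
 hibernatemode        3
 destroyfvkeyonstandby 0
 lidwake              1
 sleep                10'

SAMPLE_HARDENED='Currently in use:
 hibernatemode        25
 destroyfvkeyonstandby 1
 sleep                10'

audit_fv_sleep "$SAMPLE_DEFAULT" \
    || echo "-> to harden: sudo pmset -a hibernatemode 25 destroyfvkeyonstandby 1"
# On a live Mac: audit_fv_sleep "$(pmset -g)"
```

With hibernatemode 25 the Mac takes noticeably longer to sleep and wake, which is the trade-off for not leaving the key in powered RAM; it complements, rather than replaces, the firmware password discussed above, since that one blocks booting from an external device while this one removes what there is to read.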

Stetrain
May 23, 2013, 09:51 PM
But the whole thread is about how that is not enough.

The thread is about the apparent ability to access an encrypted drive when the machine isn't completely powered off because the encryption key is stored in memory.

Once the machine is turned off or the drive removed from the machine that would no longer be effective.

justperry
May 24, 2013, 12:01 AM
No... I think you might be missing a key point. There is nothing wrong with an encrypted drive per se. An encrypted drive out of the system is safe.

The issue is that if a machine is either running or suspended... then the encryption key can be extracted from active system memory... and then the system has a vulnerability.

There are two ways to circumvent a memory resident key from being accessed:

Shut down the computer when it might be physically accessed by a 3rd party.
Use a firmware password so that the system cannot be accessed via an external boot device... including a FW or TB connection.


Either of those two actions removes the threat of this specific security threat.

A bunch of people appear to be misunderstanding that there is nothing wrong with an encrypted drive, and incorrectly believe that physical possession of an encrypted drive is insecure. They seem to be missing the fact that the real culprit in this particular example is having the key available in system memory and available to be exploited... while the encrypted drive itself is otherwise actually secure.

/Jim

P.S. I previously used method #1 above to keep my system secure... but it is impractical to shut down 100% of the time. Due to the information in this thread... I now use approach #2... which adds security, even if I do not shut down.


Bold
Three, disabling the Thunderbolt extensions is another one.

dyn
May 25, 2013, 06:44 PM
Bold
Three, disabling the Thunderbolt extensions is another one.
In that case you are wrong too. There are many more ways of destroying the TB port. You could desolder it for example. All of those are impractical. The two mentioned are the most practical and useful ways of avoiding the issue.

Siderz
May 25, 2013, 07:38 PM
Plot twist: His friend needs the Thunderbolt port, and so OP wants to destroy it so that he can no longer use the device.

Why don't you just open the MBA and physically remove the port?

andiwm2003
May 25, 2013, 07:53 PM
I'm super curious what activities this guy gets into on his computer that would make him so paranoid. Either way, I truly want to know if I removed the SSD from the Air then would the TB port be useful at all? It's not like data is stored within the port.

While this all sounds paranoid there are scenarios where this paranoia is warranted.

I'm working for a biotech, and on my computer are project plans, chemical structures that are not patented yet and such stuff. When I'm at a conference, usually the entire industry is booked in the same hotels, and it's conceivable that someone, for the heck of it, downloads a bunch of laptop HDs and figures out who is doing what.

Other scenarios are that I have unpublished clinical trial results on my HD and someone could use the information to buy/sell stocks. We had our company broken into and all computers stolen a few years ago. Luckily the thieves seem to have been interested in the hardware only.

dyn
May 28, 2013, 02:34 PM
If you put that much data on a notebook it means that you haven't thought it through. Always carefully decide what data to bring along and what not. Also carefully decide how you bring it. Do you put it on just the drive with whole disk encryption turned on or do you put it in a secured Truecrypt container on a drive with whole disk encryption turned on whilst only powering the machine when necessary? Do you even put it on the notebook or keep it stored elsewhere that you can safely access?

It's not just whole disk encryption you need to think about in that case!

DisplacedMic
May 28, 2013, 07:03 PM
I'm suspecting its his internet history and the 'someone' is his wife. :)

seriously. just get one of these

http://media.boingboing.net/wp-content/uploads/2013/01/JTpDI1.jpg

cyclotron451
May 29, 2013, 04:55 AM
The LN2 attack involves cooling the MBA rapidly down to minus 321 degrees Fahrenheit, which preserves the RAM contents for quite some time, potentially allowing the whole-disk-encryption key to be recovered from RAM, even in a powered-off MBA.

The SSD on the MBA, being an SSD, never actually quite deletes data, the trim algorithm presumably keeps writing the whole-disk-encryption key all over the place, such that even a NIST military 'data destruction' overwrite on the SSD isn't actually guaranteed to overwrite your sensitive stuff.

Some Three letter Acronym organisations glue/seal items to block USB & other ports for their staff devices. (a 'cheap' Apple A1305 or similar DVI adapter could have the bare TB connector removed and superglued into the port, I wouldn't do anything more aggressive than that to an Apple MB/MBA)

Machines that are über-protected in any of these ways are easily persuaded to reveal their contents via social engineering = targeted Phish APT or by essential system upgrade components being subverted ( = iTunes upgrades allegedly used by FinFisher in the past) or by generic *.* Certificate Authority SSL certificates (which are still in use for Enterprise and National security means)

The various whole disk encryption schemes might be assumed to have essential third-party maintenance access capabilities anyway.

The sound that your keyboard makes when you type your decrypt passwd can be used to 'guess' it, likewise many keyboards radiate sufficient RF for the keypresses to be scanned from a short distance (I've seen reading at three floors distance in a hotel! - with around $1K of Ettus products used)

It's best to have a vanilla machine , use it normally and store your secrets in a safe! (or saran-wrap covered 64GB microSD card retained in your mouth)

For realistic data security you have to assume your opponents are already in your system, so use multiple independent elements of security.

There are some situations where these 'paranoid' levels of security are necessary - journalism comes to mind in some countries, but on the whole I do trust my national authorities with all of my data.

Ross Anderson has another 600 pages on the subject here Cambridge UK (http://www.cl.cam.ac.uk/~rja14/musicfiles/manuscripts/SEv1.pdf)

marvin4653
May 31, 2013, 06:36 PM
Wasn't the FireWire/Thunderbolt DMA vector patched in 10.7.2 for all states except when a user is actively logged in (i.e. the attack isn't possible if the computer is idle with a screensaver and password prompt, or sleeping with a password prompt on wake)?

http://support.apple.com/kb/HT5002

mizzouxc
May 31, 2013, 10:25 PM
Someone could hack you via your Internet connection. You should maybe just not use computers.