
bludsrevenge

macrumors newbie
Original poster
Oct 11, 2011
20
0
I am about to buy myself a brand new MacBook Air when the next model comes out.

I believe in anonymity and I am beyond paranoid. I figure if I run FileVault and lock everything on my Air it will be 100% untouchable by anyone. I have done my fair share of research and this is perfect. The only issue I run into is the Thunderbolt port.

Here is an article on a company that sells the equipment needed to get into a file vault protected Mac:
http://forums.appleinsider.com/t/142622/forensics-vendor-warns-mac-os-x-filevault-vulnerable-to-decryption

They use a Thunderbolt cable to get in. If I destroy the Thunderbolt port there is no way of entry. So how can I permanently remove the Thunderbolt port? To the point that even if I sent it in to Apple they would say it is 100% impossible to fix.
Thanks all
 

justperry

macrumors G5
Aug 10, 2007
12,553
9,745
I'm a rolling stone.
It's probably the same technique as getting into the Mac with Firewire (Tl;Dr), if that is the case you don't have to worry since that hole has been patched quite a while ago.
It was accessing memory directly and this has been patched.
 

simon48

macrumors 65816
Sep 1, 2010
1,315
88
You can destroy all the ports you like, someone can just take out the HD and access it directly. If FileVault is not enough, break the HD in two and you are good to go.
 

bludsrevenge

macrumors newbie
Original poster
Oct 11, 2011
20
0
> It's probably the same technique as getting into the Mac with Firewire (Tl;Dr), if that is the case you don't have to worry since that hole has been patched quite a while ago.
> It was accessing memory directly and this has been patched.
I messaged the company who makes the product and they said their equipment is up to date with the latest model of MacBook Air and still works. This leads me to believe that the exploit is still there via Thunderbolt.
Does anyone know a way to destroy it?
 

justperry

macrumors G5
Aug 10, 2007
12,553
9,745
I'm a rolling stone.
> I messaged the company who makes the product and they said their equipment is up to date with the latest model of MacBook Air and still works. This leads me to believe that the exploit is still there via Thunderbolt.
> Does anyone know a way to destroy it?

You don't have to physically destroy Thunderbolt. There are some Thunderbolt extensions in the /System/Library/Extensions folder; move them out to, for instance, /System/Library/ and Thunderbolt won't work anymore.

These are the ones I have in 10.8.3

AppleThunderboltDPAdapters.kext
AppleThunderboltEDMService.kext
AppleThunderboltNHI.kext
AppleThunderboltPCIAdapters.kext
AppleThunderboltUTDM.kext

I think the bolded one is the one which disables the port.

I myself moved them out of the Extensions folder for other reasons.
Everything still works.

You can move them out with root or in the terminal, if you need help tell me and I will explain.
 

bludsrevenge

macrumors newbie
Original poster
Oct 11, 2011
20
0
> You don't have to physically destroy Thunderbolt. There are some Thunderbolt extensions in the /System/Library/Extensions folder; move them out to, for instance, /System/Library/ and Thunderbolt won't work anymore.
>
> These are the ones I have in 10.8.3
>
> AppleThunderboltDPAdapters.kext
> AppleThunderboltEDMService.kext
> AppleThunderboltNHI.kext
> AppleThunderboltPCIAdapters.kext
> AppleThunderboltUTDM.kext
>
> I think the bolded one is the one which disables the port.
>
> I myself moved them out of the Extensions folder for other reasons.
> Everything still works.
> You can move them out with root or in the terminal, if you need help tell me and I will explain.

If you could step by step explain I would be very grateful. I am purchasing the machine when the new model comes out so I assume it would be the same for the new machine.

I would just purchase the 2010 model which does not have a Thunderbolt port, but the RAM isn't enough for my work. Without 8 GB of RAM the computer is useless to me.
 

opinio

macrumors 65816
Mar 23, 2013
1,171
7
> I am about to buy myself a brand new MacBook Air when the next model comes out.
>
> I believe in anonymity and I am beyond paranoid. I figure if I run FileVault and lock everything on my Air it will be 100% untouchable by anyone. I have done my fair share of research and this is perfect. The only issue I run into is the Thunderbolt port.
>
> Here is an article on a company that sells the equipment needed to get into a FileVault protected Mac:
> http://forums.appleinsider.com/t/14...s-mac-os-x-filevault-vulnerable-to-decryption
>
> They use a Thunderbolt cable to get in. If I destroy the Thunderbolt port there is no way of entry. So how can I permanently remove the Thunderbolt port? To the point that even if I sent it in to Apple they would say it is 100% impossible to fix.
> Thanks all

Why don't you run a secure erase on the SSD? I use Parted Magic on a Linux boot disk, which runs a command on the SSD itself to reset the SSD to factory.
 

justperry

macrumors G5
Aug 10, 2007
12,553
9,745
I'm a rolling stone.
> If you could step by step explain I would be very grateful. I am purchasing the machine when the new model comes out so I assume it would be the same for the new machine.
>
> I would just purchase the 2010 model which does not have a Thunderbolt port, but the RAM isn't enough for my work. Without 8 GB of RAM the computer is useless to me.

Open Terminal and do the following

sudo mkdir "/System/Disabled Extensions"
# the quotes keep the space in the folder name from splitting the path into two arguments
sudo mv /System/Library/Extensions/AppleThunderboltDPAdapters.kext "/System/Disabled Extensions"
Hit Enter
Enter Password
sudo mv /System/Library/Extensions/AppleThunderboltEDMService.kext "/System/Disabled Extensions"
Hit Enter
sudo mv /System/Library/Extensions/AppleThunderboltNHI.kext "/System/Disabled Extensions"
Hit Enter
sudo mv /System/Library/Extensions/AppleThunderboltPCIAdapters.kext "/System/Disabled Extensions"
Hit Enter
sudo mv /System/Library/Extensions/AppleThunderboltUTDM.kext "/System/Disabled Extensions"
Hit Enter

*** This is provided those extensions are in the Extensions folder; if there are more like these, do the same as above. Also, if you are fast enough (about 5 minutes) you have to enter your password only once.

Note: VERY IMPORTANT, make a backup first, if anything goes wrong you might not be able to startup the Mac.

BTW, I don't believe that company, I am almost sure the problem was Direct Memory Access (DMA) and this HAS been patched.



> Why don't you run a secure erase on the SSD? I use Parted Magic on a Linux boot disk, which runs a command on the SSD itself to reset the SSD to factory.

I am pretty positive he wants to do this on the new Mac which he purchases later on.
 
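The same kext-moving procedure, as an added shell example that is not part of this thread and not justperry's own commands: it quotes the paths (so the space in "Disabled Extensions" cannot split the command), records what it moved so the change can be undone, and gives a check that can be re-run after an OS update to confirm no Thunderbolt driver is loaded. It assumes the bundle names start with AppleThunderbolt (as in the 10.8.3 list above), that the bundle IDs shown by kextstat contain com.apple.driver.AppleThunderbolt, a pre-SIP OS X where /System/Library is writable by root (on 10.11 and later System Integrity Protection blocks this), and that a full backup exists. The function names and the sample kextstat lines are hypothetical and constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Moves Thunderbolt kexts out of the
# Extensions folder so the driver stack is never loaded, keeps an undo list,
# and checks kextstat output. Function names are hypothetical.

# disable_thunderbolt_kexts EXT_DIR DISABLED_DIR
# Moves every AppleThunderbolt*.kext bundle from EXT_DIR into DISABLED_DIR,
# records each original path in DISABLED_DIR/moved.list, prints the count.
disable_thunderbolt_kexts() {
    ext_dir="$1"
    disabled_dir="$2"
    # Quoted: an unquoted "/System/Disabled Extensions" becomes two arguments.
    mkdir -p "$disabled_dir"
    moved=0
    for kext in "$ext_dir"/AppleThunderbolt*.kext; do
        # A non-matching glob is returned literally; skip it.
        [ -e "$kext" ] || continue
        name=$(basename "$kext")
        mv "$kext" "$disabled_dir/$name"
        printf '%s\n' "$kext" >> "$disabled_dir/moved.list"
        moved=$((moved + 1))
    done
    echo "$moved"
}

# restore_thunderbolt_kexts DISABLED_DIR
# Undo: moves every bundle named in moved.list back to its original path
# and prints how many were restored.
restore_thunderbolt_kexts() {
    disabled_dir="$1"
    list="$disabled_dir/moved.list"
    [ -f "$list" ] || { echo 0; return 0; }
    restored=0
    while IFS= read -r orig; do
        name=$(basename "$orig")
        if [ -e "$disabled_dir/$name" ]; then
            mv "$disabled_dir/$name" "$orig"
            restored=$((restored + 1))
        fi
    done < "$list"
    rm -f "$list"
    echo "$restored"
}

# thunderbolt_kexts_loaded KEXTSTAT_OUTPUT
# Counts loaded Thunderbolt drivers in the text of `kextstat`. Run after
# every OS update, since an update may put the drivers back.
thunderbolt_kexts_loaded() {
    printf '%s\n' "$1" | grep -c 'com\.apple\.driver\.AppleThunderbolt' || true
}

# The real change only runs when explicitly requested:
#   sudo sh disable_tb.sh --apply
# Touching the Extensions folder makes OS X rebuild the kernel cache on the
# next boot so the moved drivers are not loaded from a stale cache.
if [ "${1:-}" = "--apply" ]; then
    n=$(disable_thunderbolt_kexts /System/Library/Extensions "/System/Disabled Extensions")
    echo "moved $n Thunderbolt kext(s)"
    touch /System/Library/Extensions
    echo "still loaded: $(thunderbolt_kexts_loaded "$(kextstat)")"
fi
```

After a reboot, `thunderbolt_kexts_loaded "$(kextstat)"` should print 0; a non-zero count after a later software update means the drivers came back and the move has to be repeated.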

paulCC

macrumors regular
Nov 2, 2012
100
59
As I am reading some of the replies, I think I understand your issue a bit differently - you are about to get a new MBA, you like Filevault as means of protecting your data, but worry that the Thunderbolt is a point of entry, which can be exploited. Correct ?

If this is so, destroying the TB port does not guarantee that no one will be able to get to your data. You obviously worry about a scenario where someone gets hold of your MBA. If there are people that would go to these kinds of steps to get to your data, what is there to stop them from extracting the SSD part from your MBA, plugging it into an MBA that has the TB port working, and using the TB exploit this way?

I guess there might be some features of the FV encryption, that includes values tied to the computer - such as using the serial number, or other data tied to the MBA as part of the encryption scheme, which would make the "move-the-SSD-to-another-MBA" approach not work. But I have not read anywhere that this is so. Plus - it would mean that if your logic board fails, Apple could not move your SSD to a replacement unit. So I consider this unlikely - meaning the FV encryption is likely all contained on the SSD, with no part of the encryption scheme coming from the computer itself. Again, just my guess.

PaulCC.



> I am about to buy myself a brand new MacBook Air when the next model comes out.
>
> I believe in anonymity and I am beyond paranoid. I figure if I run FileVault and lock everything on my Air it will be 100% untouchable by anyone. I have done my fair share of research and this is perfect. The only issue I run into is the Thunderbolt port.
>
> Here is an article on a company that sells the equipment needed to get into a FileVault protected Mac:
> http://forums.appleinsider.com/t/14...s-mac-os-x-filevault-vulnerable-to-decryption
>
> They use a Thunderbolt cable to get in. If I destroy the Thunderbolt port there is no way of entry. So how can I permanently remove the Thunderbolt port? To the point that even if I sent it in to Apple they would say it is 100% impossible to fix.
> Thanks all
 

bludsrevenge

macrumors newbie
Original poster
Oct 11, 2011
20
0
> Open Terminal and do the following
>
> sudo mkdir "/System/Disabled Extensions"
> # the quotes keep the space in the folder name from splitting the path into two arguments
> sudo mv /System/Library/Extensions/AppleThunderboltDPAdapters.kext "/System/Disabled Extensions"
> Hit Enter
> Enter Password
> sudo mv /System/Library/Extensions/AppleThunderboltEDMService.kext "/System/Disabled Extensions"
> Hit Enter
> sudo mv /System/Library/Extensions/AppleThunderboltNHI.kext "/System/Disabled Extensions"
> Hit Enter
> sudo mv /System/Library/Extensions/AppleThunderboltPCIAdapters.kext "/System/Disabled Extensions"
> Hit Enter
> sudo mv /System/Library/Extensions/AppleThunderboltUTDM.kext "/System/Disabled Extensions"
> Hit Enter
>
> *** This is provided those extensions are in the Extensions folder; if there are more like these, do the same as above. Also, if you are fast enough (about 5 minutes) you have to enter your password only once.
>
> Note: VERY IMPORTANT, make a backup first, if anything goes wrong you might not be able to startup the Mac.
>
> BTW, I don't believe that company, I am almost sure the problem was Direct Memory Access (DMA) and this HAS been patched.
>
> I am pretty positive he wants to do this on the new Mac which he purchases later on.
Perry I really owe you. Thanks for all of your help.
 

justperry

macrumors G5
Aug 10, 2007
12,553
9,745
I'm a rolling stone.
> Perry I really owe you. Thanks for all of your help.

No worries.

Just use copy and paste to do the above; you can also drag and drop folders/files onto the Terminal to include the paths after a command.
As I said before, just look for extensions with Thunderbolt in their name and move them.

Happy "hacking":)
 

flynz4

macrumors 68040
Aug 9, 2009
3,242
126
Portland, OR
> If this is so, destroying the TB port does not guarantee that no one will be able to get to your data. You obviously worry about a scenario where someone gets hold of your MBA. If there are people that would go to these kinds of steps to get to your data, what is there to stop them from extracting the SSD part from your MBA, plugging it into an MBA that has the TB port working, and using the TB exploit this way?

Paul,

If I understand this exploit correctly... it entails using TB to obtain encryption data out of memory... which is possible if the machine is running, or suspended. It is also my understanding that if you shut down the MBA... then the memory is cleared, and this exploit is defeated.

Hence... this is why I have always recommended to completely shut down your MBA (or MBP) whenever leaving it unattended... especially in a place where there is any real chance of inadvertent access. For me... this includes hotel rooms and such... because it just is not practical to always have my laptop with me.

/Jim
 

paulCC

macrumors regular
Nov 2, 2012
100
59
Yes, you are correct, my reply was nonsense :)

I did more reading on this, and see that the exploit is through the DMA feature of FW and TB, while the machine is running, and the encryption key is in plaintext in the memory.

So disabling TB ( and FW, if present on the computer ) will stop this.

In addition, it seems that enabling a firmware password stops the DMA feature. So this is what I have done now. Not that I am paranoid, but this does not complicate the booting process, so why not.

I would worry about disabling TB in the software configuration, as updates of OS X might restore the drivers you remove. To me the firmware password seems more stable in the long term.

Paul.


> Paul,
>
> If I understand this exploit correctly... it entails using TB to obtain encryption data out of memory... which is possible if the machine is running, or suspended. It is also my understanding that if you shut down the MBA... then the memory is cleared, and this exploit is defeated.
>
> Hence... this is why I have always recommended to completely shut down your MBA (or MBP) whenever leaving it unattended... especially in a place where there is any real chance of inadvertent access. For me... this includes hotel rooms and such... because it just is not practical to always have my laptop with me.
>
> /Jim
 

IeU

macrumors member
May 1, 2011
95
6
> You can destroy all the ports you like, someone can just take out the HD and access it directly. If FileVault is not enough, break the HD in two and you are good to go.

The HD is encrypted. So, no "you are good to go" . . .
 

Beaverman3001

macrumors 6502a
May 20, 2010
554
55
Someone having physical access is no security to begin with, sans thunderbolt port or not. Until you find a way for the SSD to destroy itself upon removal it does not matter what other ports you break.
 

Fishrrman

macrumors Penryn
Feb 20, 2009
28,241
12,388
Solution (from the article you listed above) is:
"The company earlier explained that the security risk is easy to overcome by simply turning off the computer instead of putting it to sleep, and disabling the "Automatic Login" setting. This way, passwords will not be present in memory and cannot be recovered."

What's so hard about that?
 

flynz4

macrumors 68040
Aug 9, 2009
3,242
126
Portland, OR
> Solution (from the article you listed above) is:
> "The company earlier explained that the security risk is easy to overcome by simply turning off the computer instead of putting it to sleep, and disabling the "Automatic Login" setting. This way, passwords will not be present in memory and cannot be recovered."
>
> What's so hard about that?

This has been my recommendation right along. However... it is difficult (or at least inconvenient) to shut down 100% of the time... even though it is my normal process.

I do not shut down when I am going to be away from my computer inside of my house... or if I am going to get a drink of water in the office. OTOH... if I am leaving my laptop in a hotel room... I will shut down before putting it away in the hotel in-room safe (if present). At that point... combined with FV2... if my MBA is stolen... only my physical HW is lost... not my identity.

/Jim

----------

> Yes, you are correct, my reply was nonsense :)
>
> I did more reading on this, and see that the exploit is through the DMA feature of FW and TB, while the machine is running, and the encryption key is in plaintext in the memory.
>
> So disabling TB ( and FW, if present on the computer ) will stop this.
>
> In addition, it seems that enabling a firmware password stops the DMA feature. So this is what I have done now. Not that I am paranoid, but this does not complicate the booting process, so why not.
>
> I would worry about disabling TB in the software configuration, as updates of OS X might restore the drivers you remove. To me the firmware password seems more stable in the long term.
>
> Paul.

Thanks for this info. I think that I will do the same. I know I can look it up... but can you tell me the procedure to set the firmware password (I'm being lazy).

/Jim
 

PraisiX-windows

macrumors regular
May 19, 2011
185
0
Are you sure you don't want to blend the SSD with an industry-approved blender now that you're at it? Just in case super advanced aliens fly in and decrypt the **** out of your SSD?
Jesus Christ.

Edit:
No, wait, even more advanced extraterrestrials might show up, for your "very important" data, with the technology to perfectly reconstruct your smashed hard drive - you better acid the drive!
 