Old May 18, 2013, 10:58 PM   #1
bludsrevenge
macrumors newbie
 
Join Date: Oct 2011
Need help destroying the thunderbolt port on air

I am about to buy myself a brand new MacBook Air when the next model comes out.

I believe in anonymity and I am beyond paranoid. I figure if I run FileVault and lock everything on my Air it will be 100% untouchable by anyone. I have done my fair share of research and this is perfect. The only issue I run into is the Thunderbolt port.

Here is an article on a company that sells the equipment needed to get into a FileVault-protected Mac:
http://forums.appleinsider.com/t/142622/forensics-vendor-warns-mac-os-x-filevault-vulnerable-to-decryption

They use a Thunderbolt cable to get in. If I destroy the Thunderbolt port there is no way of entry. So how can I permanently remove the Thunderbolt port? To the point that even if I sent it in to Apple they would say it is 100% impossible to fix.
Thanks all
Old May 18, 2013, 11:08 PM   #2
justperry
macrumors 603
 
Join Date: Aug 2007
Location: 7 Km South of an active upside down (boat) volcano.
It's probably the same technique as getting into the Mac with Firewire (Tl;Dr), if that is the case you don't have to worry since that hole has been patched quite a while ago.
It was accessing memory directly and this has been patched.
Old May 18, 2013, 11:34 PM   #3
blueroom
macrumors 603
 
Join Date: Feb 2009
Location: Toronto, Canada
Take a hammer to the SSD. Acid would work too.
__________________
My iOS devices are not jailbroken.
Bill
My Blog
Old May 18, 2013, 11:47 PM   #4
Mrbobb
macrumors 601
 
Join Date: Aug 2012
So what kind of illegal thing are you getting into?
__________________
Solution: FREE, Explanation: Is gonna cost ya.
Old May 19, 2013, 12:08 AM   #5
simon48
macrumors 65816
 
Join Date: Sep 2010
You can destroy all ports you like, someone can just take out the HD and access it directly. If FileVault is not enough, break the HD in two and you are good to go.
Old May 19, 2013, 01:00 AM   #6
bludsrevenge
Thread Starter
macrumors newbie
 
Join Date: Oct 2011
Quote:
Originally Posted by justperry View Post
It's probably the same technique as getting into the Mac with Firewire (Tl;Dr), if that is the case you don't have to worry since that hole has been patched quite a while ago.
It was accessing memory directly and this has been patched.
I messaged the company who makes the product and they said their equipment is up to date with the latest model of MacBook Air and still works. This leads me to believe that the exploit is still there via Thunderbolt.
Does anyone know a way to destroy it?
Old May 19, 2013, 01:11 AM   #7
justperry
macrumors 603
 
Join Date: Aug 2007
Location: 7 Km South of an active upside down (boat) volcano.
Quote:
Originally Posted by bludsrevenge View Post
I messaged the company who makes the product and they said their equipment is up to date with the latest model of MacBook Air and still works. This leads me to believe that the exploit is still there via Thunderbolt.
Does anyone know a way to destroy it?
You don't have to physically destroy Thunderbolt, there are some Thunderbolt extensions in the /System/Library/Extensions folder, move them out to, for instance, /System/Library/ and Thunderbolt won't work anymore.

These are the ones I have in 10.8.3

AppleThunderboltDPAdapters.kext
AppleThunderboltEDMService.kext
AppleThunderboltNHI.kext
AppleThunderboltPCIAdapters.kext
AppleThunderboltUTDM.kext

I think the bolded one is the one which disables the port.

I myself moved them out of the Extensions folder for other reasons.
Everything still works.

You can move them out with root or in the terminal, if you need help tell me and I will explain.
Old May 19, 2013, 01:23 AM   #8
bludsrevenge
Thread Starter
macrumors newbie
 
Join Date: Oct 2011
Quote:
Originally Posted by justperry View Post
You don't have to physically destroy Thunderbolt, there are some Thunderbolt extensions in the /System/Library/Extensions folder, move them out to, for instance, /System/Library/ and Thunderbolt won't work anymore.

These are the ones I have in 10.8.3

AppleThunderboltDPAdapters.kext
AppleThunderboltEDMService.kext
AppleThunderboltNHI.kext
AppleThunderboltPCIAdapters.kext
AppleThunderboltUTDM.kext

I think the bolded one is the one which disables the port.

I myself moved them out of the Extensions folder for other reasons.
Everything still works.
You can move them out with root or in the terminal, if you need help tell me and I will explain.
If you could step by step explain I would be very grateful. I am purchasing the machine when the new model comes out so I assume it would be the same for the new machine.

I would just purchase the 2010 model which does not have a thunderbolt port, but the ram isn't enough for my work. Without 8gb ram the computer is useless to me.
Old May 19, 2013, 01:35 AM   #9
opinio
macrumors 65816
 
Join Date: Mar 2013
Quote:
Originally Posted by bludsrevenge View Post
I am about to buy myself a brand new MacBook Air when the next model comes out.

I believe in anonymity and I am beyond paranoid. I figure if I run FileVault and lock everything on my Air it will be 100% untouchable by anyone. I have done my fair share of research and this is perfect. The only issue I run into is the Thunderbolt port.

Here is an article on a company that sells the equipment needed to get into a FileVault-protected Mac:
http://forums.appleinsider.com/t/142...-to-decryption

They use a Thunderbolt cable to get in. If I destroy the Thunderbolt port there is no way of entry. So how can I permanently remove the Thunderbolt port? To the point that even if I sent it in to Apple they would say it is 100% impossible to fix.
Thanks all
Why don't you run a secure erase on the SSD? I use Parted Magic on a Linux boot disk which runs a command on the SSD itself to reset the SSD to factory.
Old May 19, 2013, 01:41 AM   #10
justperry
macrumors 603
 
Join Date: Aug 2007
Location: 7 Km South of an active upside down (boat) volcano.
Quote:
Originally Posted by bludsrevenge View Post
If you could step by step explain I would be very grateful. I am purchasing the machine when the new model comes out so I assume it would be the same for the new machine.

I would just purchase the 2010 model which does not have a thunderbolt port, but the ram isn't enough for my work. Without 8gb ram the computer is useless to me.
Open Terminal and do the following

sudo mkdir "/System/Disabled Extensions"
sudo mv /System/Library/Extensions/AppleThunderboltDPAdapters.kext "/System/Disabled Extensions"
Hit Enter
Enter Password
sudo mv /System/Library/Extensions/AppleThunderboltEDMService.kext "/System/Disabled Extensions"
Hit Enter
sudo mv /System/Library/Extensions/AppleThunderboltNHI.kext "/System/Disabled Extensions"
Hit Enter
sudo mv /System/Library/Extensions/AppleThunderboltPCIAdapters.kext "/System/Disabled Extensions"
Hit Enter
sudo mv /System/Library/Extensions/AppleThunderboltUTDM.kext "/System/Disabled Extensions"
Hit Enter

*** This is provided those extensions are in the Extensions folder; if there are more like these, do the same as above. Also, if you are fast enough (about 5 minutes), you have to enter your password only once.

Note: VERY IMPORTANT, make a backup first, if anything goes wrong you might not be able to start up the Mac.

BTW, I don't believe that company, I am almost sure the problem was Direct Memory Access (DMA) and this HAS been patched.



Quote:
Originally Posted by opinio View Post
Why don't you run a secure erase on the SSD? I use Parted Magic on a Linux boot disk which runs a command on the SSD itself to reset the SSD to factory.
I am pretty positive he wants to do this on the new Mac which he purchases later on.

Last edited by justperry; May 19, 2013 at 01:58 AM.
Old May 19, 2013, 01:56 AM   #11
paulCC
macrumors member
 
Join Date: Nov 2012
As I am reading some of the replies, I think I understand your issue a bit differently - you are about to get a new MBA, you like FileVault as a means of protecting your data, but worry that the Thunderbolt is a point of entry, which can be exploited. Correct?

If this is so, destroying the TB port does not guarantee that no one will be able to get to your data. You obviously worry about a scenario where someone gets hold of your MBA. If there are people that would go to these kinds of steps to get to your data, what is there to stop them from extracting the SSD part from your MBA, plugging it into an MBA that has the TB port working, and using the TB exploit this way?

I guess there might be some features of the FV encryption, that includes values tied to the computer - such as using the serial number, or other data tied to the MBA as part of the encryption scheme, which would make the "move-the-SSD-to-another-MBA" approach not work. But I have not read anywhere that this is so. Plus - it would mean that if your logic board fails, Apple could not move your SSD to a replacement unit. So I consider this unlikely - meaning the FV encryption is likely all contained on the SSD, with no part of the encryption scheme coming from the computer itself. Again, just my guess.

PaulCC.



Quote:
Originally Posted by bludsrevenge View Post
I am about to buy myself a brand new MacBook Air when the next model comes out.

I believe in anonymity and I am beyond paranoid. I figure if I run FileVault and lock everything on my Air it will be 100% untouchable by anyone. I have done my fair share of research and this is perfect. The only issue I run into is the Thunderbolt port.

Here is an article on a company that sells the equipment needed to get into a FileVault-protected Mac:
http://forums.appleinsider.com/t/142...-to-decryption

They use a Thunderbolt cable to get in. If I destroy the Thunderbolt port there is no way of entry. So how can I permanently remove the Thunderbolt port? To the point that even if I sent it in to Apple they would say it is 100% impossible to fix.
Thanks all
Old May 19, 2013, 02:03 AM   #12
bludsrevenge
Thread Starter
macrumors newbie
 
Join Date: Oct 2011
Quote:
Originally Posted by justperry View Post
Open Terminal and do the following

sudo mkdir "/System/Disabled Extensions"
sudo mv /System/Library/Extensions/AppleThunderboltDPAdapters.kext "/System/Disabled Extensions"
Hit Enter
Enter Password
sudo mv /System/Library/Extensions/AppleThunderboltEDMService.kext "/System/Disabled Extensions"
Hit Enter
sudo mv /System/Library/Extensions/AppleThunderboltNHI.kext "/System/Disabled Extensions"
Hit Enter
sudo mv /System/Library/Extensions/AppleThunderboltPCIAdapters.kext "/System/Disabled Extensions"
Hit Enter
sudo mv /System/Library/Extensions/AppleThunderboltUTDM.kext "/System/Disabled Extensions"
Hit Enter

*** This is provided those extensions are in the Extensions folder; if there are more like these, do the same as above. Also, if you are fast enough (about 5 minutes), you have to enter your password only once.

Note: VERY IMPORTANT, make a backup first, if anything goes wrong you might not be able to start up the Mac.

BTW, I don't believe that company, I am almost sure the problem was Direct Memory Access (DMA) and this HAS been patched.





I am pretty positive he wants to do this on the new Mac which he purchases later on.
Perry I really owe you. Thanks for all of your help.
Old May 19, 2013, 02:07 AM   #13
justperry
macrumors 603
 
Join Date: Aug 2007
Location: 7 Km South of an active upside down (boat) volcano.
Quote:
Originally Posted by bludsrevenge View Post
Perry I really owe you. Thanks for all of your help.
No worries.

Just use copy paste to do the above, you can also drag and drop folders/files on the terminal to include the paths after a command.
As I said before, just look for extensions with Thunderbolt in its name and move them.

Happy "hacking"
Old May 19, 2013, 09:02 PM   #14
flynz4
macrumors 68040
 
Join Date: Aug 2009
Location: Portland, OR
Quote:
Originally Posted by paulCC View Post
If this is so, destroying the TB port does not guarantee that no one will be able to get to your data. You obviously worry about a scenario where someone gets hold of your MBA. If there are people that would go to these kinds of steps to get to your data, what is there to stop them from extracting the SSD part from your MBA, plugging it into an MBA that has the TB port working, and using the TB exploit this way?
Paul,

If I understand this exploit correctly... it entails using TB to obtain encryption data out of memory... which is possible if the machine is running, or suspended. It is also my understanding that if you shut down the MBA... then the memory is cleared, and this exploit is defeated.

Hence... this is why I have always recommended to completely shut down your MBA (or MBP) whenever leaving it unattended... especially in a place where there is any real chance of inadvertent access. For me... this includes hotel rooms and such... because it just is not practical to always have my laptop with me.

/Jim
Old May 20, 2013, 02:02 AM   #15
DisMyMac
macrumors 65816
 
Join Date: Sep 2009
You'd seriously ruin a TB port for "protection"?
Old May 20, 2013, 02:05 AM   #16
justperry
macrumors 603
 
Join Date: Aug 2007
Location: 7 Km South of an active upside down (boat) volcano.
Quote:
Originally Posted by DisMyMac View Post
You'd seriously ruin a TB port for "protection"?
If you read my post it does not destroy the port, it will only disable it.
Old May 20, 2013, 04:18 AM   #17
paulCC
macrumors member
 
Join Date: Nov 2012
Yes, you are correct, my reply was nonsense :-)

I did more reading on this, and see that the exploit is through the DMA feature of FW and TB, while the machine is running, and the encryption key is in plaintext in the memory.

So disabling TB (and FW, if present on the computer) will stop this.

In addition, it seems that enabling Firmware password stops the DMA feature. So this is what I have done now. Not that I am paranoid, but this does not complicate the booting process, so why not.

I would worry about disabling the TB in software configuration, as updates of OS X might restore the drivers you remove. To me the firmware password seems more stable in the long term.

Paul.


Quote:
Originally Posted by flynz4 View Post
Paul,

If I understand this exploit correctly... it entails using TB to obtain encryption data out of memory... which is possible if the machine is running, or suspended. It is also my understanding that if you shut down the MBA... then the memory is cleared, and this exploit is defeated.

Hence... this is why I have always recommended to completely shut down your MBA (or MBP) whenever leaving it unattended... especially in a place where there is any real chance of inadvertent access. For me... this includes hotel rooms and such... because it just is not practical to always have my laptop with me.

/Jim
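paulCC's concern above, that an OS X update might restore the removed drivers, can be checked after each update. The shell script below is an added example, not code from the thread: it reports Thunderbolt kexts found in an Extensions folder or in saved `kextstat` output. The function names, the sample folder and the sample `kextstat` lines are constructed for illustration; the five kext names are the ones listed in the thread for 10.8.3.

```sh
#!/bin/sh
# Added example, not from the thread: report Thunderbolt kexts that are back
# on disk or loaded, for instance after an OS X update restored them.

# The five names listed in the thread for OS X 10.8.3.
TB_KEXTS="AppleThunderboltDPAdapters AppleThunderboltEDMService \
AppleThunderboltNHI AppleThunderboltPCIAdapters AppleThunderboltUTDM"

# Print the name of every AppleThunderbolt*.kext bundle in directory $1.
# The glob also catches Thunderbolt kexts the thread did not list.
kexts_on_disk() {
    for k in "$1"/AppleThunderbolt*.kext; do
        if [ -d "$k" ]; then basename "$k" .kext; fi
    done
}

# Read saved `kextstat` output on stdin; print loaded Thunderbolt bundle ids.
# Column 6 of kextstat output is the bundle identifier.
kexts_loaded() {
    awk '$6 ~ /AppleThunderbolt/ { print $6 }'
}

# Audit Extensions directory $1 and saved kextstat output file $2.
# Returns 0 when nothing Thunderbolt-related is found, 1 otherwise.
audit_thunderbolt() {
    disk=$(kexts_on_disk "$1")
    loaded=$(kexts_loaded < "$2")
    if [ -z "$disk" ] && [ -z "$loaded" ]; then
        echo "OK: no Thunderbolt kexts on disk or loaded"
        return 0
    fi
    for name in $disk; do
        case " $TB_KEXTS " in
            *" $name "*) echo "ON DISK (listed in thread): $name.kext" ;;
            *)           echo "ON DISK (not listed): $name.kext" ;;
        esac
    done
    for id in $loaded; do echo "LOADED: $id"; done
    return 1
}

# Constructed sample data: an Extensions folder holding one listed kext, one
# made-up Thunderbolt kext and one unrelated kext, plus made-up kextstat lines.
make_sample() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/tbaudit.XXXXXX")
    mkdir -p "$d/Extensions/AppleThunderboltNHI.kext" \
             "$d/Extensions/AppleThunderboltExample.kext" \
             "$d/Extensions/SomeOtherDriver.kext"
    cat > "$d/kextstat.txt" <<'EOF'
Index Refs Address            Size       Wired      Name (Version) <Linked Against>
   41    0 0xffffff7f80a00000 0x13000    0x13000    com.apple.driver.AppleThunderboltNHI (0.0.0) <9 5 4 3>
   42    0 0xffffff7f80b00000 0x5000     0x5000     com.example.driver.SomeOtherDriver (1.0) <4 3>
EOF
    echo "$d"
}

# Demo on the constructed sample only; nothing on the real system is touched.
sample=$(make_sample)
audit_thunderbolt "$sample/Extensions" "$sample/kextstat.txt" || echo "Action needed"
rm -rf "$sample"
```

On a real Mac, save the output of `kextstat` to a file and call `audit_thunderbolt /System/Library/Extensions` with that file as the second argument.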
Old May 20, 2013, 06:37 AM   #18
IeU
macrumors member
 
Join Date: May 2011
Quote:
Originally Posted by simon48 View Post
You can destroy all ports you like, someone can just take out the HD and access it directly. If FileVault is not enough, break the HD in two and you are good to go.
The HD is encrypted. So, no "you are good to go" . . .
Old May 20, 2013, 08:14 AM   #19
Beaverman3001
macrumors 6502
 
Join Date: May 2010
Someone having physical access is no security to begin with, sans thunderbolt port or not. Until you find a way for the SSD to destroy itself upon removal it does not matter what other ports you break.
Old May 20, 2013, 09:52 AM   #20
Fishrrman
macrumors 68040
 
Join Date: Feb 2009
Solution (from the article you listed above) is:
"The company earlier explained that the security risk is easy to overcome by simply turning off the computer instead of putting it to sleep, and disabling the "Automatic Login" setting. This way, passwords will not be present in memory and cannot be recovered."

What's so hard about that?
Old May 20, 2013, 10:06 AM   #21
flynz4
macrumors 68040
 
Join Date: Aug 2009
Location: Portland, OR
Quote:
Originally Posted by Fishrrman View Post
Solution (from the article you listed above) is:
"The company earlier explained that the security risk is easy to overcome by simply turning off the computer instead of putting it to sleep, and disabling the "Automatic Login" setting. This way, passwords will not be present in memory and cannot be recovered."

What's so hard about that?
This has been my recommendation right along. However... it is difficult (or at least inconvenient) to shut down 100% of the time... even though it is my normal process.

I do not shut down when I am going to be away from my computer inside of my house... or if I am going to get a drink of water in the office. OTOH... if I am leaving my laptop in a hotel room... I will shut down before putting it away in the hotel in-room safe (if present). At that point... combined with FV2... if my MBA is stolen... only my physical HW is lost... not my identity.

/Jim

----------

Quote:
Originally Posted by paulCC View Post
Yes, you are correct, my reply was nonsense :-)

I did more reading on this, and see that the exploit is through the DMA feature of FW and TB, while the machine is running, and the encryption key is in plaintext in the memory.

So disabling TB (and FW, if present on the computer) will stop this.

In addition, it seems that enabling Firmware password stops the DMA feature. So this is what I have done now. Not that I am paranoid, but this does not complicate the booting process, so why not.

I would worry about disabling the TB in software configuration, as updates of OS X might restore the drivers you remove. To me the firmware password seems more stable in the long term.

Paul.
Thanks for this info. I think that I will do the same. I know I can look it up... but can you tell me the procedure to set the FW password (I'm being lazy).

/Jim
Old May 20, 2013, 11:44 AM   #22
adnbek
macrumors 65816
 
Join Date: Oct 2011
Location: Montreal, Quebec
Quote:
Originally Posted by flynz4 View Post
Thanks for this info. I think that I will do the same. I know I can look it up... but can you tell me the procedure to set the FW password (I'm being lazy).

/Jim
http://dailymactips.com/2012/05/04/h...sword-in-lion/

Same process for Mountain Lion. Make sure you use a password you won't forget as there is no way to reset or remove the password if you forget it.
Old May 20, 2013, 01:01 PM   #23
PraisiX-windows
macrumors regular
 
Join Date: May 2011
Are you sure you don't want to blend the SSD with an industry approved blender now that you're at it? Just in case super advanced aliens fly in and decrypt the **** out of your SSD?
Jesus christ.

Edit:
No, wait, even more advanced extra terrestrials might show up, for your "very important" data, with the technology to reconstruct, perfectly, your smashed harddrive - you better acid the drive!

Last edited by PraisiX-windows; May 20, 2013 at 01:08 PM. Reason: To tell this ******* here who's boss
Old May 20, 2013, 01:04 PM   #24
thekev
macrumors 603
 
Join Date: Aug 2010
Quote:
Originally Posted by PraisiX-windows View Post
Are you sure you don't want to blend the SSD with an industry approved blender now that you're at it? Just in case super advanced aliens fly in and decrypt the **** out of your SSD?
Jesus christ.

Industry approved blender?
__________________
world's largest manufacturer of tin foil hats, none of that aluminum foil crap.
Old May 20, 2013, 01:07 PM   #25
PraisiX-windows
macrumors regular
 
Join Date: May 2011
Quote:
Originally Posted by thekev View Post
Otherwise it might not "secure" the data properly!