Need help destroying the thunderbolt port on air

Discussion in 'MacBook Air' started by bludsrevenge, May 18, 2013.

  1. macrumors newbie

    Oct 11, 2011
    I am about to buy myself a brand new MacBook Air when the next model comes out.

    I believe in anonymity and I am beyond paranoid. I figure if I run FileVault and lock everything on my Air it will be 100% untouchable by anyone. I have done my fair share of research and this is perfect. The only issue I run into is the Thunderbolt port.

    Here is an article on a company that sells the equipment needed to get into a FileVault-protected Mac:

    They use a Thunderbolt cable to get in. If I destroy the Thunderbolt port there is no way of entry. So how can I permanently remove the Thunderbolt port? To the point that even if I sent it in to Apple they would say it is 100% impossible to fix.
    Thanks all
  2. macrumors 603


    It's probably the same technique as getting into the Mac with FireWire (Tl;Dr); if that is the case, you don't have to worry, since that hole was patched quite a while ago.
    It was accessing memory directly and this has been patched.
  3. macrumors 603


    Feb 15, 2009
    Toronto, Canada
    Take a hammer to the SSD. Acid would work too.
  4. macrumors 601

    Aug 27, 2012
    So what kind of illegal thing are you getting into? :cool:
  5. macrumors 65816


    Sep 1, 2010
    You can destroy all the ports you like; someone can just take out the HD and access it directly. If FileVault is not enough, break the HD in two and you are good to go.
  6. thread starter macrumors newbie

    Oct 11, 2011
    I messaged the company who makes the product and they said their equipment is up to date with the latest model of MacBook Air and still works. This leads me to believe that the exploit is still there via Thunderbolt.
    Does anyone know a way to destroy it?
  7. macrumors 603


    You don't have to physically destroy Thunderbolt; there are some Thunderbolt extensions in the /System/Library/Extensions folder. Move them out to, for instance, /System/Library/ and Thunderbolt won't work anymore.

    These are the ones I have in 10.8.3


    I think the bolded one is the one which disables the port.

    I myself moved them out of the Extensions folder for other reasons.
    Everything still works.

    You can move them out as root or in the Terminal; if you need help, tell me and I will explain.
  8. thread starter macrumors newbie

    Oct 11, 2011
    If you could explain step by step I would be very grateful. I am purchasing the machine when the new model comes out so I assume it would be the same for the new machine.

    I would just purchase the 2010 model which does not have a Thunderbolt port, but the RAM isn't enough for my work. Without 8GB RAM the computer is useless to me.
  9. macrumors 65816

    Mar 23, 2013
    Why don't you run a secure erase on the SSD? I use Parted Magic on a Linux boot disk, which runs a command on the SSD itself to reset the SSD to factory.
  10. justperry, May 18, 2013
    Last edited: May 18, 2013

    macrumors 603


    Open Terminal and do the following

    sudo mkdir "/System/Disabled Extensions"
    sudo mv /System/Library/Extensions/AppleThunderboltDPAdapters.kext "/System/Disabled Extensions"
    Hit Enter
    Enter Password
    sudo mv /System/Library/Extensions/AppleThunderboltEDMService.kext "/System/Disabled Extensions"
    Hit Enter
    sudo mv /System/Library/Extensions/AppleThunderboltNHI.kext "/System/Disabled Extensions"
    Hit Enter
    sudo mv /System/Library/Extensions/AppleThunderboltPCIAdapters.kext "/System/Disabled Extensions"
    Hit Enter
    sudo mv /System/Library/Extensions/AppleThunderboltUTDM.kext "/System/Disabled Extensions"
    Hit Enter

    *** This is provided those extensions are in the Extensions folder; if there are more like these, do the same as above. Also, if you are fast enough (about 5 minutes) you have to enter your password only once.

    Note: VERY IMPORTANT, make a backup first, if anything goes wrong you might not be able to startup the Mac.

    BTW, I don't believe that company, I am almost sure the problem was Direct Memory Access (DMA) and this HAS been patched.

    I am pretty positive he wants to do this on the new Mac which he purchases later on.
  11. macrumors member

    Nov 2, 2012
    As I am reading some of the replies, I think I understand your issue a bit differently - you are about to get a new MBA, you like FileVault as a means of protecting your data, but worry that the Thunderbolt is a point of entry, which can be exploited. Correct?

    If this is so, destroying the TB port does not guarantee that no one will be able to get to your data. You obviously worry about a scenario where someone gets hold of your MBA. If there are people that would go to these kinds of steps to get to your data, what is there to stop them from extracting the SSD part from your MBA, plugging it into an MBA that has the TB port working, and using the TB exploit this way?

    I guess there might be some features of the FV encryption that include values tied to the computer - such as using the serial number, or other data tied to the MBA as part of the encryption scheme, which would make the "move-the-SSD-to-another-MBA" approach not work. But I have not read anywhere that this is so. Plus - it would mean that if your logic board fails, Apple could not move your SSD to a replacement unit. So I consider this unlikely - meaning the FV encryption is likely all contained on the SSD, with no part of the encryption scheme coming from the computer itself. Again, just my guess.


  12. thread starter macrumors newbie

    Oct 11, 2011
    Perry I really owe you. Thanks for all of your help.
  13. macrumors 603


    No worries.

    Just use copy and paste to do the above; you can also drag and drop folders/files onto the Terminal to include the paths after a command.
    As I said before, just look for extensions with Thunderbolt in their name and move them.

    Happy "hacking":)
  14. macrumors 68040

    Aug 9, 2009
    Portland, OR

    If I understand this exploit correctly... it entails using TB to obtain encryption data out of memory... which is possible if the machine is running, or suspended. It is also my understanding that if you shut down the MBA... then the memory is cleared, and this exploit is defeated.

    Hence... this is why I have always recommended to completely shut down your MBA (or MBP) whenever leaving it unattended... especially in a place where there is any real chance of inadvertent access. For me... this includes hotel rooms and such... because it just is not practical to always have my laptop with me.

  15. macrumors 65816


    Sep 30, 2009
    You'd seriously ruin a TB port for "protection"?
  16. macrumors 603


    If you read my post it does not destroy the port, it will only disable it.
  17. macrumors member

    Nov 2, 2012
    Yes, you are correct, my reply was nonsense :)

    I did more reading on this, and see that the exploit is through the DMA feature of FW and TB, while the machine is running, and the encryption key is in plaintext in the memory.

    So disabling TB ( and FW, if present on the computer ) will stop this.

    In addition, it seems that enabling Firmware password stops the DMA feature. So this is what I have done now. Not that I am paranoid, but this does not complicate the booting process, so why not.

    I would worry about disabling the TB in software configuration, as updates of OS X might restore the drivers you remove. To me the firmware password seems more stable in the long term.
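
The concern in the post above, that an OS X update might put the removed drivers back, can be checked after each update. This is an added example, not part of the thread: the function names are hypothetical, and it assumes the /System/Library/Extensions path and the "Thunderbolt" naming pattern given earlier in the thread, plus the stock `kextstat` tool for listing loaded kexts.

```shell
#!/bin/sh
# Added example: audit whether Thunderbolt kexts that were moved out of the
# Extensions folder are back on disk or still loaded in the kernel.

# Print the names of kext bundles with "Thunderbolt" in their name.
# $1 = extensions directory (defaults to the path named in the thread).
list_tb_kexts() {
    ext_dir="${1:-/System/Library/Extensions}"
    [ -d "$ext_dir" ] || return 0
    for k in "$ext_dir"/*Thunderbolt*.kext; do
        # An unmatched glob stays literal, so test that the entry exists.
        if [ -e "$k" ]; then basename "$k"; fi
    done
    return 0
}

# Number of Thunderbolt kexts found on disk.
count_tb_kexts() {
    list_tb_kexts "$1" | wc -l | tr -d ' '
}

# Thunderbolt drivers currently loaded. A kext that was loaded before it was
# moved stays loaded until reboot. Prints nothing where kextstat is missing.
loaded_tb_kexts() {
    command -v kextstat >/dev/null 2>&1 || return 0
    kextstat 2>/dev/null | grep -i thunderbolt || true
}

# Exit status 0 = nothing on disk and nothing loaded, 1 = drivers present.
audit_tb() {
    found=$(list_tb_kexts "$1")
    loaded=$(loaded_tb_kexts)
    if [ -n "$found" ] || [ -n "$loaded" ]; then
        echo "Thunderbolt drivers present:"
        if [ -n "$found" ]; then echo "$found" | sed 's/^/  on disk: /'; fi
        if [ -n "$loaded" ]; then echo "$loaded" | sed 's/^/  loaded:  /'; fi
        return 1
    fi
    echo "No Thunderbolt kexts in ${1:-/System/Library/Extensions}, none loaded."
    return 0
}

# Run against the default path, or a directory given as the first argument.
audit_tb "$@" || echo "Re-check after every OS X update and after a reboot."
```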


  18. IeU
    macrumors member

    May 1, 2011
    The HD is encrypted. So, no "you are good to go" . . .
  19. macrumors 6502

    May 20, 2010
    Someone having physical access is no security to begin with, sans thunderbolt port or not. Until you find a way for the SSD to destroy itself upon removal it does not matter what other ports you break.
  20. macrumors 603

    Feb 20, 2009
    Solution (from the article you listed above) is:
    "The company earlier explained that the security risk is easy to overcome by simply turning off the computer instead of putting it to sleep, and disabling the "Automatic Login" setting. This way, passwords will not be present in memory and cannot be recovered."

    What's so hard about that?
  21. macrumors 68040

    Aug 9, 2009
    Portland, OR
    This has been my recommendation right along. However... it is difficult (or at least inconvenient) to shut down 100% of the time... even though it is my normal process.

    I do not shut down when I am going to be away from my computer inside of my house... or if I am going to get a drink of water in the office. OTOH... if I am leaving my laptop in a hotel room... I will shut down before putting it away in the hotel in-room safe (if present). At that point... combined with FV2... if my MBA is stolen... only my physical HW is lost... not my identity.



    Thanks for this info. I think that I will do the same. I know I can look it up... but can you tell me the procedure to set the FW password (I'm being lazy).

  22. macrumors 65816


    Oct 22, 2011
    Montreal, Quebec

    Same process for Mountain Lion. Make sure you use a password you won't forget as there is no way to reset or remove the password if you forget it.
  23. PraisiX-windows, May 20, 2013
    Last edited: May 20, 2013

    macrumors regular

    May 19, 2011
    Are you sure you don't want to blend the SSD with an industry approved blender now that you're at it? Just in case super advanced aliens fly in and decrypt the **** out of your SSD?
    Jesus christ.

    No, wait, even more advanced extra terrestrials might show up, for your "very important" data, with the technology to reconstruct, perfectly, your smashed harddrive - you better acid the drive!
  24. macrumors 603


    Aug 5, 2010

    Industry approved blender
  25. macrumors regular

    May 19, 2011
