
Need help destroying the thunderbolt port on air

Discussion in 'MacBook Air' started by bludsrevenge, May 18, 2013.

  1. macrumors newbie

    #1
    I am about to buy myself a brand new MacBook Air when the next model comes out.

    I believe in anonymity and I am beyond paranoid. I figure if I run FileVault and lock everything on my Air it will be 100% untouchable by anyone. I have done my fair share of research and this is perfect. The only issue I run into is the Thunderbolt port.

    Here is an article on a company that sells the equipment needed to get into a FileVault-protected Mac:
    http://forums.appleinsider.com/t/142622/forensics-vendor-warns-mac-os-x-filevault-vulnerable-to-decryption

    They use a Thunderbolt cable to get in. If I destroy the Thunderbolt port there is no way of entry. So how can I permanently remove the Thunderbolt port? To the point that even if I sent it in to Apple they would say it is 100% impossible to fix.
    Thanks all
     
  2. macrumors 603

    justperry

    #2
    It's probably the same technique as getting into the Mac with FireWire (TL;DR); if that is the case you don't have to worry, since that hole was patched quite a while ago.
    It was accessing memory directly and this has been patched.
     
  3. macrumors 603

    blueroom

    #3
    Take a hammer to the SSD. Acid would work too.
     
  4. macrumors 601

    #4
    So what kind of illegal thing are you getting into? :cool:
     
  5. macrumors 65816

    simon48

    #5
    You can destroy all the ports you like; someone can just take out the HD and access it directly. If FileVault is not enough, break the HD in two and you are good to go.
     
  6. macrumors newbie

    #6
    I messaged the company who makes the product and they said their equipment is up to date with the latest model of MacBook Air and still works. This leads me to believe that the exploit is still there via Thunderbolt.
    Does anyone know a way to destroy it?
     
  7. macrumors 603

    justperry

    #7
    You don't have to physically destroy Thunderbolt. There are some Thunderbolt extensions in the /System/Library/Extensions folder; move them out to, for instance, /System/Library/ and Thunderbolt won't work anymore.

    These are the ones I have in 10.8.3

    AppleThunderboltDPAdapters.kext
    AppleThunderboltEDMService.kext
    AppleThunderboltNHI.kext
    AppleThunderboltPCIAdapters.kext
    AppleThunderboltUTDM.kext

    I think the bolded one is the one which disables the port.

    I myself moved them out of the Extensions folder for other reasons.
    Everything still works.

    You can move them out with root or in the terminal, if you need help tell me and I will explain.
     
  8. macrumors newbie

    #8
    If you could explain step by step I would be very grateful. I am purchasing the machine when the new model comes out, so I assume it would be the same for the new machine.

    I would just purchase the 2010 model, which does not have a Thunderbolt port, but the RAM isn't enough for my work. Without 8GB RAM the computer is useless to me.
     
  9. macrumors 65816

    #9
    Why don't you run a secure erase on the SSD? I use Parted Magic on a Linux boot disk, which runs a command on the SSD itself to reset the SSD to factory.
     
  10. justperry, May 18, 2013
    Last edited: May 18, 2013

    macrumors 603

    justperry

    #10
    Open Terminal and do the following

    sudo mkdir "/System/Disabled Extensions"
    Hit Enter
    Enter Password
    sudo mv /System/Library/Extensions/AppleThunderboltDPAdapters.kext "/System/Disabled Extensions/"
    Hit Enter
    sudo mv /System/Library/Extensions/AppleThunderboltEDMService.kext "/System/Disabled Extensions/"
    Hit Enter
    sudo mv /System/Library/Extensions/AppleThunderboltNHI.kext "/System/Disabled Extensions/"
    Hit Enter
    sudo mv /System/Library/Extensions/AppleThunderboltPCIAdapters.kext "/System/Disabled Extensions/"
    Hit Enter
    sudo mv /System/Library/Extensions/AppleThunderboltUTDM.kext "/System/Disabled Extensions/"
    Hit Enter

    *** This is provided those extensions are in the Extensions folder; if there are more like these, do the same as above. Also, if you are fast enough (about 5 minutes) you have to enter your password only once.

    Note: VERY IMPORTANT, make a backup first; if anything goes wrong you might not be able to start up the Mac.

    BTW, I don't believe that company, I am almost sure the problem was Direct Memory Access (DMA) and this HAS been patched.



    I am pretty positive he wants to do this on the new Mac which he purchases later on.
     
  11. macrumors member

    #11
    As I am reading some of the replies, I think I understand your issue a bit differently - you are about to get a new MBA, you like FileVault as a means of protecting your data, but worry that the Thunderbolt port is a point of entry which can be exploited. Correct?

    If this is so, destroying the TB port does not guarantee that no one will be able to get to your data. You obviously worry about a scenario where someone gets hold of your MBA. If there are people that would go to these kinds of steps to get to your data, what is there to stop them from extracting the SSD part from your MBA, plugging it into an MBA that has the TB port working, and using the TB exploit this way?

    I guess there might be some features of the FV encryption that include values tied to the computer - such as using the serial number, or other data tied to the MBA, as part of the encryption scheme - which would make the "move-the-SSD-to-another-MBA" approach not work. But I have not read anywhere that this is so. Plus - it would mean that if your logic board fails, Apple could not move your SSD to a replacement unit. So I consider this unlikely - meaning the FV encryption is likely all contained on the SSD, with no part of the encryption scheme coming from the computer itself. Again, just my guess.

    PaulCC.



     
  12. macrumors newbie

    #12
    Perry I really owe you. Thanks for all of your help.
     
  13. macrumors 603

    justperry

    #13
    No worries.

    Just use copy and paste to do the above; you can also drag and drop folders/files onto the Terminal to include the paths after a command.
    As I said before, just look for extensions with Thunderbolt in their name and move them.

    Happy "hacking":)
     
  14. macrumors 68040

    #14
    Paul,

    If I understand this exploit correctly... it entails using TB to obtain encryption data out of memory... which is possible if the machine is running, or suspended. It is also my understanding that if you shut down the MBA... then the memory is cleared, and this exploit is defeated.

    Hence... this is why I have always recommended to completely shut down your MBA (or MBP) whenever leaving it unattended... especially in a place where there is any real chance of inadvertent access. For me... this includes hotel rooms and such... because it just is not practical to always have my laptop with me.

    /Jim
     
  15. macrumors 65816

    DisMyMac

    #15
    You'd seriously ruin a TB port for "protection"?
     
  16. macrumors 603

    justperry

    #16
    If you read my post it does not destroy the port, it will only disable it.
     
  17. macrumors member

    #17
    Yes, you are correct, my reply was nonsense :)

    I did more reading on this, and see that the exploit is through the DMA feature of FW and TB, while the machine is running, and the encryption key is in plaintext in the memory.

    So disabling TB (and FW, if present on the computer) will stop this.

    In addition, it seems that enabling Firmware password stops the DMA feature. So this is what I have done now. Not that I am paranoid, but this does not complicate the booting process, so why not.

    I would worry about disabling the TB in software configuration, as updates of OS X might restore the drivers you remove. To me the firmware password seems more stable in the long term.

    Paul.
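
Post #17 above raises the concern that an OS X update may put the removed Thunderbolt drivers back. The following is an added example, not part of the thread: a shell check that reports any `AppleThunderbolt*.kext` bundle present in an Extensions folder. The function names and the temporary sample folder are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an Extensions folder for Thunderbolt kext bundles.
# On a real Mac pass /System/Library/Extensions (the folder named in the
# thread); the demo at the bottom uses a constructed temporary folder instead.

# Print the name of every AppleThunderbolt*.kext bundle found in directory $1.
# Returns 2 if the directory does not exist.
list_thunderbolt_kexts() {
    [ -d "$1" ] || return 2
    for k in "$1"/AppleThunderbolt*.kext; do
        [ -d "$k" ] || continue      # unmatched glob or not a bundle directory
        basename "$k"
    done
    return 0
}

# Exit status: 0 = none present, 1 = at least one present, 2 = folder missing.
audit_thunderbolt() {
    found=$(list_thunderbolt_kexts "$1") || return 2
    if [ -n "$found" ]; then
        printf 'Thunderbolt kexts present in %s:\n%s\n' "$1" "$found"
        return 1
    fi
    printf 'No AppleThunderbolt*.kext in %s\n' "$1"
    return 0
}

# Build a constructed sample tree: two of the kext names listed in the thread
# plus an unrelated bundle (hypothetical name) that must not be reported.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/Extensions/AppleThunderboltNHI.kext" \
             "$root/Extensions/AppleThunderboltUTDM.kext" \
             "$root/Extensions/ExampleOther.kext" \
             "$root/Disabled Extensions"
    printf '%s\n' "$root"
}

# Demo: audit, move the bundles aside (quoted path with a space), audit again,
# then simulate an update putting one driver back.
demo_root=$(make_sample_tree)
audit_thunderbolt "$demo_root/Extensions" || echo "status $?: still enabled"
mv "$demo_root/Extensions"/AppleThunderbolt*.kext "$demo_root/Disabled Extensions/"
audit_thunderbolt "$demo_root/Extensions" && echo "status 0: disabled"
mkdir "$demo_root/Extensions/AppleThunderboltNHI.kext"   # simulated restore
audit_thunderbolt "$demo_root/Extensions" || echo "status $?: restored by update"
rm -rf "$demo_root"
```

On a real Mac, run `audit_thunderbolt /System/Library/Extensions` after each system update. It inspects files on disk only.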


     
  18. IeU
    macrumors member

    #18
    The HD is encrypted. So, no "you are good to go" . . .
     
  19. macrumors 6502

    #19
    Someone having physical access is no security to begin with, sans thunderbolt port or not. Until you find a way for the SSD to destroy itself upon removal it does not matter what other ports you break.
     
  20. macrumors 601

    #20
    Solution (from the article you listed above) is:
    "The company earlier explained that the security risk is easy to overcome by simply turning off the computer instead of putting it to sleep, and disabling the "Automatic Login" setting. This way, passwords will not be present in memory and cannot be recovered."

    What's so hard about that?
     
  21. macrumors 68040

    #21
    This has been my recommendation right along. However... it is difficult (or at least inconvenient) to shut down 100% of the time... even though it is my normal process.

    I do not shut down when I am going to be away from my computer inside of my house... or if I am going to get a drink of water in the office. OTOH... if I am leaving my laptop in a hotel room... I will shut down before putting it away in the hotel in-room safe (if present). At that point... combined with FV2... if my MBA is stolen... only my physical HW is lost... not my identity.

    /Jim

    ----------

    Thanks for this info. I think that I will do the same. I know I can look it up... but can you tell me the procedure to set the FW password (I'm being lazy).

    /Jim
     
  22. macrumors 65816

    adnbek

    #22
    http://dailymactips.com/2012/05/04/how-to-set-a-firmware-password-in-lion/

    Same process for Mountain Lion. Make sure you use a password you won't forget as there is no way to reset or remove the password if you forget it.
     
  23. PraisiX-windows, May 20, 2013
    Last edited: May 20, 2013

    macrumors regular

    #23
    Are you sure you don't want to blend the SSD with an industry approved blender now that you're at it? Just in case super advanced aliens fly in and decrypt the **** out of your SSD?
    Jesus christ.

    Edit:
    No, wait, even more advanced extraterrestrials might show up, for your "very important" data, with the technology to reconstruct, perfectly, your smashed hard drive - you better acid the drive!
     
  24. macrumors 603

    thekev

    #24

    Industry approved blender
    :D?
     
  25. macrumors regular

    #25
