DEFCON Conference 23. How I lost my second eye, or further research into data destruction. Part 2

Original author: Andrew "Zoz" Brooks
Start here:

DEFCON 23. How I lost my second eye, or further research into data destruction. Part 1

Stearic acid, it turns out, is a really important component of this explosive, and if you use the wrong proportions, nothing will work. This test video shows what happens if there is not enough of it relative to the aluminum - just an explosion, and everything is shattered. This is a complete failure. When the stearic acid content is correct, this is what happens - the explosion in the video is directional and looks like a rocket launch.



What we needed was precisely a directed explosion with a shaped-charge effect, known as the Munroe effect. When we say “shaped charge”, it means that you have to give the charge a special conical shape. It can be flat, but it must have a special notch - a funnel that concentrates the shock wave. You can line the cavity with copper or tantalum, which during the explosion forms a liquid jet that can cut through anything that can be cut. This principle is used in anti-tank armor-piercing shells, and there are several design solutions for it.

I used CAD to draw a special shape for FELIX - it was a “glass” with a cone-shaped recess in the center. The angle of the cone surface should be between 40 and 90°, and the steeper the cone, the greater the penetration depth. Your projectile should be located at a distance of 2-2.5 times its diameter from the target’s surface, and the height of the explosive inside the glass should be 1.25-4 times the height of the conical recess.



I thought that it would be possible to arrange a linear shaped charge in the form of a ring mounted on the upper part of the HDD, so that when the charge went off around the circumference of the disk plates, many burnt holes would appear. I developed a ring design of the “glass” for the Felix charge and printed it on a 3-D printer; this is how the form looks from above and below. I filled it with 60 grams of “Felix” and fixed it on top of the HDD.



The video shows how the explosion occurred. At this stage of the experiment, I did not care about the localization of the explosion and its retention in a certain protective cavity, I was going to work on this later.

The consequences of the directed explosion did not please me very much - the disk plates were only twisted, so the composition of the explosive was probably chosen incorrectly. The disks were cut through in only one place, the place where the glass with explosives was located. So we did the right thing, but placed it incorrectly, because the explosion of the charge did not spread around the ring the way we intended.



I developed another model of the “glass” with radial jumpers, and at the same time I thought about how to contain the charge so that it would not fly apart. Therefore, a layer of aluminum was laid inside the glass, and a hole was made in the wall for a detonating cord. Here is how it looked in the drawings and in real life. The charge weight was 100 g of “Felix”, and we also used 80 g of detonating cord 45 cm long.



In this video you see an explosion - but where did the drive go? In slow motion, you can see how the shock wave shook the camera located next to the object. The following fragment shows the footage from my GoPro camera, which was further away, and here you can see in which direction the HDD parts were thrown by the explosion. They were not too big - you can see on the slides what the remnants of the HDD looked like after such an explosion. We picked up pieces of the printed circuit board and distorted plates, so the test result completely satisfied us.





Next, we decided to try an explosion that would do something like compression welding, welding the disk plates to each other. To do this, we decided to place a ring charge on both sides of the HDD - above and below - so that the explosions acted towards each other and squeezed the contents of the drive into one piece.



This slide shows a one-sided charge of 100 g of explosives with a cord 1 m long and a two-sided charge of 2x50 g with two cords 50 cm long. You see how we placed our disk before the explosion of the two-sided charge. I will demonstrate the explosion of the one-sided charge a little later.

The video shows that the disk flew just a few feet from the scene of the explosion. You see that the disk plates were not torn from the core of the drive, as happened in the case of Felix, but the explosion pressed them together perfectly.



The double explosion did not cause as much damage as the previous version of the explosive, but we saved 40% of the explosives and got excellent deformation of the plates. On the following slides, you see what the recording head turned into, how the plates are bent, and how the HDD case covers look after the explosion.



A one-sided explosion also deforms the plates quite well, bending them into the shape of a dish, but they are not welded to each other. The slide below shows a Seagate HDD; by the way, in almost all tests we used HDDs of this particular brand.



The bomb squad had hundreds of these perforators for oil wells. When a well is drilled, its walls are reinforced with concrete. Then such a thing is lowered into the pipe with a charge, it explodes and makes a small hole in the pipe and concrete through which oil from the well rushes up. When you are friends with the bomb squad and they want to share something with you, you need to agree!

A very fast, powerful HMX explosive is placed in these perforators; a little foil is placed on top of the head to form the explosive shock wave. This is a classic shaped charge with a recess covered with a layer of copper.



We used two such perforators placed side by side, and in this video you see what the explosion looks like in slow motion - two torches of flame directed upwards. So, we installed such a perforator on the edge of the HDD and set it off.



In slow motion, you see a piece of the drive flying up and to the left. The following slides show how the HDD case and disk plate look.



And here we have collected everything that remained of the HDD after the explosion. Pay attention to the hole marked with an arrow. It was formed in the metal sheet that we used as a base for the tested HDDs. This is the place where the shaped-charge jet hit.



The following slides show how this hole looks from the outside of the sheet under our drive, how the exit hole looks from the back of the sheet, and how the hole made in the soil by the directed explosion looks. So the next time we decided to use a smaller version of the perforator - this is how it looks on the HDD cover.



We again used a Seagate drive with a capacity of a half terabytes. If you remember, just then in Asia there was a tsunami and the quality control of the disks produced at that time was probably not carried out, since all the plants temporarily stopped working. So if you look at the statistics, you will see that almost every Seagate HDD manufactured at that time was faulty.

This time we placed 2 perforators on adjacent sides of the disk, at an angle of 90°.



The video shot by the GoPro camera shows how high up and to the side the pieces of the drive fly after the explosion. We never managed to find all the pieces of the drive to draw complete conclusions. We found only the charred part of the case and the printed circuit board, but did not find the disk plates. Therefore, we decided to do the explosion again.

We used another Seagate disk; as you can see, I didn’t even remove the warranty sticker, in order to keep the warranty (just in case). We placed a steel plate on top of the HDD to keep fragments from flying off where we could not find them later. The video shows how it flies up during the explosion.



That's what happened to the HDD case after the explosion and how the plates looked. We were able to deform them, but the explosion did not affect the drive itself.



I thought that we could still adjust the location of the explosives in such a way as to achieve the desired effect and destroy the disk in other places.

So then I used the so-called “Diamond Charge”, which the guys from EOD - the explosive ordnance disposal unit - use to cut munitions into parts. This is a flat layer of explosive that widens towards the middle, so when the two sides are detonated, two blast waves travel towards each other, amplifying. As a result, in the place where they meet, they turn 90° downward and cut what is located below into 2 parts.



For this experiment, I wanted to use a patented rolled sheet explosive that lies flat on the surface. But it may be transported only in its original packaging, and no matter how much of it you really need, you can still only order a whole roll. We could get it, but we couldn't transport it. Therefore, we had to abandon the use of industrially manufactured sheet explosive and again turn to Felix.

I printed a container on a 3-D printer, filled it with 60 g of Felix and attached it to the HDD. We covered the drive with a large steel sheet 8 mm thick. Nearby you see a steel sheet 12 mm thick, under which there are 3 extra small perforators, which we wanted to get rid of.



The video shows how, after the explosions, the large steel sheet of smaller thickness first falls into place, and the small sheet of larger thickness, which covered the perforators, later falls directly into the lake. The damage to the disk was so minor that we abandoned the idea of using "diamond" explosives. However, it was still interesting.

We had some fun doing all these explosions, but now we had to decide how to place our explosive device inside the equipment.



So, the next kinetic method was Blast Suppression, or Tamed Explosion. We had to observe several conditions:

  • make several explosions on the HDD in order to guarantee the destruction of the surface of the plates;
  • protect the equipment from the explosive impact, that is, use the explosives only against the HDD and use damping material between the explosives and the equipment shell;
  • as the insulating, damping material, use one of the alternatives: compressible or incompressible sealants, liquid or gaseous foam - something inexpensive that, if necessary, could be introduced inside the HDD without completely filling it. As correctly noted from the audience, this is shaving foam!

I decided to use the first option with a ring charge - 100 g of explosives and 10 cm of ignition cord. I learned this method from an instructor in explosion engineering, they use it when you need to knock out a cylinder of a door lock. They install a “glass” with a charge around the cylinder and knock it out. Shaving foam dampens noise and reduces the spread of fragments. I placed all this inside a cardboard box.



Let's look at the video of what we got. For comparison, I show shots with and without shaving foam - as you can see, it significantly reduced the formation and spread of flame during the explosion.

Then I decided to use the more powerful Felix explosive in the amount of 75 g. The slide shows the steel corners that act as racks for HDDs in the data center; we filled the entire space between them with shaving foam.



We covered the whole structure with a steel plate, on which we placed a bag of sand. We tried to simulate a real situation and see what happens.



I think it was very impressive. The video shows how the bag flies up, breaks, and sand spills out of it. On the slides you can see the imprint that the HDD left on the plate on which it was installed. Both plates and corners are practically intact, with no through holes. And you see what the disk case and plates turned into after such an explosion. I believe that this method can be used!



The last method of exposure is electricity. You know that you can't get too creative with it, so the goal was to use the existing energy resources of data centers to destroy drives, in particular SSDs. Unrealized ideas - perhaps I will return to them later - included massive demagnetization of the HDD, electromagnetic or microwave effects on drives, or the use of radio frequency attacks.

What I wanted to do was create an exploding bridgewire based on a capacitor bank and old-fashioned vacuum tubes. Unfortunately, no one was able to provide me with an unusable SSD, because this is new equipment and it has not yet failed. I love you all, but I'm not ready to spend $1000 on new SSDs, so I used the internals of a USB flash drive, which are structurally very similar to what is inside a solid-state drive. Therefore, we can draw conclusions about what will happen inside an SSD when it is exposed to a high-current discharge.



In the video you see that practically nothing happened to the flash drive chip - it was just thrown aside intact. The controller itself looked normal, but everything on the back was melted. However, this method as a whole was not applicable for the complete destruction of an SSD.

Next, I decided to see what happens to the flash drive internals if you connect the power to the “ground” and pass a sharp power surge through it, creating something like a spark gap.



In this case, we were able to inflict more significant damage - the chip was torn off the printed circuit board and broken into 2 parts. I was interested in how recoverable the remains of the “flash drive” would be if I used an electron microscope or something like that, but I could not verify this. But potentially this method can be used, because it destroys things pretty quickly and I don’t think that the information from them will be easy to recover.



The next method of destruction I called "Inductive deformation." In the following slides, you see inductive deformation of a soda can around which a wire coil was wrapped. The can was literally torn in half.



It is clear that there is a big difference between a tin can and a solid-state drive. The next video shows a more impressive explosion of a can of water; it even blew off the rings of the coil. In slow motion, you can see how the can is first squeezed in the middle under the influence of the induction field - this compression occurs very quickly, in 10 ms - and then bursts as the internal pressure increases.



However, it is not known how much electricity would have to act on a hard drive in order to achieve a similar result. Therefore, this method does not suit us. Perhaps later I will return to it and do some really crazy science.



So, to summarize the test results.

The most suitable methods for destroying hard drives are:

  • thermal. The plasma cutter and oxygen injection showed excellent results, and the use of combustible mixtures such as thermite did not justify itself;
  • kinetic. The construction gun is in the lead here, depending on its design - powder or pneumatic, and high-power explosives;
  • electric. Here, the highest voltage electricity worked like a spark gap.

The number of eyes lost during the experiments was 0!

There is one more thing that I would like to mention: mobile solutions. We are talking about data centers, but when they arrested Silk Road owner Ross William Ulbricht, also known as Dread Pirate Roberts, they took him in a public library hall. With him was an “unlocked” laptop, and from it they could pull everything that allowed him to be imprisoned for committing federal crimes.

Therefore, I note that nowadays it is easy to steal data from an unprotected laptop or computer, simply by connecting to it via Bluetooth.

Feel free to contact me about ideas that are important to you. Perhaps, at another time, we will hold another DefCon conference to continue the discussion on this topic. Thank you for your attention!

