Building a self destructing USB drive
May 22, 2014 1:02 AM

Today's world demands high security devices, like an aggressively self-destructing USB drive. I would like advice on the possibility of creating such a thing if one wouldn't mind offering wisdom.

Hello! I have a security/electrical engineering project idea I am still fleshing out, and I would like some input on its possibilities, implementations, and execution.

For high-security PC builds, it is common to have full-disk encryption on a hard disk with the whole shebang bolted down by a TPM chip. It is also reasonable practice to use a Live OS booted off of USB and use no disk at all. My idea will focus on the latter.

I read some papers recently about the relationship between data retention on RAM chips and their temperature. RAM which is designed to not retain memory without a power source has an interval of time after losing power such that the data can still be retained, as it takes time for the electricity to "leak" out of the chips and leave them blanked. As I understand it, the colder the chips are on a device, the slower the information "leaks" out of them. This knowledge can be used in a compromising manner towards the end user. For example, some clever researchers have discovered how to bypass Android's full-disk encryption/bypass PINs/etc. by using a special recovery image and storing the phone in a very cold area. (source)

The idea: To create a USB thumbdrive with a capacitor, small battery and charging function, hereafter lovingly referred to as NUKE. NUKE's purpose is to provide immediate current to the RAM chip in an attempt to clear any data that may be remaining, or at the least mangle it enough to make it unrecoverable.

I recently realized a setup I toyed with as a child was a rapid high-discharge setup, and may be able to work in the manner I described. In my childhood years I had toyed with the flash on disposable cameras. If the two leading wires from the flash bulb were cut and stripped, the two leading wires could be applied to some [relatively] high resistance items and still discharge successfully when the button was pressed. Ask any of our friends, we tasered each other quite a bit with homemade NUKE gloves. An unsuspecting pat on the back could produce a visible wound (don't do that at home! I was a reckless child).

Following this idea along, I believe NUKE could be applied to a USB drive to inflict damage throughout the RAM chip on demand by making a complete circuit through it and pumping massive current. By extension I would hope this could be applied to SSD drives for laptops/PCs as well, so long as power requirements were adjusted accordingly.

I do not know much of the circuitry of USB devices. My largest fear is that the overload of electricity would not traverse the entirety of the RAM chip by causing too much damage in an early phase of discharge which would make the exercise pointless. Another fear is that the current surge may not do damage at all and could possibly just keep the data on the chip alive, not scramble it, etc.

Anyway, that is the idea sitting in front of me. The finished device would behave as a normal USB drive yet at the press of a button, NUKE fires and all is lost. Can anyone experienced in this field offer some input? Implementation ideas, potential problems, or other suggestions?

Thank you!
posted by fieldcannotbeblank to Technology (17 answers total) 3 users marked this as a favorite

RunCore make something similar: a self-destructing SSD that uses over-current to fry the device when you press a button. Combine with encryption (data is useless without a key) and a case that triggers the self-destruction when tampered with, and you're on your way.
posted by devnull at 1:24 AM on May 22

That is fantastic, thanks for the link! So if it will work for a SSD, it should work for a USB drive. That's a good sign.
posted by fieldcannotbeblank at 1:27 AM on May 22

Ironkey devices self-destruct when you enter a wrong password too many times. You may look into the mechanism they use - they have some info published.
posted by olinerd at 2:09 AM on May 22 [1 favorite]

Thank you for the link as well. I like the Ironkey but it (at least the entry models) doesn't appear to be OS independent, e.g. the F100 series doesn't have *nix support :(

I looked through their documentation for some ideas, but I'm finding it difficult to discover how their data blanking mechanism works. Most of the whitepapers seem to be promotional materials. From what I can tell it's not physically destructive, which I would prefer, but I can't say for sure at this time.
posted by fieldcannotbeblank at 2:52 AM on May 22

Could you short not through the flash chip, but rather through some magnesium tape wrapped around it?
posted by pompomtom at 3:33 AM on May 22

One word:
posted by Thug at 3:41 AM on May 22

I'd've thought thermite would be tricky to ignite from a cap.
posted by pompomtom at 3:50 AM on May 22

I'm imagining a small charge of compressed gas which, when triggered, drives a steel pin directly through the RAM chip.
posted by Faint of Butt at 4:03 AM on May 22

I like these ideas but they take too much time in an emergency to meet my needs. I would like the process to be as instantaneous as possible.

Some helpful ideas have been offered:

1: The NAND memory of a USB drive is designed to retain data after power is no longer supplied. RAM is not. This is what I have been told. Therefore this device would lend itself most useful to USB drives for storing data, or encrypted OS-independent volumes.

2: A fuse or fusible link could be installed right before the area where current would/could continue into the USB insertion point on a PC. This would prevent damage to a machine it may happen to be inserted in if it was used while plugged in.

3: Perhaps the battery could be bypassed altogether by using a power lead from the USB power wire itself to charge the capacitor. Less maintenance, smaller form factor, and charging could be done by just plugging it into something rather than relying on a button and battery to prepare the capacitor. This could save valuable seconds.

I like the way this is developing :)
posted by fieldcannotbeblank at 4:22 AM on May 22

EDIT: Regardless, thank you everyone for your input, sincerely!
posted by fieldcannotbeblank at 4:23 AM on May 22

"Could you short not through the flash chip, but rather through some magnesium tape wrapped around it?"

Perhaps methods like that would work, yes. I envision the device to be self contained and relatively low profile though. Ideally, you could engage NUKE in your pocket if you felt threatened. With proper calibration and component choices you shouldn't have to worry about physical harm.
posted by fieldcannotbeblank at 4:25 AM on May 22

I am no expert on the technology, but once had a day job working for a bank group that was developing (and patenting like crazy) technology to do extremely high value cash transactions over the internet. We did multiple transactions in the late 1990s in amounts of more than $20MM. Anyway… One of the things we had to be worried about was people reading the crypto keys out of our devices and creating fraudulent cash. So our devices were set to self-destruct in a wide variety of interesting ways. Anyway, I was the graphics and documents guy, not one of the hardware guys, so I don't know what our crypto keys were stored on and whether this has any similarity to how those USB drives work. But it was surprising the number of ways the memory could potentially be frozen and/or read by someone who wanted to read it. It could be heated to a certain temperature, lowered to a certain temperature, hit with a certain kind of radiation (x-ray?) in a certain kind of way, someone could try to drill into the device to gain physical access, etc. The hardware guys had to figure out ways to make the device self-destruct if any of these things was attempted, and periodically we would send one off to these guys in the NSA who would try to crack it and we would have to add other security measures depending on what they discovered. Eventually the project was killed because it wasn't obvious how the bank would be able to make money on the technology.

The point of all this is that there may be a zillion ways that someone with the proper technology and skills might be able to read the memory of a USB drive.
posted by slkinsey at 5:35 AM on May 22 [2 favorites]

That is going to be the most interesting thing I will read today, I am sure of it. Radiation to retrieve data? Good lord. I know the NSA currently has an analogous capability by utilizing special devices which broadcast high freq. EM waves, I think in radio range, by using sneakily inserted spy equipment to USB risers on devices. But they were exploring these procedures in the 90's? Freaky.
posted by fieldcannotbeblank at 5:57 AM on May 22

[Glad you're getting some good input, fieldcannotbeblank, but this section of the site isn't really for discussion, but just getting answers to questions, so you can just relax and comment only to clarify or answer questions directed to you. Thanks!]
posted by taz at 6:22 AM on May 22

You don't erase data by overvolting the flash chip or setting it on fire (jesus christ).

The correct approach is to minimize the amount of secret data, make it volatile, and make it hard to get to.

So your drive encrypts all data with a symmetric cipher (like AES) on the device, before it is stored on the flash chips. The cipher key is stored in SRAM on the encryption chip, backed by a small lithium watch battery. There are tamper-sensitive sensors inside the drive housing as well as on the encryption chip die that clear the SRAM when tampering is detected.

You could design your own encryption chip on some cheap commodity 90nm process and get it fabbed. The design is pretty simple. I bet you could do it for under a million bucks, including hiring someone to design it, fabbing, etc.

Alternatively, use an FPGA which already has all these tamperproof features designed in. Companies like Xilinx have been doing this exact thing for decades to protect their customers' designs that are loaded into the FPGA. After all, their FPGA customers don't want a shady competitor to read out the FPGA program and load it into black market counterfeit products. The downside with using an FPGA is that there is most likely a backdoor accessible by Xilinx. It's strong enough to resist pretty serious industrial espionage type adversaries, but probably not the NSA (which would have Xilinx's cooperation of course).

Googling fpga bitstream security will probably turn up some interesting papers for you to read. This is a well known, established field with plenty of neat research over the years.
posted by ryanrs at 6:31 AM on May 22
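
The design described in the answer above (cipher key held only in battery-backed SRAM, ciphertext on flash, tamper response clears the key), modelled as an added example that is not part of the original thread or any vendor's code. `SimulatedDrive`, `seal`, `unseal` and `on_tamper` are hypothetical names, and HMAC-SHA-256 in counter mode stands in for AES so the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import os

def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stand-in for AES: HMAC-SHA-256 in counter mode (standard library only).
    ks = b"".join(_mac(key, nonce + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, sector_no, data):
    nonce = os.urandom(16)  # fresh per write, so rewrites never reuse keystream
    ct = _xor_stream(_mac(key, b"enc"), nonce, data)
    tag = _mac(_mac(key, b"mac"), sector_no.to_bytes(8, "big") + nonce + ct)
    return nonce, ct, tag

def unseal(key, sector_no, record):
    nonce, ct, tag = record
    want = _mac(_mac(key, b"mac"), sector_no.to_bytes(8, "big") + nonce + ct)
    if not hmac.compare_digest(tag, want):
        raise ValueError("authentication failed: wrong or cleared key")
    return _xor_stream(_mac(key, b"enc"), nonce, ct)

class SimulatedDrive:
    """Hypothetical model of the drive: key in 'SRAM', ciphertext on 'flash'."""
    def __init__(self):
        self.sram_key = bytearray(os.urandom(32))  # only copy of the key
        self.flash = {}        # sector_no -> (nonce, ciphertext, tag)
        self.cleared = False

    def _key(self):
        if self.cleared:
            raise PermissionError("key cleared by tamper response")
        return bytes(self.sram_key)

    def write(self, sector_no, data):
        self.flash[sector_no] = seal(self._key(), sector_no, data)

    def read(self, sector_no):
        return unseal(self._key(), sector_no, self.flash[sector_no])

    def on_tamper(self):
        # Sensor fired: zero 32 bytes of key in place; flash is not touched.
        self.sram_key[:] = bytes(len(self.sram_key))
        self.cleared = True
```

After `on_tamper()` the flash contents are byte-for-byte unchanged, yet the drive refuses to read them and `unseal` rejects a dump of them under the zeroed key.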

Oh wait, you are trying to clear the RAM on the motherboard from a USB stick? No, that won't work at all. All the external ports on your computer have pretty decent surge protection just to protect the motherboard from static discharge. Even if you did overcome that, the RAM sticks are miles away from the USB port with no real direct connection.
posted by ryanrs at 6:36 AM on May 22

PS if you want to talk nuts and bolts electronic design or how DRAM works, feel free to send me a mefi mail. I've done the cold DRAM thing myself (with my own DRAM controller, natch). It's all pretty interesting but not especially useful outside very specific cases.
posted by ryanrs at 6:52 AM on May 22
