A close shave: How to destroy your hard drives without burning down the data centre Four years ago at DEF CON a popular presentation examined how best to destroy hard drives in a data centre within 60 seconds of a three-letter agency knocking at the door. Now, that research has been updated with new techniques. Security researcher Zoz looked at three core methods for destroying platter and SSD drives – …
This post has been deleted by its author
Probably better to place a capsule filled with an enchant for the magnetic film material (usually cobalt based these days) in the drive that can be triggered to spray the platters with the etchant & corrode them. The storage portion of the films are so thin (a few tens of nanometers), that they'd be destroyed in seconds.
Yes a corrosive gas or spray/fluid sounds a good idea and would allow the platters to spin for a small time (assuming the arm is brought into the rest position) to evenly coat them.
My idea was somewhat more destructive, and I'm not sure how reliable or the size of the powertools required. May not quite fit in a rack space. :P
How about blowing up a small capsule of magnetic dust?
Better still, get some radioactive isotopes. Radiation safety rules will keep the agencies from opening the housing for years.
Thermal destruction might work great if you don't blow your thermal load in a second, but instead heat the platters to an even few-hundred C.
I assume you don't mind killing the heads at the same time, so fine pumice powder would take advantage of the disks spinning and get the head to grind it in...
Alternately, corrosive magnetic epoxy resin would be handy, it'd turn the platters into one solid mass, and do a pretty good job of rendering unreadable any bits that someone managed to delaminate...
I've often wondered about the suitability of common household chemicals for this purpose. Shame the boffins didn't stop playing with the obviously unsuitable and almost certainly illegal explosives for long enough to try a selection of those... bleach, oven cleaner, nail-varnish remover, etc. Can't imagine much data would survive a hefty syringeful of bleach being injected through a breather, followed by a squirt of vinegar for good measure...
Look the premise here is that you want to blow the disks quickly because of certain government agency is going to be coming through the door. So the disk has to be usable and then while its being used... you need to destroy it.
Using an encrypted drive, a small amount of det cord will be enough or a small shaped charge... It doesn't matter if some of the platters are readable. How do you decrypt a chunk of data if you don't know the start or end of the record. At the same time... as other readers point out... there's alternatives that would be corrosive to the drives... what happens if you have a shaped charge that vaporizes a different metal that coats and melts the surface of the drives? I mean lets face it... the surface of the drives are more fragile than the drive case.
But what do I know?
I'm all for the SSD and RRAM which I think a high voltage pop would be enough to fry the machines and storage.
BTW isn't Thermite an explosive? So if you're going to risk the charge of handling explosives which could also label you a terrorist, why worry about destroying the rest of the server too?
Shouldn't degaussing be sufficient? Or maybe that was too boring.
Probably. The problem with things like this is that there's generally too much "knowledge" around that is of purely historical value. A lot of the stories that get cited refer to e.g. floppies or low density hard drives - you can forget about them entirely for modern drives.
As the density goes up what it takes to make the data completely irretrievable goes through the floor: e.g. if you physically overwrite a sector once what was on it before is lost forever - those algorithms you have read about involving multiple passes and random data belong to a different age. Significant damage anywhere on a platter essentially makes the entirety unreadable - it doesn't matter if most of the data is still perfectly intact if there is no way it can be subsequently read out.
The fact some of the methods tested are not very exciting does not mean they are not completely effective. Hell, I wouldn't want to could on it but I'd imagine simply taking the top cover off outside of a clean room environment would counter even the most sophisticated attacks a good proportion of the time.
If you're careful you can operate on a drive without a cleanroom. I wouldn't trust the drive after, but it can be done. I've done it - replaced the cover of a drive with a plastic panel so the insides could be seen. It was intended as a working demonstration drive for an IT class.
Confirmed S. Raven. I had bought a used HD that had the top/bottom clam shell not a boat... I used a USB microscope and a video camera, no cover.
Powered up XP, and commanded a conversion from FAT32 to NTFS5.
This morning I think I just found the HD with that very movie.
"[...] degauss and shred the platters and dispose of them in multiple locations."
For (some?) metal platters you can quickly reduce them to a shapeless lump by applying the flame of a standard plumber's gas blowtorch. Haven't tried that with vitreous platters.
When taking the drive to pieces you need a screwdriver set that covers small Torx screws and other "security" types.
Have had to do that incineration a few times when a drive had died and couldn't be erased. It also sidesteps the problem of there being data on any "hidden" damaged tracks that are no longer visible to the PC.
For (some?) metal platters you can quickly reduce them to a shapeless lump by applying the flame of a standard plumber's gas blowtorch. Haven't tried that with vitreous platters.
My preference - primarily because it's far more fun - is to use an Arc welder. If you're very careful about where you put the ground clamp and where you strike your arc you can have some (very, very brief) fun with the motors too. Occasionally you can get a chip to pop nicely as well, though obviously your main focus should be around the platters :)
I use a password and keyfile. The password is well over 100 chars long and impossible to remember - it's kept in text format, along with the key, on a USB drive.
I mount the data, then move the key and password file to the encrypted partition, and secure erase the USB device. When I am doing a reboot or anything like that I copy it back to the USB device
But if anyone comes knocking, the power just needs to be knocked off, and BAM! Impossible to recover
Not lost if the user still knows the password. The USB offers ease of use and plausible deniability, if also lost in the "power outage" that was "just by chance when you knocked" and "made me loose all my [encrypted] Spice Girls MP3s (with CDs on shelf as proof of usage)".
If the password doesn't have to be rememberable, then you can use a hash of some obscure file. This gives a way to recreate password, provided that you know which file it was, and it hasn't developed bad bits in the meantime. Even an AOL installation CD would suffice. Har har.
Great. Someone knocks one the door. Your plan goes into action..."sorry guys, it's encrypted and I destroyed the key".
Then an extended stay in A windowless room because they don't believe you.
I like the methods listed because even a jackbooted thug could look at a hard drive punched through with nailholes or melted with thermite and figure out that you really cannot get the data off it.
He said nothing about whether he keeps a backup copy or two of PW & keyfile at secure & obscure offsite location(s). A TF card wrapped in tinfoil* could easily be secreted in any metallic environment.
Of course his mounting procedure should involve overwriting the entire USB device rather than just erasing the files. Which will significantly reduce the lifespan of the thing but with small thumbdrives so cheap that isn't the problem it once was. It would also be sensible to ensure the keyfile(s) are sufficiently sizable to overwhelm any wear-levelling reserve. With TC using no more than the first MB of every file, a directory holding a decent MP3 collection or JPEG library would be practically perfect.
*aluminium might suffice for the less puritanical ;-)
Liquid nitrogen for 30 seconds then your choice of explosives, C4 being a rapid explosive would be my personal favorite.
Of course, if a certain tthree letter agency was knocking on your front door, they might ask why you were exploding things, maybe more criminal charges against you as opposed the owner of said hard disk.
Of course, if a certain three letter agency was knocking on your front door, they might ask why you were exploding things
Ah, you're right. You need to build up plausible deniability. So, start blowing things up frequently, just for fun. That way, the explosions when they enter the building won't look out of character.
Yeah, I couldn't sell it to the IT director either. Was worth a try, though :).
Oh, I think we can ignore that, because the original premise pretty much ignores that too. All of your data goes at the exact moment the three letter agency knocks yet you claim you were running a legit business? Nope, you're taking a long vacation overseas. Probably someplace that will make Gitmo look like the Rivera.
...with just a perspex cover over the opened drives with exposed platters.
The knock at the door means you walk in with a hammer and chisel and go to town on the platters within seconds.
However, being found standing next to a load of destroyed sparking smouldering HDDs would make you look like a guilty puppy sitting next to a pile of poo.
It does seem like he could have pursued degaussing options. I'm thinking perhaps the kind of electromagnet people use to shrink coins, only bigger. If you could do the same thing to the platters, I think it'd be pretty safe to say the data is irrecoverable.
Though the "safe for a data center" criterion might become an issue again.
>>60 seconds of a three-letter agency knocking at the door.
This reminded me of a custom spring loaded security door mentioned in "The Construction & Operation of Clandestine Drug Laboratories".
Might give a person a lot more time to destroy drives... as long as they can get into the room and close that door.
An auto-destruct button would certainly be cooler but.. I really liked the diagrams for that door too.
Really, why go to all the physical risk and effort apart from the fireworks in testing?
Doh, I just answered my own question...
But really the answer is much simpler: all disks encrypted with a long random block of data that is stored on a chip, and then just zap the chip with a high energy discharge while rebooting the servers in to the usual memory testing slow BIOS start-up that you always use as you worry about data integrity if your RAM is not checked. Key gone = data gone and in-RAM copies overwritten as well.
Chlorine trifluoride and gases like it have been reported to ignite sand, asbestos, and other highly fire-retardant materials. In an industrial accident, a spill of 900 kg of chlorine trifluoride burned through 30 cm of concrete and 90 cm of gravel beneath.
The compound reacts violently with water-based suppressors, and oxidizes in the absence of atmospheric oxygen, rendering atmosphere-displacement suppressors such as CO2 and halon completely ineffective. It ignites glass on contact.
Fun stuff.
It is extremely reactive with most inorganic and organic materials, including glass and teflon, and will initiate the combustion of many otherwise non-flammable materials without any ignition source. These reactions are often violent, and in some cases explosive. Vessels made from steel, copper or nickel resist the attack of the material due to formation of a thin layer of insoluble metal fluoride, but molybdenum, tungsten and titanium form volatile fluorides and are consequently unsuitable.
Not sure how you modify HDD to use it. Sounds like it will do in SSDs too!
It's likely you are mad if you consider it as a rocket fuel
https://en.wikipedia.org/wiki/Chlorine_trifluoride#Rocket_propellant
It is also hypergolic with such things as cloth, wood, and test engineers, not to mention asbestos, sand, and water
>"is also hypergolic with such things as cloth, wood, and test engineers'
Now we're cooking with gas. That's a truly incandescant mental image. Never mind puny crucibles or chicken fat bars of iridium, if you can ignite test engineers then you're truly on your way to world domination.
"WTF? Which industry has a plant/facility that requires having 900 kg of alien blood such as this around? And in one container? Or even one county?"
You can read all about the terrors of Chlorine Trifloride it in John D. Clarke's book on the development of rocket fuels called "Ignition!" (pdfs are available). Below is the relevant section:
"Chlorine trifluoride, ClF3, or "CTF" as the engineers insist on calling it, is a colorless gas, a greenish liquid, or a white solid. It boils at 12° (so that a trivial pressure will keep it liquid at room temperature) and freezes at a convenient -76°. It also has a nice fat density, about 1.81 at room temperature.
It is also quite probably the most vigorous fluorinating agent in existence — much more vigorous than fluorine itself. Gaseous fluorine, of course, is much more dilute than the liquid ClF3, and liquid fluorine is so cold that its activity is very much reduced.
All this sounds fairly academic and innocuous, but when it is translated into the problem of handling the stuff, the results are horrendous. It is, of course, extremely toxic, but that's the least of the problem. It is hypergolic with every known fuel, and so rapidly hypergolic that no ignition delay has ever been measured. It is also hypergolic with such things as cloth, wood, and test engineers, not to mention asbestos, sand, and water — with which it reacts explosively. It can be kept in some of the ordinary structural metals — steel, copper, aluminum, etc. — because of the formation of a thin film of insoluble metal fluoride which protects the bulk of the metal, just as the invisible coat of oxide on aluminum keeps it from burning up in the atmosphere. If, however, this coat is melted or scrubbed off, and has no chance to reform, the operator is confronted with the problem of coping with a metal-fluorine fire. For dealing with this situation, I have always recommended a good pair of running shoes. And even if you don't have a fire, the results can be devastating enough when chlorine trifluoride gets loose, as the General Chemical Co. discovered when they had a big spill. Their salesmen were awfully coy about discussing the matter, and it wasn't until I threatened to buy my RFNA from Du Pont that one of them would come across with the details.
It happened at their Shreveport, Louisiana, installation, while they were preparing to ship out, for the first time, a one-ton steel cylinder of CTF. The cylinder had been cooled with dry ice to make it easier to load the material into it, and the cold had apparently embrittled the steel. For as they were maneuvering the cylinder onto a dolly, it split and dumped one ton of chlorine trifluoride onto the floor. It chewed its way through twelve inches of concrete and dug a three foot hole in the gravel underneath, filled the place with fumes which corroded everything in sight, and, in general, made one hell of a mess. Civil Defense turned out, and started to evacuate the neighborhood, and to put it mildly, there was quite a brouhaha before things quieted down. Miraculously, nobody was killed, but there was one casualty — the man who had been steadying the cylinder when it split. He was found some five hundred feet away, where he had reached Mach 2 and was still picking up speed when he was stopped by a heart attack."
Some years ago a colleague was wiping some tapes with an AC-powered (mains) bulk tape eraser. I thought I'd see how effective it would be at wiping out the data on an (already failing) laptop drive. I positioned the degausser above the drive and pulled the trigger. The resultant effect was the drive leaping to the sole plate of the tape eraser and vibrating violently at the power line frequency. I did this at least a half dozen times, amusing myself with how high I could get the drive to leap from the table. Amazingly when I hooked it back up I could still read most of the data with no problem (even in Windows with no recovery tools), and a disk check found only a few more errors than it did on this already failing drive. True, I didn't remove the platters from the aluminum casing, but still, I expected a rather more dramatic effect. I hope it at least worked better on tapes.
Faraday cages don't make the slightest difference to magnetic fields. They stop electrical fields. Until your magnetic field is oscillating at radio frequencies you won't see enough of an effect from a Faraday cage to make a measurable dent in the magnetic field intensity.
Shielding a magnetic field is extremely difficult, usually done with Mu-metal cages. These have all sorts of problems in implementation, not the least of which is that they saturate and cease to shield at all in the face of high intensity fields.
The bomb squad also gave him a couple of shaped charges that would normally be used to blast out the side of oil wells. While these punched through the drive's platters admirably, they also went through the quarter inch steel plate the drive was resting on and pummelled another 15 inches into the ground
A high amperage short should cook a drive nicely or discharging a large high voltage capacitor through a drive could be more sparkly and might work.
An alternative would be to fire a rifle sized blank directly into the casing through a pre cut hole, I bet the high speed high temperature gasses would do a good job of making the platters unreadable.
Quite easy to rig up too.
It's not really a suitable solution if you care about being sure the data is actually gone/unreadable.
For the paranoid, the following are just a few examples of the possible issues that might lead to the data being recoverable
- NSA has cracked it (as you say - though unlikely on it's own)
- Manufacturer has fouled up the crypto implementation, so it's not as well encrypted as you thought
- Manufacturer has bollocksed up the key erase, so they key's still there if you know how to access it
There are probably a good number of other possibilities too, and whether they're applicable depends on how much you need to protect the data, and who might get hold of the drive.
Ultimately, if you want to be sure the data is gone, the only solution is the physical destruction of the drive. For most people, that probably is overkill, but ISE is a "should be good enough" solution rather than a cast-iron guarantee.
"the only solution is the physical destruction of the drive"
Yes, if the problem is to destroy the data on the drive. But it should be quite easy to set things up so that only encrypted data is written to the drive and the decryption key is only held in volatile memory. You also need to keep a key somewhere else, like on a piece of paper, for example, in order to survive ordinary power failures, but you have now reduced the problem to one of quickly destroying a piece of paper, which is a much older problem, with established solutions for use by old-school spies.
I tend to use a large drill bit with a cordless Li-ion drill, and drill a couple of holes, but that requires having the drive top accessible and manual use of a drill, I then completely dismantle the drive and often add multiple scratches across the platter surfaces too. Destroying all the big chips on the drive PCB would be a good idea too, to destroy any data, including calibration and configuration data. Yes, someone may be able to recover some platter data, however the holes, burrs and any scratches would probably challenge or destroy drive heads.
Other possible physically destructive solutions include:
* the rapid injection of aggressive de-greasing solvents mixed with a little abrasive dust via an inflow pressure valve near the edge of the spinning platters, while there are rapid head movements, to abrade the platter surfaces, with an outflow pressure valve to clear some used solvent; this would probably work best if the de-greasing solvents and abrasive dust was not electrically conductive, and may cause rapid destruction.
* a fuel air explosion inside the drive, which may be far more effective at destroying more platter surface than other types of explosive.
Another layer of security would be to have symmetrical hardware encryption (like AES256) with a unique key for every drive, so that when the cypher electronics is erased or burnt the key to decrypt the data is permanently lost.
Two things I have read and seen work.
1. Coke (original?) is acidic and will eat the surface of the platters. Now the problem is getting it into your drive when needed.
2. Heat. Heat will remove all magnetism in the material. It randomizes the magnetic poles. All you need is 200 to 300 degrees for a few minutes and your drives are totally erased. The temperature required depends on various factors but with the new drives, it may be much lower. Some magnets can be demagnetized at less than 100 degrees.
Temperature and Neodymium Magnets
http://www.kjmagnetics.com/blog.asp?p=temperature-and-neodymium-magnets
Put drives at risk into an insulated steel box with a blow torch that is designed to ignite when the "alarms" go off. By the time the three letter agency can cool it down, there is nothing left to work with. If the heat is high enough, the SSD's will also be destroyed.
It is reported that SSD's will also lose there data at elevate temps, though higher than 125 degrees.
As some data centres are using mineral oil baths for cooling, all you have to do is heat the mineral oil to it's boiling temp at about 300 degrees. Just need to do it quick.
I once worked on an air crash investigation where a plane overshot a runaway on landing. There was a huge fire, and we got our box back with a request to read out any fault codes and calibration data that are stored internally in flash. Basically there was nothing left of the PCBS, except a pile of fibre glass strands and a birds nest of the copper PCB traces. Also the flash devices were in MIL ceramic packages. These packages have a ceramic lid and base, and are "glued" together and sealed with glass. Well, the glass had melted, and the ceramic top and bottom of the packages had come off.
Long story short, the manufacturer of the flash chips read the data out of the bare die no problems. I think you need more than 125°C to ensure their destruction.
I seem to recall a device, about the size of a washing machine, that was purpose built for the job. It punched a specially designed drill bit into the drive, which not only drilled through the platters, the vibrations left ripples in the platters. It even had a conveyor belt for more than one drive.
However, it would fail the 60 second requirement, I think the order lead time on the device was a bit longer than that.
How about encasing the drives in an inductive heating coil, similar to what is used to harden drill bits, gears, and other metallica? When you say the special code word "Shitstorm", high current is passed through the coils, reducing the drives to slag very quickly, with minimal damage to adjacent servers...
Hm, placing a custom heat sink across the electronics and the top of every drive is a good idea. After all, drive shelves get hot and you can't be too careful. It's not your fault the sinks suddenly became sources turning all the silicon on board white hot in a matter of seconds and burning right through the casing.
Surf the dark sides of the Internet and click on everything possible ... buttons/links/images and let the root kits, trojans and crypto bugs do the rest. You hit two birds with one stone - surf the dark Internet without any worries and have a useless drive afterwards.
Power bar from explosions everywhere. Plausible deniability.
Seriously, there are so many ways of instantly destroying data. The main problem is NOT actually protecting the data centre. The real challange is doing it in a way that only destroys the dodgy bit and does so in a way that is undetectable.
So perhaps you need to have all the dodgy data stored on known devices with no backups. Or records.
So, if you can be sure that the device(s) has /have actually properly died you actually need to advertise the failure as an alarm.
How you do that....
I think the speed requirement may rule out killing spinning rust.
Add a routine to the drive's firmware to spin the disks too slowly to lift the read/write head, then have the head scrape rapidly back and forth across the rotating disks. Massive deliberate head crash.
Of course that'd take a decent knowledge of the drive's circuitry, but they are hackable... http://spritesmods.com/?art=hddhack
I have used a professional tape degausser, a powerful electromagnet which changes polarity 60 times a second. I have held it on one side of a hard drive for a full minute, flipped the drive over and applied it to the other side for a full minute. I might as well have been stroking it with a feather. Unless you might try a crane magnet, my experience with degaussing has proved it ineffective.
Degaussing is extremely unreliable when destroying data, and the only way to check if it has been successful is to read the hard drive.
It might not be sexy, but erasure using an approved product, deems data irrecoverable. Alternatively physically shredding the drive is effective.
What I am unaware of is a method taking less than 60 seconds which effectively destroys data without endangering human life.
Position under the rack and install some remotely triggered solenoids that can pull the disks out of the frame so they fall in and crunch.
This post has been deleted by its author
/The/ rack? Only one? We're talking about a DC here..
Possibly substitute your triggered solenoids for shaped charges or 10 gauge.. but may be a little noisy heh?
How about (thinking Google-sized DCs) simply have an auto-reverse on the coolant system? Instead of pumping cold in, pump hot: instant death for data outflow & (if allowed to runaway) physical meltdown into a heap of aluminium/silicate slag
(for.the GCHQ operatives watching, I'm copyrighting & patenting this idea..)
Under UK laws, if you destroy the key, you can be imprisoned indefinitely until you hand the key over... which you can't as you don't have it. The law assumes if they THINK you have it, then you have to hand it over, even if you don't have it. If they THINK you have a key, they can hold you indefinitely. And you can't tell anyone you've been asked for the key, not even your own lawyer. So you can tell you lawyer you have been held, and he can go to a judge and say my client is being held and I can't say why, and the judge will tell him to go away and find out. But he can't, as no-one is allowed to tell him you've been asked for a key.
No, I'm not making this up.
A/C for obvious reasons.
... pump a few milliliters of an appropriate solvent (acetone?) into the casing. Clean platters within seconds, NO way to restore. Check beforehand that the coating is removed by solvent, use platters of dead disk to test.
I admit that I have no (good) ideas how to build the injection mechanism.
For SSDs, high-voltage frying should be easy in comparison to the above; you need to make sure you actually fry the memory chips proper. A magnetron could well be a workable option.
Make sure all of the above works within seconds and when power is cut (don't forget that "power cut" can imply "pitch black").
You are welcome.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
