This DEF CON 23 presentation by Dr. Andrew ‘Zoz’ Brooks turned out a blast, so read about the ways to destroy data on hard disks, and don’t try this at home.
Hello DEF CON! I’m actually going to break with tradition this time and start one minute early, because I have so much shit to show you guys that I’m worried about how much I can fit in here. I have not counted, but I’m reasonably confident in saying that there are more explosions in this presentation than any other DEF CON presentation in history, which is crazy because it’s nearly a quarter century of DEF CON – can you believe it? That’s totally blowing my mind.
A lot of projects are not solo, but this one is very much not solo. I called in so many favors in working on this project (see right-hand image). A lot of friends went above and beyond to help me out, so this is their old school anti-splash screen hacker thanks. I think the only person who made it to CON this year is RF, so hopefully he’s awake and watching. I was inspired to do this by a talk at DEF CON 19 by Bruce who just spoke in here, and Deviant and Shane (see left-hand image). They were running some kind of data center that had very valuable stuff on the hard disk in that data center. And they were sort of kicking around some ideas like, you know, it could really be a target for some criminals to come and steal everything. So could you have a switch that you could flip to destroy physically all of the disks in your data center? I thought this was pretty cool and I really wanted to kind of do a follow-up and do some experimentation of my own.
And then four years later I thought about, well, where are we now? We have actually had data centers be physically raided and have all this stuff stolen: TorMail, the multiple Silk Road(s), and Snowden taught us that we don’t really know how much we can trust crypto, because our endpoints are so insecure. Your crypto is only as secure as the keys, so think about it. At the NSA, when they get rid of encrypted drives do they just throw the drives away? No, of course they don’t. They destroy them completely.
So here are the goals (see right-hand image). Flip a switch, drives are gone, no bits left standing. Protect your data center against highly motivated criminal organizations such as the three-letter government agencies. And then of course the big one – produce a lot of destruction pr0n for the DEF CON audience, for all of you here. That means more thermite, more high explosives, and more voltage. These are the rules that Bruce and Shane and Deviant came up with (see left-hand image). And I’m going to mostly try and follow them. You have a 1U server with your equipment in it. You have 1U above and below for whatever you want. I personally, when I was doing this, tried to keep all the actual destructo equipment in 1U so that the other 2U could be used for protection, hot gas extraction and so on. 60 seconds to completion – I really want to make a joke about Bruce and Deviant and Shane here, but I won’t. Don’t set off the fire systems. Don’t set off the seismic sensors in the nearby banks. I don’t really care about that, so don’t worry about that. Contain the damage within the equipment. And protect any nearby humans. A quick word on hard disk technology (see right-hand image). Data centers still use a lot of spinning platters. These tend to be made out of aluminum, and now more frequently glass, and glass smashes easily. So most of this stuff is with aluminum, and almost everything I do here will also work on glass. The coating is really interesting of hard disks. They have underlayers of a cobalt-nickel-iron alloy. The magnetic alloy actually is cobalt, chromium with platinum. And these layers tend to be separated by four atom layers of ruthenium. So the surfaces of hard disks are very chemically unreactive actually. And now of course, not so much in data centers, but we are starting to see solid state drives, so I wanted to do a little bit of stuff with them, too. Here are the results from DEF CON 19 (see left-hand image). 
They did three categories and they split it up between the three of them. Deviant worked on incendiary. And the results were they had some regulatory issues with possible deployment, because they were working with Tannerite, which is used for making explosive targets. And legally, to set off Tannerite you have to shoot it. They did some melting of the aluminum platter hard disks using propane and MAPP gas. And what they discovered was the drive is an excellent heat sink. It’s a big chunk of cast aluminum, the platters themselves are often aluminum, so they suck up heat like crazy and they are hard to melt.
They did some chemical injection, and it was basically a total fail. They injected various corrosives, and the hard disks are quite chemically unreactive. The most fun they had was with physical tools. They used a lot of woodworking tools such as hole saw, spade bit and grinding disc. They got things hot and burned themselves a lot. You should definitely watch the talk, I was going to say that earlier. I don’t want to say too much about the actual talk – just go online and watch it. It’s very amusing. And then, they did some electro-deplating of the platters, which worked great on the glass platters but completely failed on the aluminum ones.
Just a word on how they destroyed drives industrially (see right-hand image). When they decommission disks they mostly degaussed them and then threw them into a shredder. So when you are getting rid of drives you want to predict your adversary. The TLAs are able to collect and exploit physically destroyed drives. I talked to a guy who did EOD work in Iraq, and he was under instructions from the NSA that if he found any hard disks that were not crushed and burnt – to send them in, they could get stuff off them. So if you want to nuke a drive from orbit, degauss it, crush and shred, and burn. So here, since I’m in the 101 track, even though this is mostly original research, here’s my one 101 slide (see left-hand image). For anyone who’s here for actually a 101 talk about how to destroy their own hard disks at home, you can leave satisfied after this slide. Open your drive – this usually takes a Torx T8 bit; remove the platters – this usually takes Torx T6; rub it with a rare-earth magnet to degauss it; crush, break, deform it by the method of your choice; then burn it; then separate the debris. Don’t dispose of it all in the same place. Separate it and throw it away. Alright, so the rest of this talk – hopefully interesting to you, not necessarily useful. I too decided to use three different techniques with this: thermal, kinetic, and electric (see right-hand image). The goal of doing a thermal method with a drive is basically to exceed the Curie point of the magnetic media. For cobalt that’s 1115º C – at that point it becomes magnetically disorganized and theoretically nothing can be read from it again. Here are some things that I didn’t do that you can either try or realize why I didn’t do them (see left-hand image). I really wanted to look at some flameless chemical reactions. I couldn’t find any that got hot enough. Of course you can make a kickass oven and bake a disk. That is not exciting to watch. You can inductively melt aluminum very easily. 
You can get a big inductive furnace, it’s nice, I’ve used them before. I would have liked, I guess, to drop a hard disk in one and watch it melt, but I didn’t do it.
So method number one, the good old plasma cutter (watch video below). Starting off keeping things simple. I had used plasma cutters many times and I expected it could make much more of a mess with a hard disk.
But as you can see, really nice, it completes in about 40 seconds. It’s very easy to contain using, you could build an array of plasma cutting heads that would match the disk. Looks pretty good so far. Oh, this drive is powered up and spinning – I wanted to see if it would keep spinning, and so just one insertion point would be enough to destroy the top platter. It will start to leak out a little bit down the bottom, which will let you know that it’s done. Very nice.
This drive stayed hot for a long time. This shot (see right-hand image) is after I repeatedly burned myself taking out the screws. You can see that it has killed some of the top of that platter. Here’s a close-up shot of it (see left-hand image). So it spun for a little while, but not for very long. It thermally seized up quickly and there was some damage to the top of that platter all the way around. But then it stopped and it just burned a big fat hole through there. And if you look at the lower platters, the hole went through but they are not damaged anywhere else (see image below). So you can’t rely on the drive spinning for this method. You have to have multiple cutting heads parts. That’s the fully disassembled thing (see left-hand image). Didn’t make a lot of a mess. Totally feasible, in my opinion. Next, I thought, well, these guys used propane torches and MAPP gas and so on in the previous talk; what if we could just use the drive itself as the fuel? Like pump oxygen through the drive and start it off with a little magnesium or something and just see if the drive will consume itself (see right-hand image).
So here’s oxygen injection (watch video below). I drilled a little vent hole that you can see venting out there. Eventually I melted the oxygen hose and had to turn the oxygen off, so didn’t really go to completion.
Here’s a high-speed shot with the FS700. There we go. So, you know, a little bit of a containment issue, but I feel like I could easily figure out an engineering solution to this with an extra 2U of insulation and air extraction.
That’s what it looked like before opening (see right-hand image). And inside it did make quite a mess (see left-hand image). There it is after cleaning off the platter. And you can see the platter is nicely melted on one side. With some more engineering effort here and just pumping a lot of oxygen through this narrow 1U space, I feel like I could make this consume the whole drive. So I’m going to call that potentially feasible (see right-hand image). But I know what everyone is here to see, and it’s the first thing anyone ever talks about when they talk about drive destruction, which is thermite (see left-hand image). What I really wanted to do here was create a slurry thermite that I could pump into the drive when you pushed the switch, and it would just really fuck it up big time. So I experimented with doing some slurries. First of all, since this is 101, here’s the thermite reaction. I know you all know this. Iron and aluminum swap their oxygen partners like they’re at a swingers party, and it releases a lot of energy. You can get up to about 2500 ºC. 3:1 (iron oxide:aluminum) by weight if you use iron(III) oxide.
Here I am, stirring up a slurry (see right-hand image). It looks really nice, you know. It’s very-very smooth and gooey, and you could really easily inject it. I thought this was great. But in retrospect, the bright silver color that you see there – remember it’s silver, aluminum plus red iron oxide – it should have clued me into what was going to happen next when I tried this.
So here I am, trying to set off the slurry thermite with a blowtorch (watch video above). You can see this is eight times sped up, so it’s really not reacting very pleasantly, it’s not helping me out at all. So my theory is that the solvent is forming micelles with the oxide inside and the flake aluminum sticking on the outside. It’s just preventing them from reacting very well. And I tried a bunch of different solvents, such as glycerin, petroleum naphtha, and kerosene. And you can see afterwards, if I run a magnet over it, that very small amounts of elemental iron are being produced, not very much at all. So a reaction is just not really happening here. Probably the oxide is just being blown out with the smoke. And when I flipped over that disk top that I was burning, there’s no damage to it at all. It really didn’t get hot enough. So total fail.
The next idea was, well, if you open a disk there’s quite a lot of space inside it. So, you know, if we were really paranoid running a data center we could hide thermite inside that drive, just for when we needed to use it (see right-hand image). So I pulled off some unused pins from the disk bus connector to use them as the igniter, and I found that you can fit about 15 grams of thermite inside a drive.
And the heads don’t need to move into that space (see left-hand image), so you can still read and write to the drive with that in there. This kind of thing always makes me feel like some kind of sketchy drug dealer or assassin when I do this. But it really makes me laugh, because when you go through the airport and they make you turn on your electronics – totally worthless. There’s plenty of room for destructive shit inside electronics that still function.
So here is the shot with the pre-inserted thermite (watch video above). Not too bad, right? We can deal with this inside 1U. We opened it up, and you can see that a lot of stuff has burnt and this stuff is all over the platters. But upon a little closer examination here, we start to see the nice shiny non-stick chemically unreactive platters coming through (see right-hand image). And when it’s completely washed off, actually bugger all has happened to those platters. Total fail. So alright, I wasn’t ready to give up yet. I know that in military thermite grenades they actually don’t use straight thermite – they use what they call ‘thermate’, which is 70% thermite and 30% barium nitrate (see right-hand image). What the nitrate does is produce extra gas to move everything around and spread around, and it also burns hotter.
So here’s 15 grams of thermate inside the drive (watch video below). Much more violent, as you can see. And here is a high-speed shot of that, just to titillate everyone. The top of this drive, by the way, is screwed on really hard, but that doesn’t matter for the thermate, it’s happy to pop it open a little bit and spray out like crazy. It’s actually producing much more sparks and debris and so on than the plasma cutter.
But, you know, we could still probably deal with this if it works. This just goes and goes and goes. I don’t remember the frame rate this was shot at, probably 240 or 480. Anyway, that happens for a long time. So, I carefully opened it up with a glove this time. Quite impressive compared to the straight up thermite. I guess there’s a reason why the military uses this formula.
So I had high hopes, I was happy. Taking a closer look at the platter, there’s all kinds of crud all over it (see right-hand image). Molten iron has been spread about the place. And then when we clean off, though, we see some good things (see left-hand image). There’s some iron that welded itself to the read head. We had some pretty good heat deformation of the platter there, and we’ve welded the platters together over here. But ultimately, most of that platter is probably still recoverable by electron microscopy techniques and stuff like that (see right-hand image). So once again – fail. Well, there are other types of thermite. For example, copper thermite (see left-hand image). So exactly the same thing happens: it’s copper oxide and aluminum, the oxide switches over, 4.4:1 (copper oxide:aluminum) by weight. It’s a very aggressive thermite (watch first video below).
So let’s see what happens when we stick as much as we can of that (watch second video below). Oh, first of all, I thought, well, that stuff rules, it really surprised me how fast it went, so maybe the slurry will work with this stuff.
It made up one of the best slurries, so I blowtorched the shit out of it, and it burns a lot better than the iron thermite slurry. But still, the reaction is very much retarded by the slurrification agent.
Anyway, let’s stick some of the drive, not slurry version, and see what happens (watch video above). We can work on the drive delivery mechanism some other way maybe. This is another high-speed shot. Keep watching, because, once again, the lid of this drive is really screwed down tight, and you’ll see the lid exiting stage right. But keep watching, because you will also see the drive eventually coming from somewhere airborne. This experiment coated most of the workshop in copper, so everything in there is now going to have excellent conductivity.
So that’s the inside of the top plate (see right-hand image). You could really make some nice art with this technique, so I’d like someone to tell Eddie the Yeti to really go and kick things up a notch over in the vendor area. That’s what the drive itself looks like (see left-hand image below). You can see it has really got everywhere, as you would expect from that shot. And looking closely at the platter, you can see that it has stuck a lot of things to the platter. You can see elemental copper has pulled all around the drive (see right-hand image), looks pretty nice.
So let’s wash it off and see how things really look – boo to you, copper thermite (watch video below). Some of it stuck, it definitely made a bit of a mess, but ultimately we have to say “Infeasible but fun”.
Alright, time to get serious here. And I thought, well, the way people would really talk about thermiting drives is they get a whole bunch of thermite in a crucible above the drive and just try and melt straight through it (see right-hand image). So I thought, well, let’s see if we can do this in 1U. So I built a ceramic mold that would fit in 1U if I made it a little more carefully. 250 grams of straight up iron thermite. What I did was use a piece of Styrofoam to fill the interstitial space in that ceramic material, made it match exactly to the drive so that I could clamp it on (see left-hand image above). And there it is (see right-hand image), all that area filled with thermite. Let’s see if that’s enough (watch video below).
As you can see, my careful containment worked perfectly. Incidentally, the workshop has a large area rug on the floor. This shot set a significant portion of that rug on fire.
That looked so impressive! Surely, there can’t be too much left of the drive that we just did that to. Once again, I’m now taking no chances with how hot things are after doing this stuff.
So we can see plenty of elemental iron that has pulled into little nodules and clumps on top of the drive, and it’s made its way through the top of the drive, through that little hole there (see right-hand image). And inside, it has certainly made a mess of the drive electronics, but I’ve already brushed that with my finger and I’ve seen that we still have plenty of nice clean platter in there (see left-hand image).
Look at that. It looks almost as good as new. So, unreliable (see right-hand image). Next time someone says “Oh yeah, drive destruction, thermite – no problems,” just remember that they are a huge heat sink and you’ll need a lot of thermite to do it properly.
Alright, moving on to part 2 – kinetic (see right-hand image). The goal here was to deform, spindle, mutilate the drive, basically, severely retard any form of mechanical scanning to be done after the fact. And so, obviously, as I said at the start, that would have to be used in conjunction with degaussing. Degaussing is not fun to watch, so I did not do that. I had a bunch of ideas but I didn’t do all of them. One was to do a horizontal hydraulic crusher that would fit in 1U and just squeeze the drive to bits. I was pretty sure it would work, so I didn’t bother doing it. I wanted to use some other high pressure cutting tools, but, again, that was just for fun, because to build a water jet cutter into your data system is just probably a little bit infeasible.
Instead, I wanted to start off with some percussive methods. One of the tools that I’ve used a lot in my place is this concrete penetrating nailgun (watch video above). This uses a propellant charge, basically, a 22 caliber blank to drive nails into concrete. This happens so fast that at 480fps you can’t even really see the nail – it just is long gone through this cinderblock. Here’s another shot with this. You have to hit it with a hammer, this particular tool, to make it go. You have to do something a little different for actually doing on hard disks. But you can see there the plastic that holds the nail in the barrel fly out, and you kind of slightly can see the nail.
I milled the end off the drive so that we can see what happens (watch video above). Well, it’s spinning and we hit it with the nailgun – boom! No problem at all going through the cast aluminum, bottom of the drive, and through all the platters. This actually cracks the cast aluminum. There’s a close-up of it (see right-hand image). You could build an array of these things. It just punctured the disk in multiple places. So I think – totally feasible.
We also had a pneumatic nailgun around, and I didn’t have high hopes for the pneumatic nailgun, because it didn’t involve any form of chemical propellant or explosive. So I was like, you know, how good is that gonna be? But let’s give it a shot anyway. I didn’t even use a new drive for it. But it turns out, it goes straight through the fucking drive (watch video below). Really nice!
And it uses a big flat pancake cylinder (see right-hand image). The one that’s on this particular nailgun is big, but you could quite easily build a low-profile pneumatic cylinder that would fit in your extra 1U that you have according to these rules and just punch through the drive in a whole bunch of places. So, quite nice. There’s a close-up shot of those nails (see left-hand image), just got all the way through. And they went out the other side. Again, totally feasible. So, thermite – 0, nailguns – 2. But this is what we’re really excited about (see left-hand image), right? This is why we came here. There’s no doubt that we can destroy drives with high explosives. We also get thermal factors as a bonus, we can do explosive welding. So the goals for me here were, alright, let’s see if we really could confine this explosion to the rack equipment; and I personally had been wanting for some time to experiment with some new techniques: a binary liquid explosive, and 3D-printing shaped charges. And then, another sub-goal here was, for me personally, to pass Go, collect $200 and not go to jail for this. So, let me introduce what I’m calling FELIX (see right-hand image). This is a commercial high explosive, a liquid binary. It is expensive, I did not want to pay for it. So I decided to clone it. I’m not going to say its real name, but it rhymes with FELIX, and I’m calling it “Field Expedient Liquid eXplosive”. It’s very similar conceptually to Tannerite and KinePak, which is ammonium nitrate and aluminum powder as a sensitizer. I reverse engineered it from the commercial product. It’s based on nitromethane. As a sensitizer I used stearic acid coated, 5-50 micron aluminum.
That means, these individual components are simple to ship – they are just HAZMAT. They are not explosive until they are mixed. This is the stoichiometry. I still don’t know the ideal ratios, but that’s the reaction. So the nitromethane is the high explosive, it decomposes by itself. 
The aluminum acts as a sensitizer, but the aluminum then is consumed by the water produced by the nitromethane decomposition. So it adds energy to the mixture.
Alright, the legal thing (see right-hand image). I thought that with my friends, who have a federal high explosive manufacturing license, we’d be all set. They have possession license and they have high explosive manufacturing. It turns out, we found right before we were supposed to do this project that it’s not just the feds who care about this shit, and you have to get a State Type 2 License as well. So we were like “Oh fuck! Are we gonna be able to do this in time?”
We just managed to get it done in time. So we were all legal and legit and we could do this stuff. The big thing that we needed at the end was to have a range where we could do this, because the state wants to inspect your manufacturing facility. And we said, well, you know, you understand what’s going on here, right? This is these two things, and wherever we mix them – that’s the manufacturing facility. Too bad, they want to know where you are going to do it.
So we ended up, very luckily, finding a local bomb squad that would let us use their range, so that was really nice. As a result of all of this stuff, my friends and I are actually forming a consulting group. So a little plug here – if you want to ever do this kind of work, then talk to me because we can now do it. Even though it’s kind of regulatory hell, being in regulatory hell is better than being in prison.
The stearic acid turns out to be a really important component of this explosive. And if you don’t get that amount right, it doesn’t work. So this is a test shot using pyro aluminum powder (watch video above). It’s stearic acid coated, but not that much stearic acid. Here’s a high-speed shot. And what you’ll see there is that the blasting cap just throws it around. That is a non-detonation, right? So that is a total fail.
When you get the stearic acid content approximately right, this is what it looks like (watch video above). So, I’m sure many of the people here already know this, but this is 101, so let’s talk a little bit about the Munroe effect (see right-hand image). That’s the official name of the effect when we say “Shaped Charge”. What it means is you have a groove, often conically shaped but it can’t be linear, for example like a cutting charge, in your high explosive. So when you put that with the groove facing the material you want to cut and you set it off, the cavity concentrates the shock wave and forms a kind of a jet. And you can actually line the cavity with copper or tantalum and form a liquid metal jet that will cut through whatever you are trying to cut through. Very-very useful technique. A lot of the anti-tank warheads and that kind of stuff uses it. So here are a few design tips for doing it (see left-hand image). What I was doing is I was laying out a cup to hold the FELIX in OpenSCAD. A few rules of thumb: apex angle should be 40º-90º – the narrower the angle the greater the penetration until your jet collapses and doesn’t work; you want to stand it off by about 2-3.5 cone diameters; and your explosion charge height should be a little bit more than the height of the cone. First of all, what I thought was, well, what about doing a linear shaped charge in the shape of a ring (see right-hand image), and putting that on top of the drive so that you cut through the platters? I designed this all so that it would fit within 1U. So there it is, viewed from the top, 3D printed; and viewed from the bottom.
We can fit 60 grams of FELIX in this little container, and using a plastic cup there for the standoff. Don’t concern yourself too much at this stage with the containment, because I’ll work on that later. This (watch video below) is shot at normal speed and then just slowed down. Here’s another shot, same technique, same amount. 
You can see a bit of that drive exit stage right.
Here are the results (see right-hand image). Not as impressive as I’d hoped, unfortunately. The first thing you’ll notice is there’s a lot of unconsumed aluminum, so that stoichiometric mix was not correct. That was over-aluminized. Turns out, you know, you don’t need too much to sensitize the nitromethane. It stripped all of the platters off the spindle, which is pretty cool. And it has crushed the platters amongst themselves. So, you know, definitely it’s done some damage. Definitely it would be difficult to exploit information from this drive. And there is one place where the shaped charge has done its job and it has cut through, but that corresponds to where the cap was placed on that shot. So, basically, we’re doing the right with this charge, but we’re having a problem capping it, because the charge is not propagating around the ring the way that we want it to. So I thought about another idea. What about if we make our shaped charges radial (see left-hand image), coming out like that? Here’s another OpenSCAD model. And also, to try and stop everything from flying around – we found a lot of aluminum around the place with those shots – I made a lid for it as well, with a little hole to feed some detonation cord through. So there’s a 3D printed charge (see right-hand image). 100 grams of FELIX this time, a bigger physical thing. You can see the det cord that we’re using to set it off all around the place, 18 inches of 80 grain det cord (watch video below). Where did it go? This particular camera, by the way – that’s the close camera – it’s inside an ammo box with a 1-inch acrylic window on it. You can see it gets a good shake from the shockwave. Another one is from a GoPro 120fps, and you can see bits of that drive go in all directions, nothing very big. So we had to search a bit to find the pieces. This one (see left-hand image) is interesting because all of the surface-mount components have been ripped off the board. 
Here’s part of the platters (see right-hand image). Some more of the platters (see left-hand image below). And we’ve actually got some explosive welding happening here. That’s actually the top plate and the platters have been welded together. So, very nice. That made us think, well, let’s try and do some compression welding. Let’s actually just try and exploit that alone. This is just a straight-up det cord shot, a 100 grain det cord in that top one (see right-hand image). And then the double-sided version – doing some on each side to have the shockwave move from the outside in and compress everything together. I’m going to show you the single shot later on, because we did another interesting experiment with that at the same time. This is the double shot – that’s how we set it up (see right-hand image). So actually, the drive is not in frame anymore, but it didn’t move very far (watch video above). It was actually quite well-balanced. Here is a slowed down shot. You can see it just hop actually only a couple of feet, but it’s a sloped piece of land there, so it just drops down to where you can’t see it in that shot.
There’s the drive that has still got the plates on it (see left-hand image). When we took that top plate off, you can see it did not strip the platters off the spindle like the FELIX shots did, but it did compress them together very nicely and explosively welded them (see right-hand image). You can’t see because they’re welded together, but you can see that the read head is welded to the top platter (see left-hand image).
This is the double shot (see right-hand image). It didn’t do nearly as much damage. I mean, okay, the single shot is 2.5 times the double shot in terms of total explosive weight. So this is 40% of the charge of the single shot. It did deform the platters quite nicely and made this really cool groove in them (see left-hand image). But we can see here that they were not welded together in any way, shape or form (see right-hand image). This is a Seagate drive, by the way. It just goes to show anything you do to a Seagate drive doesn’t work. But we do know that the charge that we need to use to compress the platters and weld them is between those two levels somewhere. So that told us something. Alright, moving on, the bomb squad said to us “Oh, by the way, we have hundreds of these oil well perforators that we want to get rid of. Would you like a few?” These are, like, downhole perforators (see right-hand image). So, you know, they drill the well and they stick a pipe down it, and then when it’s all done they put a pipe with these things on it to basically punch little holes through that pipe and through the concrete surrounding the pipe, and let the oil in so that they can suck it up, right? So they are designed to go through steel and a foot or so of concrete. To paraphrase Ghostbusters, if the bomb squad asks you if you want to be friends and share their stuff, you say yes.
These are set off with det cords. They are full of a very fast high explosive, maybe HMX, and there’s just a little bit of foil at the top to let the shockwave through. And then you can see here the classic shaped charge. So you got your conical cavity lined with copper, and this particular one that I’m pointing to there has a standoff, so everything is right for it to cut through things.
Here’s the shot we did with two perforators pointing up (watch video above), just to get rid of them at the end of the day actually. But I want to draw your attention to a still frame from that (see right-hand image). You could never get this shot if you tried, like, a thousand times, at 30 frames per second, right? These are the jets from the perforators. That’s the blasting cap. The shockwave has gone through the det cord, set off the shaped charges, and it hasn’t had time yet to break through just the plastic shell of that det cord. This is a miracle still frame. Here’s how we set it up on the edge of the drive (see right-hand image) to see how much we can cut through. Here’s the shot (watch video above). There’s also a B camera shot. You can see a chunk of the drive go flying off top left. There you can see how it just, basically, cut straight through the cast aluminum casing (see left-hand image). Here are the platters (see right-hand image below). There’s all the bits we could find.
Some of it went in the water. But wait a second, down the bottom right – what is that?! That is where the drive was sitting (see left-hand image). That’s a hole through the quarter-inch steel plate underneath the drive (see right-hand image). That’s the exit hole on the other side (see left-hand image below). That’s the hole it dug in the ground (see right-hand image below). And that’s the piece of wire we used to measure the hole: 15 inches after going through the drive and steel plate. Yikes!
So the bomb squad was interested in that. The next time they brought the smaller version of the oil well perforators (see left-hand image). Once again, a Seagate drive. You will remember these 1.5 terabyte Seagates if you do anything with disk drives, because this is when the Asian tsunami happened and quality control went through the floor because all the facilities weren’t working. And so every single one of these Seagate drives failed, if you look at the statistics.
This time we are going to do two perforators coming in at 90 degree angles (see right-hand image) and see what kind of results we get there. And this time we’re laying the drive down. This time we brought the FS700 so that we could shoot at 960 fps (watch video below). You see a bunch of drive exiting to the top of the screen. You get more of an impression of that on the wide shot from the GoPro. So they’re out of the ballpark.
We actually didn’t find enough pieces of that drive to really draw too many conclusions about it. We found this much (see right-hand image), and you can see that the drive case just very nicely quartered like that. But we didn’t find the platters, so we had to do the shot again.
We were all out of 1.5 terabyte Seagates, so we used this one (see left-hand image). I’m not removing a label from this drive, but I think I’m going to void its warranty anyway. And this time we put the steel plate on top to just try and keep the fragments to where we could find them (watch video below). The GoPro shot is nice of this one. Just a little graceful leisurely arc.
So there’s what we found of that drive in terms of the case (see left-hand image). It also did a really nice job going through to the center spindle. And there are the platters (see right-hand image). So we cut through the platters but not through the spindle itself. I feel like we could probably tune these shaped charges to go just through the hard disk and no further. So I feel good about shaped charges, but there’s one other charge I wanted to try, which is a diamond charge (see right-hand image). The EOD folks use these a lot for cutting. What you do is you create a flat high explosive and you cap it at both sides, and when you set it off the shockwave comes in from both sides, meets in the middle and turns 90 degrees. And you get a jet that comes out either side and cuts through whatever you want to cut through. And what I wanted to use for this was this stuff – it’s detasheet, it’s kind of like a high explosive ‘fruit roll-up’ (see left-hand image). I’ve used it before, and we had some, so I wanted to use this on the shoot. But it’s difficult to transport. You have to be placarded to transport this stuff based on the original packaging. No matter how much you actually have, it’s just what’s written on the packaging. So we had a small amount, but the package said it was a huge roll, like a kitchen roll. And so we couldn’t move it. We could get it but we couldn’t transport it. Instead, I 3D-printed again a container and filled it full of FELIX, and we capped it from both sides with det cord (see right-hand image). So here it is set up, 60 grams of FELIX, and there it is good to go on the drive. And on this shot (see left-hand image), the diamond charge is underneath the big steel plate, and we’re also getting rid of some surplus perforators under the big steel plate at the end of the day. That’s a half-inch steel plate. There’s, I think, three of the small perforators under there. You’ll need to know that for this video (watch below). 
That’s the big plate coming down. The heavy plate is not in that shot. But it is in another shot – once again, this was, I think, our last shot of the day. Wait for it. There’s the quarter-inch steel plate, and there is the half-inch one. The good thing is we didn’t need that anymore, because it was gone. There’s the drive (see right-hand image). It didn’t actually do too much, it just acted like a platter charge. You can see the edges of the diamond in it, didn’t cut it. Total failure. Anyway, it was interesting. I’d like to try that again with a detasheet, because I know that works. So, blast suppression (see left-hand image). We had fun blowing things up, but can we actually make this work inside equipment? So we’ve got to couple the blast to the drive, but we want to decouple it from our equipment. So we have the explosive against the drive and some kind of a damping material between the explosive and the equipment shell. What are we going to use to damp it with? It would be great if we could get some kind of a nice substance that was an alternating compressible and incompressible matrix, maybe like some kind of liquid and gas foam. It would be great if it was inexpensive and that we could actually inject it into the equipment when we wanted to so that we don’t have to have our equipment full of foam.
Where could we get such a wonderful hi-tech magic thing? Shaving cream! We learned this from the explosive engineering instructors. They actually use this when they explosively punch out lock cylinders. They’ll put a big cupful of this stuff over the explosive and just punch out a cylinder, and the shaving cream damps the noise and the frag.
So, I said I’d return back to this shot (see right-hand image), the single 100-grain det cord shot, plus the shaving cream, inside a box. Let’s see how that did (watch video below).
You can see the A camera there to the left of the shot. So, alright, you know, this was a shot in which the drive was really shredded, and stuff definitely flies everywhere. But let’s take a look at some still frames from our two cameras on this shot.
That on the top left is the first detonation frame of the shaving cream shot with the 100-grain det cord (see right-hand image). To the right of it is the first frame without the shaving cream from a charge that was 40% the size of the left one. So the left one is 2.5 times the explosive as the right. On the lower images, that’s it from the other camera. So if nothing else, we’re definitely damping the flame and heat pulse that’s coming out of that. That’s pretty interesting to me.
So we tried this again with a kind of a simulator of a 1U rack (see left-hand image). Here’s 75 grams of FELIX, it’s the annular shaped charge thing again. This is our 1U rack simulator, the steel plate with the angle pieces welded to it. Set up here, coated in shaving cream. And then with the other plate on top of it with a sandbag (see right-hand image). So we’re just kind of getting an idea about, you know, stuffing the 1U and what’s going to happen. I personally think that’s pretty impressive (watch video above). Here’s the FS700 shot. Stuff goes flying, but markedly different from all those other undamped shots that we did.
Here is the steel plate (see left-hand image). And yep, it made a dent in the steel plate. That’s where the drive was, and that’s the other side of the steel plate. So it’s dented, but totally non-perforated. On the other one, you can see it didn’t clear quite so well. We did actually unfold the angle iron and split it a little bit, but you can also see the drive imprinted on the plate there.
But the summary here, after damping stuff: with enough engineering effort, the high explosives just might fucking work.
I have to go really fast now with electric. There aren’t too many things in there (see right-hand image). The goal was, you know, we’ve got electricity already in the data center, so let’s do it. And especially I wanted to look at SSDs. Things I didn’t do: mass degaussing – boring to watch, I didn’t want to put you through that. EMP/microwave/RF attacks might have been fun to do, I may do that later. The first thing I wanted to do was exploding bridge wire, so here’s our sketchy capacitor bank and spark gap trigger (see left-hand image). This is how we challenged that with good old-fashioned vacuum tubes. And I could not find anyone that had SSDs that were broken that they would give to me, because they are just too new. I’m sorry, I love you all, but I’m too cheap to spend thousands of dollars on SSDs just to blow them up, so I’m just using flash drives. It’s very similar. The SSD looks the same inside, it’s just flash memory chips soldered onto the board. So I think we can draw some conclusions here. Here’s what happens when you dump a lot of high voltage through a wire (watch video above). Here’s a high-speed shot of that. Happens very, very quickly. So the first thing I wanted to do was just to physically couple that to a drive and see if we could just use the force of that explosion to destroy things. Another high-speed shot – you can see in the high-speed shot that it didn’t work. Nothing happened to that chip, although, when we look at it closely afterwards, the memory chip itself fared just fine but we did decap the microcontroller on the other side (see right-hand image). That’s actually blasted the parting material off the chip. But we cannot rely on this method.
So what about if we have our drives in our data center and we are hooked to power and ground and we can deliver a large voltage spike when we want to produce a spark gap or something like that? So I soldered power and ground to these flash drives (see left-hand image).
Here is the real-time (watch video below), nice shot.
High-speed – we can see in the high-speed shot that we really did some damage there. And there we can see that we blew the flash memory chip right off the board (see right-hand image). You can see all the internal leads from the chip. We broke the chip in half and decapped it. So, nice lot of damage to that.
The one thing we don’t really know is how recoverable flash memory chips are when that’s happened to them and whether you can use microscopy techniques to get stuff back. But I’ll say it’s potentially feasible to destroy things quickly that way, at least to make it difficult to do a recovery effort on.
For regular drives, that’s an inductive deformation of a soda can (watch video above). So you can wrap a coil around something metal and you can do a shot through it and destroy the hell out of it. That’s 200 fps. Here’s another shot of that. Obviously, there’s a big difference between a soda can and a hard disk. The other one is at 100,000 fps, so you can see that this squeezes down very, very quickly. This is the other side. Basically, the whole time I’ve been talking over this slide, 10 milliseconds have not yet elapsed. So you can destroy things really quickly, and it would be really great to destroy disks that way, but the necessary power levels to do it with hard disks are currently unknown. Maybe we’ll do some real mad science later on.
So here’s the summary (see right-hand image), the most feasible methods in each category. The plasma cutter worked great in thermal. Oxygen injection, I think, could be feasible but may require complex injection. Kinetic – the nailguns were great. Damped high explosive was really fun, possibly failing the seismic part of the rules – oh well, who cares? Electric – high voltage power spike was good, but we don’t really know the forensics resistance of SSDs. Number of eyes lost – zero. Now, just before the goon drags me off stage here, I just want to say one more thing. Mobile solutions. We’ve been talking about data centers. But when they picked up Ross Ulbricht, the Dread Pirate Roberts, they basically mugged him in a public library. They grabbed him, they dragged him away from his laptop, it was unlocked and they harvested everything they needed to put him away for life for federal crimes. These days we can very easily, with commonly available open-source hardware, develop systems that are proximity connected to our computers using Bluetooth or whatever.
So I just want you to consider this (watch video above). Thank you very much! And feel free to come and talk to me about all your ideas for doing this later on, and then maybe we will make another DEF CON talk about this stuff another time. Thank you!