Physically Securing Information

CS 463/480 Lecture, Dr. Lawlor

If I have physical access to a computer, I can very rapidly permanently root it by:
  1. Booting the computer from my own USB stick or DVD running reset tools (such as pogostick).  Countermeasures: BIOS lock, USB ports desoldered or filled with epoxy (but then how do I do maintenance when a disk dies?). 
  2. Reading any data I want directly from the hard drive.  Countermeasure: whole-disk encryption.
  3. Adding software backdoors like secret network servers, kernel modules, etc.  Countermeasures: filesystem and rootkit audits.
  4. Adding hardware backdoors like a keylogger installed in the keyboard itself, re-flashed hard drive controller, or a black box attached to the ATM.  (Snowden leaked the NSA catalog of hardware implants.)  Countermeasures: physical tampering audits, component x-rays.
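A minimal form of the filesystem audit named as the countermeasure in item 3, written here as an added example for these notes (not code from the lecture): record a manifest of hashes, permission bits and sizes from a known-good state, keep that copy off the machine, and diff a fresh manifest against it. The file names and the tampering scenario in `demo()` are constructed.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def hash_file(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks so large binaries don't fill RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Relative path -> (sha256, permission bits, size) for every regular file under root."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.lstat()
            key = p.relative_to(root).as_posix()
            manifest[key] = (hash_file(p), stat.S_IMODE(st.st_mode), st.st_size)
    return manifest

def audit(baseline, current):
    """Diff a trusted baseline manifest against a fresh one. A permission change
    (e.g. a newly set setuid bit) counts as a modification even if contents match."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Constructed scenario: baseline a tiny tree, then simulate tampering after physical access."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, data in {"bin/login": b"original login binary",
                          "etc/ssh_config": b"Port 22\n",
                          "var/log/auth.log": b"...\n"}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        baseline = build_manifest(root)  # keep this copy off-box or on read-only media
        # Simulated tampering (constructed): backdoored binary, setuid flip, new daemon, wiped log
        (root / "bin" / "login").write_bytes(b"backdoored login binary")
        os.chmod(root / "etc" / "ssh_config", 0o4755)
        (root / "bin" / "helper").write_bytes(b"hidden network server")
        (root / "var" / "log" / "auth.log").unlink()
        return audit(baseline, build_manifest(root))

if __name__ == "__main__":
    print(demo())
```

Run the audit from a trusted boot medium rather than the suspect OS: a kernel-level rootkit on the compromised machine can hand the auditor clean-looking file contents, so an on-box check only catches attackers who did not also subvert the kernel.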
There are some very powerful physical attacks possible, like replacing selected USB cables with an externally identical tiny radio-controlled USB keyboard, or chilling and pulling the DRAM modules to grab everything in RAM (a "cold boot attack"), or using a magnetic force microscope to recover overwritten blocks from magnetic disks.

Slowing down big dumb physical attackers

The classic big dumb attacks are:
The classic countermeasures against big dumb attacks are adding big dumb materials:
These things often get combined: a safe is a steel box, but there's often a sheetrock inner liner for thermal resistance.  A vault or bunker uses reinforced concrete, which includes steel rebar to gain some of the strength of steel, while maintaining a cost more like concrete.
You can also defeat big dumb attacks like drilling using reactive cleverness, like a sheet of tempered glass designed to break when you drill it, that permanently "relocks" the safe's bolts.  Modern "explosive reactive armor" or "active countermeasures" on tanks defeats explosive warheads by ... exploding them.  Having a really big facility, several miles across, helps to dissipate blast and keep attackers from escaping with your loot, although it also increases the perimeter you need to defend.

Classic blended attack example: "The Score (2001)", where the attacker (Robert De Niro) sneaks into a secure room, uses an oxygen lance to slowly burn a small hole in a safe, fills it with water (an incompressible fluid), and detonates a small explosive charge that detaches the whole door, including the glass relockers.  MythBusters tried this, and the explosive part worked great, but lancing the safe wall torched everything inside the safe (not so good for computer parts or cash), and the safe is designed to not hold water.

The nice part about big dumb attacks is they're obvious--you're not going to keep using the server if it's been torched or blasted open.

Detecting slow sneaky physical attackers

Slow sneaky attackers are a much harder problem, because you might not even realize they've been there.  This means you might keep using the compromised private key without revoking it, continue to provide attackers with financial data, etc.
Countermeasures are primarily detection: