Physically Securing Information

CS 463/480 Lecture, Dr. Lawlor

If I have physical access to a computer, I can very rapidly permanently root it by:

Booting the computer from my own USB stick or DVD running reset tools (such as pogostick). Countermeasures: BIOS lock, USB ports desoldered or filled with epoxy (but then how do I do maintenance when a disk dies?).
Reading any data I want directly from the hard drive. Countermeasure: whole-disk encryption.
Adding software backdoors like secret network servers, kernel modules, etc. Countermeasures: filesystem and rootkit audits.
Adding hardware backdoors like a keylogger installed in the keyboard itself, re-flashed hard drive controller, or a black box attached to the ATM. (Snowden leaked the NSA catalog of hardware implants; you can buy the home versions from Hak5). Countermeasures: physical tampering audits, component x-rays.

There are some very powerful physical attacks possible, like replacing selected USB cables with an externally identical tiny radio-controlled USB keyboard, or chilling and pulling the DRAM modules to grab everything in RAM (a "cold boot attack"), or using a magnetic force microscope to recover overwritten blocks from magnetic disks.

Slowing down big dumb physical attackers

The classic big dumb attacks are:

Denial of service, by burning down or blowing up the entire building.
Intrusion by drilling, melting, burning through, or blowing up the door or locks protecting your data.

The classic countermeasures against big dumb attacks are adding big dumb materials:

Dirt is under $10/ton, but it's very low strength. Put dirt in bags or boxes, like the HESCO gabion units at US operating bases, and you can stop a truck bomb at very low cost.
Concrete is $100/ton delivered, but it's brittle and difficult to modify once cast. This can be an advantage, because quartz-heavy concrete is very slow to drill even with a diamond cutter, although a thermic lance can still melt through it.
Steel is $1000/ton or more, but it's much stronger, and can be welded and formed. The biggest downside of steel is it is heavy and difficult to shape cheaply. Another downside of steel is a jet of pure oxygen from a cutting torch can rapidly cut steel even several inches thick, so often a concrete layer is added to prevent thermal attacks.

These things often get combined: a safe is a steel box, but there's often a sheetrock inner liner for thermal resistance. A vault or bunker uses reinforced concrete, which includes steel rebar to gain some of the strength of steel, while maintaining a cost more like concrete.

You can also defeat big dumb attacks like drilling using reactive cleverness, like a sheet of tempered glass designed to break when you drill it, that permanently "relocks" the safe's bolts. Modern "explosive reactive armor" or "active countermeasures" on tanks defeats explosive warheads by ... exploding them. Having a really big facility, several miles across, helps to dissipate blast and keep attackers from escaping with your loot, although it also increases the perimeter you need to defend.

Classic blended attack example: "The Score (2001)", where the attacker (Robert de Niro) sneaks into a secure room, uses an oxygen lance to slowly burn a small hole in a safe, fills it with water (an impressible fluid), and detonates a small explosive charge that detaches the whole door, including the glass relockers. Mythbusters tried this, and the explosive part worked great, but lancing the safe wall torched everything inside the safe (not so good for computer parts or cash), and the safe is designed to not hold water.

The nice part about big dumb attacks is they're obvious--you're not going to keep using the server if it's been torched or blasted open.

Detecting slow sneaky physical attackers

Slow sneaky attackers are a much harder problem, because you might not even realize they've been there. This means you might keep using the compromised private key without revoking it, continue to provide attackers with financial data, etc.

Ninjas. "Mission: Impossible (1996)", the attacker (Tom Cruise) makes it into a secure machine room with a pressure-sensitive floor by rappelling down from an air vent. (Countermeasure: air vents are 6" across, and have lasers.)
Lock picking ranges from laughably easy to incredibly difficult, depending on the lock. The theory behind a pin-tumbler lock is the key operates like a secret key, raising each pin tumbler by the amount it needs in order for the cylinder to turn. A lock snap gun or bump key can defeat some locks by momentarily pushing the tumblers up out of the cylinder. In 2004, it was revealed many round bicycle locks could be opened with a pen tube.
Insider attacks, like the sysadmin who has decided he disagrees with what your organization is doing, and is going to leak everything you have, or sell it to the highest bidder.
It's usually the stuff you don't think about, like the under the door tool.

Countermeasures are primarily detection:

Alarm systems are designed to allow rapid active response to an intrusion, which is great, but they need to be able to reliably detect intrusions, which is hard in general--a door opening sensor is easy and can be made reliable, but what if they didn't use the door? Video is great if somebody's watching it, which is very difficult in the long run. Mythbusters has done several tests of detection systems (video, thermal IR, ultrasonic motion sensor, laser beam break), and there are countermeasures for nearly everything.
Highly trained, well armed and armored guards on random patrols with reliable realtime radio communication and lifesign telemetry to a secure central command center works great. But it's overkill for most datacenters.
Tamper-resistant seals, like glitter nail polish [Michaud and Lackey, 2013]: you paint the server's screws with glitter nail polish, and photograph the random orientation of glitter flakes. The downside is this is purely reactive security: your data is already gone.