3

After watching a Defcon talk about data destruction, I became interested in the subject of how I would go around remotely destroying all my data on all my systems.

I got to a point where I figured out how to arrange everything so a script would be executed by an SMS. The problem is that I don't know what the script should be.

Technical details:

  • All my servers run something Debian-ish (Mostly Ubuntu).
  • Not all of my systems are encrypted (This means that removing the encryption key is not something I can rely on).
  • I do not have physical access to all my servers.
  • I would like this to be able to stop highly motivated criminals (such as the United States Gov.)
  • I really don't want to use explosives.
  • I cannot establish a connection to the machines from anywhere. I am limited by an SMS (For the trigger, not the setup).

Is there something I can do for something like this?

Slava Knyazev
  • 716
  • 5
  • 12
  • Just to be clear; you've already figured out how to trigger a script on all your "systems" using an SMS; you only want to figure out what that script should contain? – Jedi Aug 08 '16 at 04:16
  • @Jedi Exactly that. – Slava Knyazev Aug 08 '16 at 05:05
  • You need to assume that since you don't have physical access to your servers the government would have no trouble getting at your data without you even knowing until it's too late. It's possible to resist government-level attackers but you have to build and maintain your all infrastructure yourself, from the phone lines to physical security. – André Borie Aug 08 '16 at 10:55
  • 1
    Nuke from orbit. It's the only way to be sure. – Aron Aug 08 '16 at 11:13

2 Answers2

2

It's simple: Encrypt all your systems

If you have hard disks, you can securely delete them by writing random data to every location. There might be some spare area that is used to replace defective sectors, but not that much and replaced sectors are defective anyways, so this should be secure enough for you. But for your scenario, this doesn't seem to be that adequate. If you have a 4TB disk, you'd need about 3,7 hours to overwrite it, assuming a constant 300MB/s rate. If you get the information the government is searching your home, do you think they'd wait a few hours to let you delete your data?

If you have SSDs, it's even worse. You cannot reliably delete them. SSDs have more storage than advertised to the system. They use this for overprovisioning to replace defective cells, as fast cache and for wear-leveling. There is no reliable way to delete all data. The SSD might look empty or filled with random data after you "cleaned" it, but someone reading the flash chips inside will still get parts of your data.

There are newer SSDs which can be securely deleted. They work by always encrypting all the data on the SSD. If you don't set a key, they just store the encryption key in plain. If you want to clear the data, this key is deleted, everything on the SSD turns into garbage.

So there is no solution but encryption for you. If you have new SSDs and trust the manufacturers, you can just wipe it with a command. Usually it is the secure erase command, but you have to make sure that your SSD really uses hardware encryption before, else it won't delete all data (or for some drives it doesn't actually delete any flash cells, just marks them empty in the controller).

The most secure way is to use your operating system encryption tools.

For your use case, you can configure the servers to automatically unlock the encrypted drives by storing the key in plain. You just need a way to securely delete this key fast. The most secure way would be to use a smartcard, but storing it on a HDD should also work. (NOT a SSD, unless you can securely erase the whole SSD)

Josef
  • 5,903
  • 25
  • 33
0

Because your trigger should be SMS, you must first set up a way to tell all those machines that you sent an SMS. One option could be to give them all a cellular modem, SIM and phone number, and then you just text every single one of them with the trigger word. That would be impossible given that you don't have physical access to them, not to mention it would be a pain to maintain.

The second solution would be to set up a single trusted machine with a modem somewhere in a safe location with good cellular signal, and have that machine SSH into your other servers and execute the erase commands once it receives the trigger word over cellular.

You should also take into account that the SMS sender ID can be spoofed, and SMS can be intercepted and modified in transit by the carrier or an attacker (either by compromising the carrier's infrastructure which is a disaster from what I've seen, or by making the modem downgrade to crap crypto and then cracking that crypto over the air). The minimum you should do is to have the trigger word be a random string that would function as a key and that string should never ever be sent before, so the carrier and attackers won't be able to know it in advance (for testing use a different key).

For the actual kill script that you need to run on the servers, you can either attempt to remount the root file system as read-only (very likely to fail since most running programs would have read-write file handles open), or have the servers reboot into an specific OS that would have the sole task of wiping the drives.

Depending on your OS, you'd need to create an initial ramdisk containing the required kernel modules to be able to write to the storage drives, as well as the actual binary that would wipe the disks and all the libraries it depends on. shred is a tool exactly designed for that - you give it the device node of your drive and it overwrites it three times with random data. Make sure the filesystem isn't mounted read-write though, otherwise buffered writes containing confidential data may be flushed back to the disk after it had been wiped.

Take a look at a similar answer.

André Borie
  • 12,706
  • 3
  • 39
  • 76