[Complete] Paranoid NAS Part 2: Mercury Kill switch (Get crackin' challenge)

@Atomic_Charge @gearheadgirl27

This project is a follow-up to the last of @Atomic_Charge's challenges where I put on my tin foil hat and put together an ultra paranoid encrypted NAS.

For this project I'm building a physical kill switch/intrusion detection system which will shut down or reset the NAS if it is tampered with. If paranoid mode is enabled this will cause it to lock the disks so that an attacker can't access the data; if paranoid mode is disabled the system can be brought back online and the disks unlocked automatically.

Yes I know this is a terrible idea, I know that if there's one thing worse than full disk encryption for unrecoverable data loss it's full disk encryption with sudden power loss. Shhh.

So the plan is to have a mercury switch that will detect movement of the case, and a micro switch which will detect when the side panel is removed. There will also be a hidden arm/disarm switch, because otherwise it's going to be a total pain in the arse. Now I know a little bit about electronics, but not a whole lot, so I'm not going to build this into the power supply which would be a much more reliable option. Instead I'm going to connect it to either the power or reset switch connectors on the motherboard, as either way it will trigger a lockdown of the disks if the system is in paranoid mode (for anyone unfamiliar with the previous project, when in paranoid mode the servers will ping each other every minute to see if they're still connected and lock the disks if they're not, so a reset or shutdown will trigger that).

Thanks a lot to @Th3Z0ne for helping me out with the plan, and thanks for this helpful diagram:

Initial testing

I'm still waiting on some of the parts to come from China; all I have so far are the relays, some wire, and a micro switch I stole from work. So for now I've just thrown something together to see how it will work and refine the plan.

For testing I have the vibration sensor connected to the relay board and that's powered off the 5V pins from a molex connector. This is enough to see how the vibration sensor will work. In the completed version the mercury switch (I'll explain why the vibration sensor is crap in a minute) and micro switch will be connected to the relay, the arm/disarm switch will be on the power side and the other side of the relay will connect to the motherboard power/reset pins.

The vibration sensor test revealed that the vibration sensor will not work. There are two problems. The first is that the sensor triggers too quickly; it might even be so quick that it won't register, so for it to work it would probably need a delay added as well. But the bigger problem is that when there is no movement the sensor will either be in an on or off state, as in what state it's in at rest is different every time. This makes it unusable for this project.

Here's a video which shows the problem:

I'm going to have to wait for more parts to arrive before I can continue with this project, or even further testing as it's nowhere near something I feel comfortable actually connecting to my server. Hopefully they get here in the next few days and I can complete this project before the end of the month. But for now we'll consider it a work in progress.

9 Likes
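The paranoid-mode behaviour described in the post above (the servers ping each other every minute and the disks lock when the peer is gone), as an added example that is not the poster's own script. `PEER`, `MAPPINGS`, `PARANOID_FLAG`, `STATE` and `MAX_MISSES` are hypothetical names, the miss counter goes beyond what the post describes, and locking with `cryptsetup luksSuspend` is an assumption about how the disks could be locked.

```sh
#!/bin/sh
# Added example, not the thread author's script. All names below are hypothetical.
PEER="${PEER:-192.0.2.10}"                      # partner/key server (documentation address)
MAPPINGS="${MAPPINGS:-crypt_disk1 crypt_disk2}" # dm-crypt mapping names (placeholders)
PARANOID_FLAG="${PARANOID_FLAG:-/etc/paranoid.enabled}"  # file present = paranoid mode on
STATE="${STATE:-/run/paranoid.misses}"          # consecutive missed heartbeats
MAX_MISSES="${MAX_MISSES:-1}"                   # 1 = lock on the first missed ping

# Kept as separate functions so they can be replaced when testing without root.
probe_peer() { ping -c 1 -W 2 "$PEER" >/dev/null 2>&1; }
# luksSuspend blocks I/O on a still-mounted volume and wipes its key from kernel memory.
lock_disk() { cryptsetup luksSuspend "$1"; }

# One heartbeat cycle. Prints disarmed / ok / "miss N" / locked; returns 1 once locked.
heartbeat() {
    [ -e "$PARANOID_FLAG" ] || { echo disarmed; return 0; }
    if probe_peer; then
        echo 0 > "$STATE"
        echo ok
        return 0
    fi
    misses=$(( $(cat "$STATE" 2>/dev/null || echo 0) + 1 ))
    echo "$misses" > "$STATE"
    if [ "$misses" -lt "$MAX_MISSES" ]; then
        echo "miss $misses"
        return 0
    fi
    # Attempt every mapping even if one fails, and report failures on stderr.
    for m in $MAPPINGS; do
        lock_disk "$m" || echo "lock failed: $m" >&2
    done
    echo locked
    return 1
}

# Run from cron once a minute:  * * * * * /usr/local/sbin/heartbeat.sh run
if [ "${1:-}" = "run" ]; then heartbeat; fi
```

Because a power cut or reset also ends the heartbeat from the partner's point of view, the same check on the partner side is what ties the physical kill switch to the disk lock.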

It's been a while but I finally got the kill switch complete, or the first one at least.

The wiring is pretty dodgy but whatever, it does the job. For the second one I might look at getting a board made or something (no idea how that works).

The relay isn't really necessary as I could just wire the switches directly to the power switch header on the motherboard, but I decided to keep it for the LEDs that indicate when it's powered on. That makes it easier to tell if it's active or not. I also really like the noise it makes.

The system is powered from the 5V on a molex plug and the arm/disarm switch simply cuts power to the relay. All the other switches (mercury and micro switch) are wired in parallel and if any is triggered it will cause the relay to close the motherboard power switch header, causing the system to shut down.

Here's a video demonstrating it; the quality is pretty awful as I was just using my phone and a desk light.

How useful is it? I'm not really sure. The paranoid mode script already locks the disks if the system is removed from the network, so even if the system were hooked up to a battery so it could be removed without losing the keys in memory the script would lock the disks anyway. But it's a foolproof (ish) fail-safe for if the scripts fail for some reason. Also mercury switches cool.

If you tell me what parts you finally will use, I might be able to make a new schematic that fits the given hardware better.

The one you got from me was a quick doodle without actually taking into account whether the switches and sensors are opener or closer, or if they need power themselves ...

Just page me if ya need any assistance =)

1 Like

I'm thinking of wiring up three or four mercury switches in parallel to pick up tilt in several directions. The relay came with the vibration sensor which I was hoping would work differently, but that's okay. I'll probably keep using the relay board anyway because it will be nice to have the lights so I can tell if it's armed or not.

2 Likes

lmao

That's a really interesting idea though.

2 Likes

I'm sure that bottling machine didn't need ALL those switches :P

The fact that it's kind of broken is entirely unrelated >_>

3 Likes

Do you watch MR. ROBOT?
During last week's episode the FBI were seizing someone's server and when they unplugged it, the PC caught fire. I am not suggesting that level of paranoia but the FBI agent that knew what's up asked "Have you checked if any of the ports have been modified?" right before it blew up.

Maybe in addition to the micro-switches and mercury switches, you can add something to detect if your NAS is unplugged or if anything un-secure is plugged into USB or Ethernet. I don't know how, but you probably already thought of that.

Maybe a battery backup UPS inside the case where when it is unplugged, the USB to the UPS triggers an encrypted shut down?

2 Likes

You know about the Nuke passphrase? Introduced in Kali Linux v1.0.6. Might be nice to implement it too. Before the full reset it first flushes its keys. So even if they find a way to stop the process they still will have a hard time because the encryption keys are gone already.

Also I really like the idea...
Stealing from work! I think I'm going to implement that too in my life.

2 Likes

Spoilers!

Just kidding, no I haven't seen it yet, been meaning to get around to it. There was a video from one of the hacker conventions where they tried to build a server with built-in thermite or high explosives. But I don't think it worked as well as you'd expect.

But that's probably taking things a little too far anyway.

If you haven't seen the previous project then check it out, but in that I set it up so that if it's removed from the network it will lock the disks and the keys (on the remote key server) are encrypted. I like the idea about detecting unauthorised USB devices though, I might have to implement that.

I'll have to have a look at that. When you say flush the keys do you mean it flushes them from memory or it scrambles them making the disks unrecoverable?

Wipe the key, making it unable to use your passphrase to decrypt the disk.
https://www.kali.org/tutorials/nuke-kali-linux-luks/
Entire tutorial with another paranoid idea.

1 Like

Cool, I'll have a read later. In my configuration I don't use a passphrase, it uses a bunch of 4kb random key files which are stored on a VPS. When the disks lock the key files are encrypted so if an attacker only has access to the NAS they're not going to recover the key files. But I see your point, having a way of removing the keys from LUKS so the disks can't be opened would be cool. But something I'd probably want to do manually and not leave it up to some script which may trigger accidentally.

The nuke passphrase gets triggered the same way you would unlock it, but with a different key. It's just the same script as decrypt, but instead of that it just removes the working master keys that you would use from the VPS. Those would be useless then, unless you repair the header file (if you back that up).

1 Like

Sounds interesting, I'll check it out

Ah I see what you mean now, that is an excellent idea. I'm going to see if I can integrate that into my scripts. Thanks for that. This will be especially useful if it can be done to mounted disks causing them to become unreadable. Not sure if that will work but if it does it would solve one of the problems I have with reliably locking the disks.

I bet with all your 70,000 terabytes of mega-super-ultra-paranoid encrypted data all you're defending is a single .mp4 of Rick Astley haha

5 Likes

I use the Rick Astley video as the keyfile, so if I'm ever forced to give it up (lol) they will think I'm trolling them.

I mean sure they'll break my legs, but it'll be worth it.

5 Likes

The mercury switches finally arrived today, still waiting on a couple more pieces. I've assembled four of them on a piece of cardboard; a small amount of tilt in any direction should trigger them. Once the glue dries and I wire them up I'll give them a test.

2 Likes

But thermite is so so simple to make...
An electric ignition system should not be too difficult to implement...

But not as easy to contain. From today's view it's safer, and as effective, to destroy the encryption key than to light up your whole home. Also, igniting thermite in your home can be a felony because you start a fire intentionally to cause destruction and potentially death.

1 Like