Welcome to the next talk. I guess you all know the problem that sometimes you need to protect some data. And you have different possibilities. You can have a person with a gun, you can have a vault, or you can have a hardware security module. A hardware security module has the benefit that you don't need a gun, you don't need a vault. But you need to have a computer that is protected in a specific way and that can maybe throw away some keys in case of emergency. The thing is, they are ridiculously expensive and made out of unobtainium. Jasek from the University of Darmstadt is tinkering with hardware security modules and has been working on them for quite some time, starting as a private project. And now he's a PhD and doing it at the uni and is going to talk about it. And somehow, at some point, he's going to release it as open source into the wild. So a warm welcome to Jasek and have fun with the talk.

Thank you. Thank you for the kind introduction. I have to correct you on one thing. I'm not yet a PhD. I'm a PhD student. So I've managed to convince people to actually fund this kind of research, which is kind of awesome. So thanks to the University of Darmstadt and the Emergency Center, where we do research on emergency situations, where we are considering users of this for rebuilding infrastructure in a crisis. Yeah, so I hope it's OK for everybody if we do the talk in English. I'm also a native German speaker. If you have questions afterwards, you can definitely ask those in German as well. But the announcement was in English, so we're going to go ahead with English. Yeah, let's get started. About me: my nickname is Jasek. I'm mostly a hardware person, but I also do a bunch of firmware and software work. This is a project that started as a hobby project for me a couple of years back and that has now kind of grown into my job. So what is a hardware security module? Some of you might already know the term.
But a hardware security module is basically a computer that has a tamper protection mechanism built in. The idea is that the computer is constantly monitoring this tamper protection mechanism to detect any attempt to physically tamper with the machine. A hardware security module doesn't say anything about the logical programming of the computer, it can still have software bugs. And in fact, in practice, that has actually happened. But hardware security module only describes the physical layer. And this tamper protection mechanism is made in such a way that when it detects a tamper, the logical content of the computer is destroyed. That can mean deletion of the entire memory contents in some devices. That can also mean that the crypto keys for memory encryption are erased. Hardware security modules are in contrast to something like a trusted platform module or a smart card in that they are powered at all times. So something like a TPM or a smart card is like a special microchip that is built in a way that it's very hard to read out the protected data stored inside it permanently. But they are made in a way that they provide this protection while unpowered. And they provide this protection while basically being too tiny to easily manipulate under a microscope. Hardware security modules are much larger but are always powered and actively use electricity from a battery in order to do this tamper sensing. So for example, you could imagine a hardware security module being a camera in a box that is clad with mirrors on the inside. That would also be a hardware security module if you provide image recognition algorithms to it. Most hardware security modules that you see in practice use tamper sensing membranes. A tamper sensing membrane is basically a maze-like circuit board trace, usually multiple of those, on some sort of plastic foil.
The way they're usually manufactured is kind of similar to how these, I don't know if you've ever taken apart one of these shitty freebie keyboards that you get when you buy a new computer. They have this plastic foil inside that's coated with a silver paint. And tamper sensing membranes in commercial hardware security modules work like that because the idea is that when you try to rip it apart, you tear the conductive traces of this plastic foil. And then that will be detected by the circuit inside. And the tamper event is then detected. The alarm is raised and the data is deleted. Most hardware security modules also, in contrast to something like a TPM, contain multiple tamper sensors. So they almost always have something like a tamper sensing membrane. But they also usually have temperature sensors, or light sensors, or even radiation sensors in some cases to kind of try to detect when you try to fool with it by physical means, like cooling it down in order to do a cold boot attack, for example.

The history of these things is kind of, well, interesting in that the first reference I could find to actual hardware security modules that is outside of imaginative fiction is from the 1940s. During the Second World War, apparently some people at the NSA had the idea of building active tamper protection into devices. It didn't take hold at that time, though. I'm mostly referencing this from a lecture series by some NSA dude, which is absolutely amazing, which has a bunch of neat anecdotes about crypto technology in the NSA. And according to him, basically back then, until the 70s or something, the state of the art in hardware security was still that you literally took a computer, like a crypto machine, so like a purpose-built electric device, and put it in a safe. This is what that looked like.
And so in the 1980s and 1990s, you start to see what we nowadays call a hardware security module, like a tamper membrane kind of wrapped around a thing, everything potted in some sort of epoxide resin. You start to see those in the 80s and 90s, and in ATMs first. In ATMs, the pinpads are oftentimes built like that, but also they oftentimes have another one somewhere further down in the machine to protect symmetric cryptographic keys. Then in the late 90s and 2000s, you start seeing this technology in more consumer applications, in point of sale terminals specifically. These things have gotten rolled out. Today, if you ever pay at a supermarket cash register with a credit card or EC card in Germany, these devices that say like TALIS or Gerniko or something on them, they contain hardware security modules. So they always contain a small battery, and if that battery is taken out, the thing basically is bricked forever. But until the late 2000s, they were really limited to that. They were also used in some specialty data center applications. The main use case I'm aware of there is to encrypt credit card numbers, because obviously, in the age of modern cryptography, that's the thing you have to do in payment processing applications. So we have this rack mount 1HU thing with this magic hardware security module inside that you send your plain text credit card numbers to. It encrypts it, and then you write the encrypted ciphertext back into your database for security reasons.

And basically what I'm trying to do is I'm trying to get this technology to the next stage of evolution. I want to see hardware security module tech in normal people's hands, in your local hackerspace. Now, why would you want this? Why would you want a hardware security module in the first place?
Basically, the way I see them, a hardware security module allows you to do stuff that you would usually want to do with cryptography, with techniques like private set intersection, multi-party computation, homomorphic encryption. A hardware security module allows you to do a bunch of this stuff that you would do with these cryptographic techniques like 20 years before the cryptographers have figured out how to actually do it securely. So basically, a hardware security module, unless it's used for pure key management, is a stopgap measure that you can use while the actual cryptographic techniques are still being figured out by people who know about that stuff. Traditional hardware security modules offer key management APIs. So they usually don't do too much. They can do sharing of a key between multiple of them. They can do encryption, signing of stuff. And the basic idea is you have the thing generate a key, similar to a smart card, that never leaves the device. But my observation is if you build it yourself, you don't need that API. You can just run your entire application on that thing. The manufacturers of these hardware security modules right now don't do that because their hardware security modules are kind of too slow for that. And also, I think, because they kind of like having proprietary APIs around them. But in the future, I don't see why you wouldn't run like your entire IRC server inside one of these things, or your entire mail server, or your entire Matrix instance. You can just tunnel via SSL right into the thing from your laptop. And then as long as this hardware security module holds up and as long as the software doesn't have software flaws, you can be pretty sure that nobody was able to tamper with the data on the device or read the data on the device. Now, why don't you just go out and buy one of them? Well, basically, here's a slide of disadvantages of traditional technology.
The state of the art in this field, in my opinion, this is not my employer's opinion or anything, just my personal opinion, this field is like a prime example of what happens when, yeah, basically a bunch of companies get very happy with the way they're receiving lots of money for basically doing no innovation at all. Like the state of the art in this stuff hasn't really changed in the last 20 years or something. First problem with the current ones is like they're way too slow. Like literally, today you go out and buy one of them and you get something like a smartphone processor from 10 years ago in a box. So you can do key management with them and they can do like 20,000 elliptic curve Diffie-Hellman key exchanges per second or whatever, but they can't run like, I don't know, a Postgres database. Second problem is if you go out and buy one, you don't get root on that thing. You get like some obscure vendor API and if you're lucky you get a hopefully watertight implementation of some PKCS APIs, but you don't get like a Linux shell, right? Which just means that it raises the barrier of entry. You have to like custom tailor your software for these things. Another disadvantage is they're like super proprietary. Like if you actually want to go through all that effort in order to like custom tailor your software for them, you have to get a proprietary SDK in order to do that. You have to sign an NDA and also probably they wouldn't even talk to you. Like who are you, right? Like how much revenue do you process per year on your hardware security module in order for them to care about you? Like their customers are really operators of like large payment infrastructure. Yeah, and the final and in my opinion the biggest disadvantage of them is they're like super expensive. Like new, as far as I know, one of them costs like something north of 20,000 euros.
Like if you think about them that you actually put inside a server, and also as a normal customer, like as a normal person, you can't even buy them. Like probably because this market is not a market aimed towards normal people. And if you go on eBay, you don't exactly find them very often decommissioned. Like you sometimes find some, but even then they're like hundreds of euros for some device that you don't know if it will ever work again. And it's like there is no real second-hand market for them. Caveat to that, like technically you can go to Amazon and like they have like, and I think Microsoft too, they have like cloud offerings where you can like rent computing time under a hardware security module. But like in my opinion, it's kind of, I don't know, dumb. Because if you trust the cloud provider anyway, like why should you like, I don't know, why do you need a hardware security module then? I don't get it, but yeah, you could try to do that. Probably if you wanna like try to test out API compatibility or something.

Yeah, but like in light of these disadvantages, well, if you can't buy it, why not make your own? So I think the main difficulty in building a hardware security module, like if you go to your hackerspace and say, okay, I wanna build a hardware security module, I have this Raspberry Pi, I wanna make it super secure. I think the most difficult part about this technology is the security barrier. Like the entire rest of it, like the management software and all of it, I think that's all kind of solvable fairly easily on a hobbyist budget, but the security barrier is really where it's at. Basically to prevent attacks where you bridge out or probe traces of the security barrier, you need like very fine features. So like these tamper detection foils, these tamper detection membranes that are used in commercial devices, they use like really fine feature sizes.
So if you try to, I don't know, print a tamper detection membrane on like, I don't know, an inkjet printer, like print a photo positive on an inkjet printer and like etch it or something, you would have a really hard time getting down to sizes where somebody with a steady hand and a microscope actually can't bridge a trace anymore. Also in order to prevent the thing from being disassembled, like commercial devices are usually potted in epoxide resin, but also they're like made out of these special plastic foils that have like metal traces on them that like delaminate. They like tear off if you try to like actually crack apart the epoxide resin. In order to make something like that yourself, you basically need to like engineer like some circuit board technology, like basically one that is fragile, right? And that's a problem because like if you go out and like look up how do I make a circuit board myself, or you go out and like buy circuit boards from China or from some local manufacturer, they're engineered to be robust, right? So like they're like at the exact opposite end of the spectrum of what you need for a tamper detection membrane in a hardware security module. So basically this means like this tamper detection membrane is like the number one challenge you have if you want to build one yourself, because you would have to develop something like a printed circuit board manufacturing process from scratch yourself, which I think is a lot of work and also probably requires a bunch of chemicals and equipment that aren't really like advisable to like a hobbyist hacker at a hackerspace maybe, like simply because of like health and safety concerns.

So what I want to introduce is the inertial hardware security module. It's kind of a way of not solving these issues but sidestepping them. So the core observation that this is based on is that, well, you can't tamper with what you can't touch.
The idea is that we create a secure tamper protection barrier from cheap PCBs that we order from like any of the PCB manufacturers. The issue with these cheap PCBs is that they're gonna be a super shitty tamper protection barrier because you can just like scratch up the solder mask, you can like solder a wire to it, you can bridge it and then you can drill right through it or like completely like break it apart and nobody, like the thing isn't gonna notice because it's bridged out. So in order to prevent somebody from doing that, we just spin it, right? So we envelope our payload, Raspberry Pi, whatever we wanna protect, inside a cage of these printed circuit boards with these tamper detection squiggly mesh traces on them and then we spin that really fast. And by spinning it really fast, it basically means, well, if you wanna tamper with it, you either have to spin yourself, which is unhealthy if we make it spin fast enough, think washing machine speeds, or you have to stop it. In order to detect that, we simply put an accelerometer on it. So like a small chip that detects the centrifugal acceleration, and as soon as that detects that the centrifugal acceleration is gone, it raises the alarm. So basically by doing that we have like a thing that if you stop it spinning, the alarm is raised, and if you try to tamper with it while it's spinning, like you basically are gonna raise the alarm anyway because you're gonna just break it. So yeah, what do you need to actually build that? Well, first issue is you have to, well, mechanical design and all of that is like kind of, you just use like a CAD package of your choice, you use KiCad or whatever for the PCBs, that's all solved kind of. One issue I had to solve is like to create these tamper protection membrane traces. So this is a picture of like the actual finished prototype that shows these traces on the PCB.
But you wouldn't wanna like do that by hand in KiCad, it would just suck, would be very bad, like a very poor way to waste a weekend. So I built a plugin for KiCad that you can basically use to generate these traces automatically. It works by taking the shape of your board, shown in like this dark, well, this bright yellow color here on the projector. It overlays it with like a grid. I just used like a rectangular grid but you could probably adapt it to use like some other tilings of a 2D plane. And then it figures out which grid cells are actually contained inside the surrounding shape. And then it does like a depth first walk of the, like a random walk of the entire remaining part of the grid. After doing that walk, you basically get a tree-like kind of structure that is spanning the entire grid, like cell by cell. And what it then does is like basically like it's unrolling a roll of tape. It walks around the edges of that tree, which you can see in the fifth picture, and the sixth one is like what you get in the end. Yeah, and if you repeat that for like an entire board you get something that looks like this when you're done with it. So in this case, this is by the way two traces that are like interleaved in that way. So this is like two electrically independent traces that are looped around the PCB in basically the worst way possible. So they cover as much area as possible. So anywhere you like cut or drill into that, you're gonna interrupt one of these traces. The key of this process is you don't have to do like too much computer geometry to get it working because in the end there's only like 15 possible tiles that you get at the end of the process. Like you look at which sides of my grid tile in my tree are connected to an adjacent tile. And then you look at like basically a look-up table with these shapes that tells you how you need to like connect up the two traces in order to like match that connection pattern of the tiles.
And by puzzling together these shapes for an entire PCB you then get the like two continuous lines. Yeah, you can generate these like, this is an illustration of what happens if you take like an irregular shape and you do like different levels of randomization when you generate that like tree structure of these mesh of these tiles. On the left you see like what happens if you just always choose like the left option. Like you always go to the left unless you end up in a dead end and then you like walk back until you find a free tile again. And then like towards the right I like increase the amount of randomness. It's just, it's not super technically useful but it looks pretty.

Yeah, so this is the result of like the number one prototype. This is the disassembled form of just the printed circuit boards. The main cage is built out of printed circuit boards in that case. Can you see my mouse pointer? If I do that. No, it seems you can't. Okay. Oh yeah, no you can't really. Okay, I'm going to point at it with my like thing I learned. So this is the interior part. This is what you mount a Raspberry Pi to that is going to be protected. And this part sits in the middle of this thing. This is the exterior part. This part on the bottom PCB and on the top PCB and on these vertical ones contains these squiggly security mesh traces that are continuously monitored for like that they're still connected. And the second PCB here contains a microcontroller and the accelerometer, and the microcontroller basically continuously reads out the accelerometer and also monitors the continuity of these mesh traces. Power supply in this case, like in this prototype, is done by literally just a solar panel glued to it from the bottom and then like there's a light bulb next to it that illuminates the solar panel and that gives enough, like even though the thing is spinning very fast, it gives it enough power to like run the microcontroller.
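The trace generator described above, as an added Python example written for this page rather than taken from the speaker's KiCad plugin: a random depth-first walk over the grid cells inside a constructed board outline, a lookup table keyed by each cell's connection pattern, and the two interleaved closed traces assembled from it. The tile shapes are derived here by dilating the tree's centreline on a small raster and the result is checked for being two single closed loops; that rendering is my own choice, as are the board shape and the seed.

```python
"""Security-mesh generator: random spanning tree over the board's grid cells,
per-cell tile lookup, two interleaved closed traces (added example)."""
import random

N, E, S, W = 1, 2, 4, 8                          # tile side bits
STEP = {N: (0, -1), E: (1, 0), S: (0, 1), W: (-1, 0)}
OPPOSITE = {N: S, E: W, S: N, W: E}
T = 7                                            # tile edge length in raster pixels
C = T // 2                                       # tile centre pixel (3, 3)


def spanning_tree(inside, seed=0, randomness=1.0):
    """Depth-first walk over the grid cells in `inside` (a set of (x, y)).

    randomness=0 always takes the first free side in N/E/S/W order (the
    'always go left' variant from the slide); 1.0 picks a free side at random.
    Returns {cell: pattern}, pattern being the OR of the sides joined by a tree edge.
    """
    rng = random.Random(seed)
    start = min(inside)
    pattern = {start: 0}
    stack = [start]
    while stack:
        x, y = stack[-1]
        free = [(side, (x + dx, y + dy)) for side, (dx, dy) in STEP.items()
                if (x + dx, y + dy) in inside and (x + dx, y + dy) not in pattern]
        if not free:
            stack.pop()                          # dead end: walk back
            continue
        side, nxt = rng.choice(free) if rng.random() < randomness else free[0]
        pattern[(x, y)] |= side
        pattern[nxt] = OPPOSITE[side]
        stack.append(nxt)
    if set(pattern) != inside:
        raise ValueError("board outline must be one connected region of cells")
    return pattern


def arm_pixels(pattern):
    """Tree centreline inside one tile: the centre plus an arm to each joined side."""
    arms = {(C, C)}
    for side, (dx, dy) in STEP.items():
        if pattern & side:
            arms |= {(C + dx * k, C + dy * k) for k in range(1, C + 1)}
    return arms


def ring(arms, r):
    """Tile pixels at Chebyshev distance exactly r from the centreline."""
    def dist(x, y):
        return min(max(abs(x - ax), abs(y - ay)) for ax, ay in arms)
    return {(x, y) for x in range(T) for y in range(T) if dist(x, y) == r}


# Lookup table: the 15 connected side patterns (plus 0 for a one-cell board),
# each mapped to the pixels of trace A (inner ring) and trace B (outer ring).
# Arms reach the tile edge only on joined sides, so the rings of adjacent
# tiles meet exactly there and nowhere else.
TILES = {p: (ring(arm_pixels(p), 1), ring(arm_pixels(p), 2)) for p in range(16)}


def generate_mesh(inside, seed=0, randomness=1.0):
    """Return (trace_a, trace_b): two disjoint sets of global raster pixels."""
    trace_a, trace_b = set(), set()
    for (cx, cy), p in spanning_tree(inside, seed, randomness).items():
        for trace, pixels in zip((trace_a, trace_b), TILES[p]):
            trace |= {(cx * T + x, cy * T + y) for x, y in pixels}
    return trace_a, trace_b


def is_closed_loop(pixels):
    """True if the pixels form exactly one simple, 4-connected closed loop."""
    steps = ((1, 0), (-1, 0), (0, 1), (0, -1))
    if not pixels or any(
            sum((x + dx, y + dy) in pixels for dx, dy in steps) != 2 for x, y in pixels):
        return False
    seen, todo = set(), [next(iter(pixels))]
    while todo:
        x, y = todo.pop()
        if (x, y) not in seen:
            seen.add((x, y))
            todo += [(x + dx, y + dy) for dx, dy in steps if (x + dx, y + dy) in pixels]
    return seen == pixels                        # one loop covers everything


def render(inside, seed=0, randomness=1.0):
    """ASCII picture of the board: 'A' and 'B' are the two traces, '.' bare board."""
    a, b = generate_mesh(inside, seed, randomness)
    w = (max(x for x, _ in inside) + 1) * T
    h = (max(y for _, y in inside) + 1) * T
    return "\n".join("".join("A" if (x, y) in a else "B" if (x, y) in b else "."
                             for x in range(w)) for y in range(h))


if __name__ == "__main__":
    # constructed irregular outline: a 5x3 block of cells with a notch cut out
    board = {(x, y) for x in range(5) for y in range(3)} - {(4, 0), (4, 1)}
    print(render(board, seed=3))
```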
Data communication in this prototype is done with a bunch of photo diodes. They're not actually part of the circuit here because that's what these prototyping areas are for. It's a prototype, I just like clutched them together but it's like, it's not magic. Like you just use like two photo, like a photo diode and an IR LED to get like bi-directional data communication, and if it's rotating or not doesn't matter. Like it's just an optocoupler. Yeah, the fully assembled one looks like this. Note that here the vertical PCBs that you saw before, the thin ones, these ones are missing so I don't chop up my fingers trying to like work on it. But here you have like the bottom part in the previous picture here. This is the top part and in the middle you have like a Raspberry Pi, motor controller and a bunch of other stuff, like power supply basically. And yeah, this actually like was working on my desk. So like the outer part rotates, the Raspberry Pi stays stationary. Motor is like sitting on the bottom here. It's like a small gimbal motor meant for drones. You can buy them on AliExpress for like really not a lot of money. Gimbal motors have like a hollow shaft so you can like stick like an axis through it that is stationary even though the motor is spinning, which is kind of neat. You don't really need that. I could use like two ball bearings instead but like this way is easiest and I like shopping on AliExpress so that's the way I went. Yeah, the axis in the middle is like just brass rod I bought at a hardware store. That axis is where the power and data goes through from the outside. So right now there's like one of these super thin Cat 6 cables running through that on one end and on the other end there's like just a thick wire going through it for like 12 volts or whatever for the power supply. Yeah, and that's basically a, like loosely speaking, functional system.
It shakes a lot due to the construction because it's like not really weighted properly, but this is what a DIY HSM, a basic one, looks like. Yeah, so here you have all the parts you need. You have like the tamper protection barrier in the form of like the security mesh made out of printed circuit board materials, which you can either literally etch yourself if your hackerspace has a proper like chemical setup, or if it doesn't, you can also just order them online at a supplier of your choice, that totally works. It has space enough for like in this case one or two Raspberry Pis in the middle. I'm currently planning on like doing one where you can fit a laptop mainboard inside, but like it's basically enough space to get a useful amount of computation. You don't really have to worry about cooling because since the entire thing is spinning anyway you just put a fan next to it, kind of like that. Like, not kidding, that's an actual technological advantage compared to like basically all previous technologies, where you always needed this tamper protection envelope to be like continuous, right? Well, with this technology it can have gaps. If you angle the tamper protection mesh correctly you can even make it a fan. Like yeah, so I imagine if you scale this up, like it should be possible to scale that up until like basically it spins as fast as a washing machine, so imagine like you could scale that up to the size of probably like an ATX mainboard and in that case you could put like an entire server inside and basically you blow existing hardware security modules out of the water in terms of computing power by a factor of like a hundred or something. Yeah, to do, yeah anyway. But the communication between like the Raspberry Pi and the tamper protection circuit in this prototype works via a simple UART so there's no magic there.
The main question that is yet to be solved from like an actually hard problem standpoint in this one is we still need like a way to reliably, quickly erase the memory contents of the payload device, or at least the ones that we want erased, in case of a tamper alarm. So this sounds easy but it's like not actually easy. Like in the case of traditional hardware security modules they usually don't have much memory. They have like a couple of kilobytes of SRAM and they just remove the power to it and that's how they're deleted. We can't do that here because our Raspberry Pi has like gigabytes of DRAM and also Raspberry Pis don't have like memory encryption. So basically what we need to do in order to make this useful is we have to have a program running on the Raspberry Pi at high privileges that will continuously monitor like the communication with the rotor part of it, with the tamper protection system. And as soon as that communication drops off, or as soon as it notices power going unstable, or as soon as an alarm is raised by the tamper protection thing, it has to actively delete memory, right? I haven't actually benchmarked like how much memory you can delete on a Raspberry Pi before like the capacitors on it run out, but I think most likely you will have like, in this thing you will most likely have to like do some prioritization. You're gonna be able to erase like a bunch of kilobytes of cryptographic keys easily, but if you wanna erase like the entire DRAM contents you're probably not gonna have enough time to do that before a determined attacker would be able to like take apart the device and like attach some JTAG probe to it or whatever.

Yeah, future work for me is I wanna make these things open source and accessible to anyone with a basic mechanical and electronics workshop. The reason for open source is like I see this technology as something for like, well, us as regular hackers, right? Large companies don't need that.
Large companies just pay somebody an obscene amount to provide them with like a secure data center. If they're like illicit, they pay somebody to run a secure data center somewhere in a bunker at the Moselle River. Like large companies or like criminal organizations don't need this technology. This technology, basically, we as regular hackers need because we can't afford a proper solution. We need like this solution because, well, it's the one that's affordable to us because we can build it ourselves. Yeah, workshop-wise my goal for this is that you basically need a bunch of like screwdrivers as well, but not like anything super fancy, like especially you don't need to actually make PCBs yourself. Like you don't lose security if you just contract that out to somebody else. I think order of magnitude-wise, for something like a Raspberry Pi I'm targeting like a couple hundred euros of budget for a system like that. Sounds expensive for a hobbyist system, for a hobbyist budget, but consider this thing is spinning at a thousand RPM, you want it to be kind of solid because that gets scary fast. Yeah.

Before we do a Q&A, one question to the audience: if anybody here works at or knows anybody at Framework, like the laptop company, let's talk. I kind of want one of their mainboards for a next prototype. Here as inspiration is a design for like a server sized hardware security module. Same basic principle, spinning printed circuit boards with the security mesh. The big thing in the top is like an enclosure for the infrared communication link and then like just a regular micro ATX server mainboard in the middle. So this is what one of them could look like if you actually build it full scale. I think this is like five HU. Yeah, we might actually build that at some point in the future. Q&A, and while we do Q&A I'm gonna show up the resources here.
I've got a couple of, like, this is the Git repo with the code for this paper, presentation, also for this prototype I built, and it has a bunch of like sources which I can actually recommend because they're fun to read. So feel free to look at it. Yeah.

You know, you still have 15 minutes. No, you have 30 minutes left. Fast talker. So, microphone two.

Hey, two things. First regarding clearing the RAM. Do you really need to clear all of it? I don't think so. You are in control of what's on the Raspberry Pi, so you can decide where to put sensitive stuff and only clear that, right? You don't really need to clear everything.

That is correct. So I think like recently in the Linux kernel there landed a change where I can actually tell the kernel that certain memory regions contain like cryptographic keys and are sensitive. It's not meant for like that these are prioritized for like anything like RAM clearing, but I think it means that it won't swap them out to disk. But you could definitely, like if you integrate this RAM clearing routine into the kernel, which you probably should anyway. Yeah, exactly. Yeah, for like, so it doesn't get interrupted by anything else. If you do that, like you could definitely abuse the same sort of API to just have like special memory mappings for like this sensitive data. Another method to do it on server systems would be if these server systems actually have functional memory encryption, well, you just need to clear those keys and then you're also done. And I think that's actually the way forward because you won't be able to clear gigabytes of memory quickly enough and cold boot attacks are a thing. So I think really what we need is like functional memory encryption on server platforms, which unfortunately, as far as I know, isn't yet common.

The second small thing is what happens when the motor breaks?

Well, then ideally the time, well, it depends.
One of two things: like if you have a smart motor controller, this prototype doesn't, then the tamper protection mechanism would probably get a message from the motor controller, hey, something's off, and would raise the alarm. And in this prototype it would just notice that it's slowing down and raise the alarm. But this is what you want in that case, right? We can, like you can definitely add like monitoring on the like payload side, like give out like some useful error messages in that case. But the idea of a hardware security module, it doesn't replace a backup, right? So if it breaks, this is a fail-secure system. So if it breaks, it's gonna delete the data so it doesn't sit around unprotected.

Some more questions.

Okay, so you have intentionally fragile parts which are under a lot of stress with the moving PCBs. Have you looked into how long they actually manage to hold together, or if they break some intentionally?

Okay, so this one didn't break yet, but I only ran it for like a couple of hours because it's really scary. It makes a lot of like weird noises and it like shakes like a washing machine that's like not properly balanced. In my opinion, I'm not a mechanical engineer, but in my opinion the part that is most likely to break in this one is the bearings. Because for the far end from the motor, like this device uses two bearings. One on the far end looking from the motor, which for that I'm not worried. You basically go to a specialty bearing online shop, which I found out is a thing, and you buy the nicest one you can get in a certain dimension. So this is unlikely to break. The problem is in the motor. The motor comes with a bearing already built in, one or two bearings actually. And well, AliExpress is nice for buying like cheap model airplane parts, but like I would not trust that bearing for long time operation because that is not what it was meant to do.
So I can imagine that is going to be a problem, but really what you want to do is get a custom motor built that has really high-quality bearings that are going to last a long time. But I'm pretty sure that even if you don't get a custom motor, this one is probably still going to last a couple of years before wearing out. You can also monitor for that: if the bearing wears out, the vibration increases, and since you have an accelerometer on there anyway, you can actually see that in the measurements. On this one you can actually see both the earth's acceleration and the shaking of the entire mechanism in the accelerometer measurements.

Have you thought about attacks on the electromagnetic spectrum? I think if you need an HSM you have a different threat model than normal people, and so it's maybe possible.

Yeah, so this one is probably not what you would consider a finished design. In a finished design I would definitely put some sort of shielding enclosure around the Raspberry Pi. You also definitely want to filter the power inside the security envelope and not just rely on an external power supply. In this design, this large yellow box on the back is a small form factor power supply, because in this design I would say it makes sense to put the power supply inside the security envelope in order to avoid side channel attacks. As far as electromagnetic radiation is concerned, I think it's going to be enough to put a shielding enclosure around the protected circuitry, literally just an aluminum can, and to just not position it too close to the boundary. Because these things are much larger than traditional hardware security modules, you make it really hard for somebody to stick an EM probe close enough to the SoC or whatever to actually measure anything useful, simply by having it really big.
Yeah, but definitely, if you want to integrate one of those, it would probably be interesting to actually check out whether it's still possible to do something at a distance. But I'm pretty sure it can be prevented reasonably well.

More questions.

Yes. I have heard that EOD crews use high-speed water guns to blow up the parts of the circuit that are responsible for igniting the explosive. As the Raspberry Pi isn't moving, aiming would be easy, and then you can cold boot it.

Yeah, sure. You don't even need water or anything, you can literally just fire a bullet from a regular gun at the part of the circuitry that is responsible for the mesh communication. Yeah, that is why you would need to think about how to prevent cold boot attacks on that platform. I think the most reasonable long-term solution is: don't use a Raspberry Pi. Use either an ARM platform that has main memory encryption or a server platform that offers that, because in these cases, if it's implemented properly, it's really hard to boot the CPU in a way that doesn't erase the memory keys. Another thing you can do is mechanically engineer the payload in a way that if it breaks, it's going to break the CPU first, for example by putting it into a really thick steel enclosure. So that either it doesn't break so badly that it can't still erase its keys, or if it does break so badly, you've fired so much energy into it that most likely the entire circuit board is in bits and pieces anyway after your attack. So yeah, there's going to be some engineering needed there for a full-scale server implementation.

More questions.

Do you have a video of the thing in action?

On my phone, yes, but not on my computer, I'm sorry. Come to me afterwards, I can show it to you.
One thing I want to say is that you could protect that part you could shoot with another maze as well. And the second question I forgot right now.

Perfect. Just ask again, no problem. Yeah, but basically the issue is, we wrote an actual academic paper on this stuff, and there we called these "fast and violent attacks", right? And the issue with fast and violent attacks is you have to make sure that an attack is always going to fall onto either of two sides: either it's not going to destroy the thing enough that it can't erase itself anymore, or it's going to destroy the thing entirely, right? And yeah, it's going to be hard to do that in practice. You'll remember it.

What about other forces that might come into play, like if you want to transport it, or if there's an earthquake in the worst case?

You sound like one of the reviewers from our paper. Sorry. No, actually we got that exact earthquake question a couple of times, and this is a smart question. So the thing to consider is: if you consider the speed that a hardware security module has to spin with to be hard to attack, this protection criterion is hardest closest to the shaft, because there the linear velocity, the tangential velocity of the circuit board traces, is slowest. So I think you reasonably need something like at least 500 to 2,000 rotations per minute for this to make sense. At 500 to 2,000 revolutions per minute at a 10 centimeter radius, you have 100 G's of centrifugal acceleration, and even the strongest earthquakes or a car crash don't go much above 10 or 15 G's. Earthquakes are like one or two G's, and car crashes are like 30 G's, but that's already hitting a wall at 50 kilometers an hour. So luckily we're good there. And if we were not, we could just move the sensor further out or just make the thing faster and more dangerous.

More questions.

You mentioned memory clearing of DRAM, to go back to that a little. So DRAM has to be actively refreshed.
Have you considered telling the memory controller to not refresh the memory?

Yeah, but the problem is, if you don't refresh it, it takes a fairly long time, even in human terms, like seconds, until the data has actually decayed enough. So there are things you can do. For example, there are cryptographic techniques that allow you to blow up a key. If you use, for example, AES-128 for data encryption, you need a 128-bit key. The probability that all 128 bits are still intact might be high, but what you can do is generate these 128 bits only when you need them, out of something like 10 megabytes of source material. Then if any of the bits in these 10 megabytes fail, the key can't be regenerated that way. So there's a bunch of stuff you can do on the software side, but most likely you will still need some active intervention if you want to quickly get rid of the data.

I just heard that when you attack the Raspberry Pi, you could just have it stop spinning. But couldn't you have a mechanism that detects missing communication between those two and makes it spin faster, so it starts destroying itself? 1,000 RPM is already fast.

The problem is the Raspberry Pi is in the middle, and if it spins faster the shards are going to fly outwards. And what if... yeah, okay. In the same spirit, I have read references to military systems which apparently actually contain explosives for that purpose. But while my employers are willing to pay for a bunch of stuff, I don't think I will be able to convince them to pay for an explosives license, though it would be extremely fun.

Yeah, more questions. It sounds a bit like a thing. I see one question over there, they've been raising their hand for a long time. Richard.

Talking about the erasing system: if you cool it down really quickly, could this prevent deleting the memory fast enough?
So it depends. If you use actual memory encryption, the part that needs to be deleted is SRAM, and while there is also a temperature dependence there, SRAM is not subject to the same kind of cold boot attack that DRAM is. So in that case it wouldn't work. The other thing is, if you enclose the payload computer, Raspberry Pi, mainboard, whatever, in at least, I don't know, five millimeters of steel plate and a bunch of epoxy resin, you are not going to be able to cool it down quickly enough that it won't trigger its internal temperature sensors in time.

Thank you. You're welcome.

More questions coming. Yes. You mentioned you had an optocoupler which communicates between the spinning and non-spinning part. Which kind of data is flowing through there?

So currently, in our prototype framework, between the spinning and non-spinning part we talk a fairly simple serial protocol. We just use the UART that is built into both the microcontroller and the Raspberry Pi. We packetize first, we have some checksums there, we do the Noise protocol on top of that for two-way cryptographic authentication, and then we transmit: the Raspberry Pi side sends a nonce, and the microcontroller side basically echoes that and sends along the measurements of the accelerometer. So that way, if the Raspberry Pi side detects that it hasn't received a reply with a valid checksum and nonce within a certain time, a couple of milliseconds basically, then it will trigger the alarm on its end simply for a timeout.

Okay, so it's not quite a possible attack vector to have a stronger light signal to override the communication.

It's a good idea. That's exactly why you have to use an authenticated protocol and a two-way interface.
It's not enough to just send a one-way "I'm okay" signal from the rotor to the stator part, from the rotor to the Raspberry Pi. Even with cryptographic authentication, an attacker could listen in on that and replay it, right? And even if you prevent replaying, an attacker could listen in on that and simultaneously replay it one percent slower than real time, and it would never be able to notice, because there is just some inaccuracy in clocks anyway. So you basically have to constantly ping the rotor from the Raspberry Pi and give it some kind of challenge for it to prove that it's still alive and doing its thing properly.

Okay, thank you. You're welcome.

Will it be silent enough to put in my bedroom?

Absolutely... well, I won't say "absolutely not". I think purely from the fundamental technology, sure, because fundamentally this is nothing but a very fancy computer case fan. So you could probably build one that is silent enough. Personally, I think it would be really hard to do that, because at a thousand RPM even a super tiny imbalance in the construction, like you use too much solder here and too little solder there, is going to mean it's going to shake. So I think this is something you would put in a hacker space in the corner of the room, and nobody would take too much notice in a room where there are refrigerators and 3D printers and other technology running all the time anyway. But I wouldn't want to sleep next to it.

From my experience with flying RC model helicopters, you need to balance it damn well.

Yeah.

Have you considered actually using a washing machine?

Yes, yes. The main issue with washing machines is that the motor is a hundred times bigger than you need it to be, which makes it just much more hassle to work with.
The other issue is, I think using these gimbal motors with a hollow shaft makes it really easy to construct. The one thing I have also actually considered using instead is to just buy a regular industrial fan, like a case fan for an industrial machine, and use that as a motor: just cut off the blades and stick it on some 3D printed part, because they actually have the right rotation speed and also the right power rating for this to make sense. I think a Raspberry Pi or laptop-sized one would need maybe 10 watts for the fan motor on average, and I think a server-sized one might need 20 watts for the motor. But you don't really need the 500 watts or whatever a washing machine might have.

Yeah, yes. Have you looked at how small you can build this thing? Maybe the size of an HDD or something, then you could build it into a notebook or something.

That's a great idea. I have thought about whether you could build a really small one. I think the best approach there would be to use a computer fan, because they have fairly miniaturized motors already. I haven't actually planned anything in that direction yet, because I think the issue then is going to be: what are you going to run inside? Maybe you could put something like a microcontroller in there and use it as a fancy YubiKey. It would technically probably be possible even with a hobbyist budget. It's less exciting, it's not going to be as loud and dangerous.

You mentioned you have a hollow shaft for the motor. So how do you prevent any attacks through that shaft if it's hollow?

Super good question, I'm surprised it only came up now. So yeah, the main weakness of this design from a conceptual standpoint is the shaft, because the one point where the tangential velocity is zero is right at the shaft. So at the shaft you can actually stick something like a probe or needle into the device.
I think for the short term, simply building it like this and gluing up the shaft with a bunch of epoxy resin and adding maybe some security mesh on the underside of it is definitely going to be enough to prevent even a well-determined attacker from achieving anything. In the long term, I think it would be possible to just have it rotate around more than one axis, right? For example, if it's spinning like this, you can have the axis of rotation precess like a spinning top. That would work. Another thing you could do is have it precess like this. That would also work. Another thing you could do is, on the underside of the shaft where it enters the thing, add a second spinning plate that is simply meant as a backstop for it. So I think there are a bunch of construction methods for how you could make that much, much harder in practice. I would like to actually build that thing before I try any of that out.

You mentioned before that you're going to make this open source, which I really appreciate, because this is dope.

Thanks.

So when you make this whole project open source, will you also open source the PCB design, so I can literally just download that and send it to a company to make those PCBs? Or is it "figure it out yourself"?

So the plan is both. I definitely want to have some detailed guide. I'm not going to build a point-and-click program, but I want to have a detailed guide, so if you have this weird-shaped Linux computer board that you found among your started-and-never-finished projects and you want to make it into a hardware security module, you can, with reasonable effort, make one with the dimensions you need.
But also I definitely want to take this Raspberry Pi design and develop it to the point where you can literally download the PCB files and then send them off for manufacturing. Primarily because this mesh generation process needs my custom plugin for KiCad, and KiCad plugins are kind of bad at the moment, it crashes a lot, not my fault, and I would like to spare you that pain. So I want to have something there to download when this design is in a better state than it's in right now.

Excuse me. All right, any more questions? More questions? All right, well, I don't know when the next talk is, but I can keep answering questions.

So right now you're basically using a cage that spins around.

Yes.

Did you consider actually spinning the Raspberry Pi?

Yes, that was my first idea, but then I thought, hey, that's kind of not very useful, because then you have to somehow transmit data and power, quite a lot of power and data, to the spinning part. It would be easier to construct, but the power and data problem is large enough that I think it's worth going through the effort to have this concentric two-layer design instead.

Well, you could have the inertial measurement unit on the PCB itself, right next to the Raspberry Pi, so you wouldn't have to have the optical communication between those, and maybe even in the future build it inside the SoC. If you think about it, if you put the IMU into the SoC, you couldn't even try to tamper with the IMU because it's inside, and you could bypass the software clearing the RAM by letting the IMU send a signal to the SoC RAM and clear it, so you wouldn't even have to use the software for it. So that could be something: that you spin the whole board, or maybe even have a cage around it and spin the board inside in the other direction.

Yeah, that's a good idea.
That would make it practically... even if you were able to intercept the optical communication between the cage and the actual main board, you would still notice it, because the PCB wouldn't rotate anymore. Yeah, I think that's a good idea. For me it was that I found the engineering challenge of putting Gigabit Ethernet through a rotating joint to be higher than the engineering challenge of having it in these two layers. But you can do both, and a variation of that concept would be, if you move the entire thing anyway, you don't necessarily have to have it rotate. For example, a hardware security module moving really fast in linear acceleration would basically be a computer on an airplane, right? So if you can figure out a way to make that thing... think about it. If you manage to build a solar-powered UAV or whatever that never ever has to land, and you build it in a way that it will notice when it's getting shot down, then you have basically built something like that.

If something goes wrong mechanically, how dangerous would the device be to a person standing next to it?

With or without enclosure? Without enclosure, I would say this is about a four out of ten on a scary scale. I think if you actually build one of these, you can definitely put it in a sufficiently thick steel enclosure that nothing is going to happen. You might find fiberglass shards flying out of the rear end of the thing, but you can definitely shield it adequately. I mean, a washing machine is the same thing, and a washing machine is spinning ten kilograms of clothes as well. So I think it can reasonably be built to be not dangerous at all to somebody standing nearby.

I have a second question. If you're already considering that you just want to blow up the keys and not everything, couldn't you also downsize it to something that is just holding the keys?

Yeah, sure.
You could definitely replace the Raspberry Pi with some purpose-built, well, not even purpose-built, some microcontroller, basically using similar hardware as is used in the YubiKey or one of these cryptocurrency wallets. That would make the key erasure much, much easier, because these microcontrollers have SRAM, so they can erase the entire memory contents in literal microseconds. On the other hand, I think that's much more boring. I think it's much more interesting to put the entire thing in. I like the dumbness of this approach. Instead of thinking about how we separate our application into the keys and the key management API and the application, just run a fucking Roundcube on the thing and be done with it. I just like how brute this is.

Thank you. There's time for a very short question. Otherwise I'm somewhere in the hack center, next to one of the red stars with the keyboard, oh shit, there's probably more than one of those. I'm one of those.

Oh, what's the reaction time between actually stopping the device and starting the deletion?

It depends on the sampling rate of your accelerometer, but in the case of the one I used here, it's an accelerometer made for triggering airbags in cars, so it samples at about a kilosample per second, so less than a millisecond on average.

Thank you. Thank you to the audience for the many interesting questions. Yeah, I guess you mentioned where you're located here. I think right now I'm going to be outside here for a bit and then in the hack center. Thank you.