How To Steal A Nuclear Warhead, Without Voiding Your XBox Warranty

How to Steal a Nuclear WarheadWithout Voiding Your XBox Warranty
An Introduction to
Tamper-Evident Devices,
Applications, Design, & Circumvention
Jamie Schwettmann & Eric Michaud

The Way Things Will Go
What are Tamper-Evident Devices & Why Should I care?
The Proof is in the, uhm, …what Proof?
Types of Devices:
Adhesives, Inks, and Sealants
Wraps, Seals, Physical Barriers
Optics, Electronics, and Alarms
Other Unique Devices
Tag, You’re it! Attacks and Bypasses
Seal the Deal! Risks and Implications of Tamper, from Real-life Scenarios
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011

What are Tamper-Evident Devices and Why Should I Care?

What are Tamper-Evident Devices?
These are not the tags and seals you’re looking for.
Move along.

Definition:
Any tag, seal, alarm or other indicator which can be employed to evidence unauthorized intrusion or alteration to a container, room, building, device housing, or other material is a tamper-evident device.
Materials secured by such devices are often said to be “sealed”

Humans learned tamper-evidencing from Nature
Probably Safe to Eat
Probably
NOT SAFE to Eat
Photos: Jamie Schwettmann

At least 7,000 years ago, intricate stone carvings were pressed into clay to seal jars and later, writing tablets.
Photo: uriel_1998

Why Should I Care?
Everybody’s doing it…
And so are YOU.
Avoid lawsuits and recalls
Shrink & fraud reduction
Quality assurance
Don’t trust the messenger… check for tampering.

The Proof is in the… … uhm, what Proof?Inspection Methods andEvidence

The Proof: Inspection Methods
Casual Inspection (duh, it’s broken)
NO SPECIAL TOOLS REQUIRED!!!
Photo: Jamie Schwettmann

Blink Comparison
Photo: Jamie Schwettmann
One of these things is not like the others…

Traps and Alarms
Designed to automate notification of tampering

Rigorous Scientific Examination
Materials Analysis
Xray, UV, and Microscopy
Circuit Verification
Chemical Testing
Checksums and Hashing

Types of Devices

Adhesives, Inks, & Sealants: Characterization
Adhesives
Bonds to surface
Overt removal damages surface or film barrier
Inks, Marks, & Stamps
Visually broken by tampering
Sealants
Similar to adhesive
No film or other barrier necessary
Photo: Joe Shlabotnik

Adhesives, Inks, & Sealants: Circumvention
Thermal Stressing (best)
Heat: hair dryer or heat gun
Cold: freezer or dry ice
Solvents (may be messy)
Alcohols
Acids
Petrochemicals
Mineral Oil
Water or Steam
Needles & Razor Blades

Wraps, Crimps, Physical Barriers: Characterization
All require material rupture to evidence tampering.
Wraps:
Cover or surround container or device
Sealed with heat, adhesive, or mechanically crimped
Plastic, paper, or foil films
Crimps:
Mechanical or heat-pressed seal
Metal, plastic, paper, foil
Other Physical Barriers:
Wire wraps, zip ties, cup seals, pull-tabs, break-away caps, perforated films, tapes, blisterpacks, band seals, bolt locks, plastic padlocks, dangle-tabs, rivets, etc.

Wraps, Crimps, Physical Barriers: Circumvention
Most require physical manipulation or modification, followed by reinstatement of seal
Many can be shimmed
Thermal Stress still helps
Custom tools may be required

Optics, Electronics, Alarms: Characterization
Unifying feature: Sensors
Optical Devices
Beam-break
Motion detection
Often trigger other events
Electronic Devices
Any kind of switch or sensor may be used
RFIDs!!! SERIOUSLY!?
Alarms
Active alert of breach
Often connected to electronics (not always)

Optics, Electronics, Alarms: Circumvention
Automation makes humans lazy => less examination may occur!
Electronic devices have inherent sampling rates and trigger tolerance – events outside these won’t trigger
Inline signal and alarm bypasses may be available
Devices operating on a network may be susceptible to additional attacks
Many are themselves tamper-evidenced with physical methods

Tag, You’re It!Attacks, Bypasses and Circumventions

Bypass of Wire Wraps
Classic Coke shimming method
Requires:
Razorblade
Coke
Photos: Gabriel Lawrence

Barriers: Bypassing Films and Stickers
Go a little MacGuyver
Fishing Line/Mint Dental Floss
Goo Gone/Acetone/Similar Solvents
Hypodermic Needle
Sewing Needles
A steady and patient hand
Heat Gun
Attack the containers skip the Seals!
Photo: Gabriel Lawrence

Barriers: Attacking Bolt Seals
Two methods:
Dissolve. Shim, or drill retaining ring, then replace
Cut head off, add screw and Loctite

Two methods:
1
Retaining Ring

Two methods:
1
Drill here
Retaining Ring

Two methods:
Cut as high as possible
2

Bypass Bolt Barrier Seals
Polycarbonate Seals are prone to material removal
Insert tool in hole on base with nail or chisel then spin plug till it releases.
For Metal plugs make custom shim
To reseal press plug back in.

Bypass Bolt Barrier Seals
Sometimes it’s easier to attack the container
Drill out the rivets
Take off a hinge
Cut a hole in the side
…and then repair it.
Photo: Thomas Hawk

Circumventing Cup Seals
Similar to removing a water bottle cap…
Shape a stiff piece of metal into a hook, insert/twist/depress tangs and repeat
To reseal, reset tangs, then press cap back into place

Breakaway Tags/Padlocks
Shimming and chiseling work well for these padlocks.
Splitting down side then careful re-gluing works also
Heat Gun to replace physical distress marks

Breakaway Tags/Padlocks
Chisel
Shim
Re-glue
Insert Shims/Chisels at entrance, either reset or glue.
Photo: timlewisnm

Breakaway Plastic Bands
Plastic Bands
Chisel the restricting tips
Heat Gun to reset color of physical stress indicators
Spread Heat over physically distressed areas
Insert chisel here and chop!

Bypassing Metal Band Seals
Many Mechanisms simply beaten with bent pieces of metal

Wax Seals Defeats
Thermal Stressing
Hot air Gun to make pliable
Canned Air to cause shrinkage and removal then reheat to reapply
Photo: Joe Shlablotnik
Photos: Gabriel Lawrence

Defeating Envelopes
Steaming still works!
but if it doesn’t, other solvents probably will!

Seal the Deal! Risks and Implications of Tamper:Real-World Scenarios

Scenario One: The XBox Tamper Seal
Easily removed unscathed with a hairdryer and razor blade.

Scenario Two: Drug Tests Anyone?
Who relies on a clean test to keep their jobs and clearances?

Scenario Three: This Pepsi Stings
Remember the summer of 93?
It’s a long time ago, I know…
Rumors of Syringes in Pepsi cans
Turned out to be a hoax, but severally harmed the image of Pepsi
Your Assembly Process is part of the Tamper-Evident system also!
Even though it was hoaxed by many copy-cats, Pepsi had to release ads and the FDA had to get involved.

Scenario Four: Chicago Tylenol Murders
Potassium Cyanide is my
drug of choice…
What happened?
Deaths from Cyanide-laced
Extra Strength Tylenol, 1982-1986
On some bottles, the seals had not
been broken
Results:
On October 5, 1982, Johnson & Johnson issued a nationwide recall of Tylenol products; an estimated 31 million bottles were in circulation, with a retail value of over$100M.
Johnson & Johnson went from 38% of sales to 8%
It did rebound after a year, …but not without the loss.

Scenario Four: Chicago Tylenol Murders
Unsolved mystery
No killer has been found… the case is still open
J&J claims the bottles were tampered on the shelves
No evidence of post-production bottle-tampering was found
Monsanto, also in Illinois, filed patent 4439453for tableting acetaminophen in Sep 1982, just a week before the Tylenol murders began…
A change to the industry
Federal Anti-Tampering Act (1983)
Capsules replaced by tablets
…industry-wide

Scenario Five: Now where did I leave that fissile material?
The IAEA details transportation requirements and does inspections.
Represents the UN and the Security Council
Lost Source Incidences
Rogue States – DPRK Anyone?
Material Sold to Non-Security Council countries
Photo: ANL VAT

Conclusions…

Conclusion
If possible,
avoid
attacking
the seal
directly.

Conclusion
Image: TshirtHell.com

Additional Resources
Your local arts, crafts, and hardware store!!
Tamper-Evident Devices:
Journal of Physical Security
(Argonne National Laboratory Vulnerability Assessment Team)
Insecurity of Drug Testing:
Journal of Drug Issues
Freight Container Mechanical Seals: ISO/PAS 17712 (2010)

For a Seal-Clubbing Good Time Call
Jamie Schwettmann
Em: jamie@i11industries.com
Tw: brink_0x3f
Eric Michaud
Em: eric@i11industries.com
Tw: EricMichaud

How To Steal A Nuclear Warhead, Without Voiding Your XBox Warranty

by MichaudEric on Jan 21, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

Statistics

How To Steal A Nuclear Warhead, Without Voiding Your XBox Warranty — Presentation Transcript