How To Steal A Nuclear Warhead, Without Voiding Your XBox Warranty

We will present the common elements and basic mechanisms of modern tamper-evident seals, tags, and labels, with emphasis on attack and circumvention. Adhesive seals, crimp seals, wire wraps, fiber optic seals, electronic, chemical, biological, and make-shift seals will be dissected, examined, and explained, with emphasis on their shortcomings and circumvention techniques. We will also present an overview of typical applications for tags, seals, and labels, including covert traps and uses ranging from consumer goods to loss reduction to government secrets.

Usage Rights

CC Attribution-NonCommercial-ShareAlike License


How To Steal A Nuclear Warhead, Without Voiding Your XBox Warranty: Presentation Transcript

  • How to Steal a Nuclear Warhead Without Voiding Your XBox Warranty
    An Introduction to
    Tamper-Evident Devices,
    Applications, Design, & Circumvention
    Jamie Schwettmann & Eric Michaud
  • The Way Things Will Go
    What are Tamper-Evident Devices & Why Should I care?
    The Proof is in the, uhm, …what Proof?
    Types of Devices:
    Adhesives, Inks, and Sealants
    Wraps, Seals, Physical Barriers
    Optics, Electronics, and Alarms
    Other Unique Devices
    Tag, You’re it! Attacks and Bypasses
    Seal the Deal! Risks and Implications of Tamper, from Real-life Scenarios
    J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
  • What are Tamper-Evident Devices and Why Should I Care?
  • What are Tamper-Evident Devices?
    These are not the tags and seals you’re looking for.
    Move along.
  • What are Tamper-Evident Devices?
    Definition:
    Any tag, seal, alarm or other indicator which can be employed to evidence unauthorized intrusion or alteration to a container, room, building, device housing, or other material is a tamper-evident device.
    Materials secured by such devices are often said to be “sealed”
  • What are Tamper-Evident Devices?
    Humans learned tamper-evidencing from Nature
    Probably Safe to Eat
    Probably
    NOT SAFE to Eat
    Photos: Jamie Schwettmann
  • What are Tamper-Evident Devices?
    At least 7,000 years ago, intricate stone carvings were pressed into clay to seal jars and later, writing tablets.
    Photo: uriel_1998
  • Why Should I Care?
    Everybody’s doing it…
    And so are YOU.
    Avoid lawsuits and recalls
    Shrink & fraud reduction
    Quality assurance
    Don’t trust the messenger… check for tampering.
  • The Proof is in the… uhm, what Proof? Inspection Methods and Evidence
  • The Proof: Inspection Methods
    Casual Inspection (duh, it’s broken)
    NO SPECIAL TOOLS REQUIRED!!!
    Photo: Jamie Schwettmann
  • The Proof: Inspection Methods
    Blink Comparison
    Photo: Jamie Schwettmann
    One of these things is not like the others…
  • The Proof: Inspection Methods
    Traps and Alarms
    Designed to automate notification of tampering
  • The Proof: Inspection Methods
    Rigorous Scientific Examination
    Materials Analysis
    Xray, UV, and Microscopy
    Circuit Verification
    Chemical Testing
    Checksums and Hashing
  • Types of Devices
  • Adhesives, Inks, & Sealants: Characterization
    Adhesives
    Bonds to surface
    Overt removal damages surface or film barrier
    Inks, Marks, & Stamps
    Visually broken by tampering
    Sealants
    Similar to adhesive
    No film or other barrier necessary
    Photo: Joe Shlabotnik
  • Adhesives, Inks, & Sealants: Circumvention
    Thermal Stressing (best)
    Heat: hair dryer or heat gun
    Cold: freezer or dry ice
    Solvents (may be messy)
    Alcohols
    Acids
    Petrochemicals
    Mineral Oil
    Water or Steam
    Needles & Razor Blades
  • Wraps, Crimps, Physical Barriers: Characterization
    All require material rupture to evidence tampering.
    Wraps:
    Cover or surround container or device
    Sealed with heat, adhesive, or mechanically crimped
    Plastic, paper, or foil films
    Crimps:
    Mechanical or heat-pressed seal
    Metal, plastic, paper, foil
    Other Physical Barriers:
    Wire wraps, zip ties, cup seals, pull-tabs, break-away caps, perforated films, tapes, blisterpacks, band seals, bolt locks, plastic padlocks, dangle-tabs, rivets, etc.
  • Wraps, Crimps, Physical Barriers: Circumvention
    Most require physical manipulation or modification, followed by reinstatement of seal
    Many can be shimmed
    Thermal Stress still helps
    Custom tools may be required
  • Optics, Electronics, Alarms: Characterization
    Unifying feature: Sensors
    Optical Devices
    Beam-break
    Motion detection
    Often trigger other events
    Electronic Devices
    Any kind of switch or sensor may be used
    RFIDs!!! SERIOUSLY!?
    Alarms
    Active alert of breach
    Often connected to electronics (not always)
  • Optics, Electronics, Alarms: Circumvention
    Automation makes humans lazy => less examination may occur!
    Electronic devices have inherent sampling rates and trigger tolerance – events outside these won’t trigger
    Inline signal and alarm bypasses may be available
    Devices operating on a network may be susceptible to additional attacks
    Many are themselves tamper-evidenced with physical methods
  • Tag, You’re It! Attacks, Bypasses and Circumventions
  • Bypass of Wire Wraps
    Classic Coke shimming method
    Requires:
    Razorblade
    Coke
    Photos: Gabriel Lawrence
  • Barriers: Bypassing Films and Stickers
    Go a little MacGyver
    Fishing Line/Mint Dental Floss
    Goo Gone/Acetone/Similar Solvents
    Hypodermic Needle
    Sewing Needles
    A steady and patient hand
    Heat Gun
    Attack the containers, skip the seals!
    Photo: Gabriel Lawrence
  • Barriers: Attacking Bolt Seals
    Two methods:
    1. Dissolve, shim, or drill retaining ring, then replace (diagram labels: Retaining Ring; Drill here)
    2. Cut head off, add screw and Loctite (diagram label: Cut as high as possible)
  • Bypass Bolt Barrier Seals
    Polycarbonate Seals are prone to material removal
    Insert tool in hole on base with nail or chisel then spin plug till it releases.
    For Metal plugs make custom shim
    To reseal press plug back in.
  • Bypass Bolt Barrier Seals
    Sometimes it’s easier to attack the container
    • Drill out the rivets
    • Take off a hinge
    • Cut a hole in the side
    …and then repair it.
    Photo: Thomas Hawk
  • Circumventing Cup Seals
    Similar to removing a water bottle cap…
    Shape a stiff piece of metal into a hook, insert/twist/depress tangs and repeat
    To reseal, reset tangs, then press cap back into place
  • Breakaway Tags/Padlocks
    Shimming and chiseling work well for these padlocks.
    Splitting down side then careful re-gluing works also
    Heat Gun to replace physical distress marks
  • Breakaway Tags/Padlocks
    Chisel
    Shim
    Re-glue
    Insert Shims/Chisels at entrance, either reset or glue.
    Photo: timlewisnm
  • Breakaway Plastic Bands
    Plastic Bands
    Chisel the restricting tips
    Heat Gun to reset color of physical stress indicators
    Spread Heat over physically distressed areas
    Insert chisel here and chop!
  • Bypassing Metal Band Seals
    Many Mechanisms simply beaten with bent pieces of metal
    Photo: Gabriel Lawrence
  • Wax Seals Defeats
    Thermal Stressing
    Hot air Gun to make pliable
    Canned Air to cause shrinkage and removal then reheat to reapply
    Photo: Joe Shlabotnik
    Photos: Gabriel Lawrence
  • Defeating Envelopes
    Steaming still works!
    but if it doesn’t, other solvents probably will!
  • Seal the Deal! Risks and Implications of Tamper: Real-World Scenarios
  • Scenario One: The XBox Tamper Seal
    Easily removed unscathed with a hairdryer and razor blade.
  • Scenario Two: Drug Tests Anyone?
    Who relies on a clean test to keep their jobs and clearances?
  • Scenario Three: This Pepsi Stings
    Remember the summer of 93?
    It’s a long time ago, I know…
    Rumors of Syringes in Pepsi cans
    Turned out to be a hoax, but severely harmed the image of Pepsi
    Your Assembly Process is part of the Tamper-Evident system also!
    Even though it was hoaxed by many copy-cats, Pepsi had to release ads and the FDA had to get involved.
  • Scenario Four: Chicago Tylenol Murders
    Potassium Cyanide is my drug of choice…
    What happened?
    Deaths from Cyanide-laced Extra Strength Tylenol, 1982-1986
    On some bottles, the seals had not been broken
    Results:
    On October 5, 1982, Johnson & Johnson issued a nationwide recall of Tylenol products; an estimated 31 million bottles were in circulation, with a retail value of over $100M.
    Johnson & Johnson went from 38% of sales to 8%
    It did rebound after a year, …but not without the loss.
  • Scenario Four: Chicago Tylenol Murders
    Unsolved mystery
    No killer has been found… the case is still open
    J&J claims the bottles were tampered on the shelves
    No evidence of post-production bottle-tampering was found
    Monsanto, also in Illinois, filed patent 4439453 for tableting acetaminophen in Sep 1982, just a week before the Tylenol murders began…
    A change to the industry
    Federal Anti-Tampering Act (1983)
    Capsules replaced by tablets
    …industry-wide
  • Scenario Five: Now where did I leave that fissile material?
    The IAEA details transportation requirements and does inspections.
    Represents the UN and the Security Council
    Lost Source Incidences
    Rogue States – DPRK Anyone?
    Material Sold to Non-Security Council countries
    Photo: ANL VAT
  • Conclusions…
  • Conclusion
    If possible, avoid attacking the seal directly.
  • Conclusion
    Image: TshirtHell.com
  • Additional Resources
    Your local arts, crafts, and hardware store!!
    Tamper-Evident Devices:
    Journal of Physical Security
    (Argonne National Laboratory Vulnerability Assessment Team)
    Insecurity of Drug Testing:
    Journal of Drug Issues
    Freight Container Mechanical Seals: ISO/PAS 17712 (2010)
  • For a Seal-Clubbing Good Time Call
    Jamie Schwettmann
    Em: jamie@i11industries.com
    Tw: brink_0x3f
    Eric Michaud
    Em: eric@i11industries.com
    Tw: EricMichaud