Schneier on Security
A blog covering security and security technology.
January 24, 2011
Hacking Tamper-Evident Devices
At the Black Hat conference last week, Jamie Schwettmann and Eric Michaud presented some great research on hacking tamper-evident seals.
Jamie Schwettmann and Eric Michaud of i11 Industries went through a long list of tamper evident devices at the conference here and explained, step-by-step, how each seal can be circumvented with common items, such as various solvents, hypodermic needles, razors, blow driers, and in more difficult cases with the help of tools such as drills.
Tamper-evident devices may be as old as civilization, and today are used in everyday products such as aspirin containers' paper seals. The more difficult devices may be bolt locks designed to secure shipping containers, or polycarbonate locks designed to shatter if cut.
But they all share something in common: They can be removed and the anti-tampering device reassembled.
Here's their paper, and here are the slides from their presentation. (These two direct download links from GoogleDocs also work.) There was more information in the presentation than in either the paper or the PowerPoint slides. If the video ever gets online, I'll link to it in this post.
Posted on January 24, 2011 at 1:20 PM
Bruce - the link in the top-level Computerworld article doesn't point to the long list of tamper evident devices it purports to - it goes to a page about voting system insecurity.
I haven't looked at it yet, but one that always occurred to me was things like squeezable ketchup or jelly bottles. Before first use, you have to unscrew the cap that has a nozzle, and remove the plastic/foil seal. The problem is, somebody could easily put some kind of poison on the hole in the cap that the product goes through and will come in contact with it during use. I wash these caps, but I'm kinda weird.
The paper and slides have a long list of the devices covered.
When the video by BlackHat is posted, we'll definitely link it. In the presentation we cover in much more detail the devices and classes of devices available and their defeats.
Even with only 70 minutes of time, there wasn't enough to cover all devices available as there are technically thousands if you count variations. So we broke them down into the most obvious categories of devices.
I hope this helps.
Looks great...Sorry I missed it.
Look forward to the vid.
The bolt seals are worrisome. Supposedly they are the principal control for the other end (foreign ports) of US bound container shipping. Once inspected they are trusted not to have terrorist nukes in them.
Yes, that's true. Terrorists are always shipping nukes around, I don't know why that isn't the primary thrust of the story.
FYI...I haven't read the research results yet but when performing FIPS 140-2 testing of tamper evident seals, which can be used on hardware modules at level 2 and higher, a FIPS lab will test them using thermal methods and common chemicals to see if they can be removed and replaced without tamper evidence.
The tamper evident seals provided by a vendor must pass these tests before they can be acceptable at FIPS Level 2 or higher.
A vendor must continue to only use those specific tamper evidence seals that have passed the test on their crypto module.
Coincidentally, Andrew Appel of Princeton University just announced a new paper about security seals on electronic voting machines (http://www.freedom-to-tinker.com/blog/appel/seals-nj-voting-machines-2004-2008). Appel was an expert witness in a lawsuit challenging the machines used in NJ.
I'm sure there are some tough seals out there, though I go on the theory that any tamper-evident seal can be defeated by a sufficiently skilled adversary. I consider it a simple proof from the assumption that anyone with physical access to something can circumvent it with enough time.
And so if anyone manages to poison my Tylenol, I guess I'll just die. 'course the tenth of a point off my BP that I get from not worrying about safety seals probably is worth more than the risk!
Well, it's almost a truism that any such safeguard can be defeated with sufficient determination and skill. That said, I've seen some "tamper seals" that just weren't trying....
Off topic: I'm sure you hate being right about this one: Moscow airport bombed. And yeah, early reports are that he hit the waiting area, presumably outside the security perimeter.
Anybody planning on travelling through certain parts of Africa or Asia and not tied down to their hotels should pay particular attention to the section on seal caps and lids. It's common practice to reassemble those for sale of dodgy water and food in recovered packaging. Some folks are really good at it, and I guess on a yearly basis they make many more victims than the occasional nuke in a container that slips by because the bolt seal has been successfully tampered with.
But I really should try that out for myself at the container yard around the corner here. I think I still have a visitor badge from a couple of years ago that is not too difficult to modify. I wouldn't even be surprised if the 4 digit pin-code to the management parking is still the same too.
@Josh O: the seal on the ketchup bottle isn't there to prevent poisoning. It's used to keep the air and dirt off the contents so it does not spoil (or at least have a better chance) while standing on the store shelf. It's for food *safety* not for *security*.
Secondary usages are to prevent the ketchup from spilling in transport and handling, also by customers rummaging through the shelves (as the nozzle itself is a poor protection from spilling if at all), to make shoplifting evident (a free mouthful of ketchup, anyone?), and - indeed - to prevent pranksters from spicing up a random bottle with pigeon sh*t.
Poisoning random food items at a department store? It's a movie-plot threat.
It's not a movie-plot threat per se: There were a couple of attempts to blackmail supermarkets in Germany by poisoning random food items.
However, the risk of spoiled food stuffs landing on the store shelf is much higher than any such blackmailing attempt would ever be.
@ Peter A.
"Poisoning random food items at a department store? It's a movie-plot threat."
No, it's not. There have been isolated incidents of people poisoning food items in department stores, such as the case of a woman poisoning baby food in Florida in 2009. I know of several other cases in Europe too, all of them acts by deeply disturbed nuts. For terrorists, it would make much more sense to try and contaminate water supplies or the food chain itself. In recent years, we've seen examples of such by unscrupulous companies, like the recent dioxin scare in Germany or the 2008 China milk and infant formula scandal that made an estimated 300,000 victims through melamine contamination of said products. The motive: plain and simple short-time profits.
Actually, tamper-evident containers may have been the origin of writing.
There were these Mesopotamian bill of lading thingies which were hollow balls with little tokens inside representing the sheep or bottles of oil or whatever. The glyphs from the tokens were impressed on the outside of the ball while the clay was still wet.
So the tokens inside verified the impressions on the outside. Cuneiform was actually a simplification.
While the tamper seals are a part of nuclear materials shipments, at least in the US, fissile material requires an escort of some kind, making tampering more of a movie plot than a feasible option. The terrorist seeking fuel would have to control the escort and the driver, and find some way to get the fuel while not alerting the next escort that something ever happened.
Said terrorist would also have to know more details about where and when the shipment was occurring. When, especially, is safeguards information, so they would have to be involved in the process before a shipment was even scheduled.
So, despite the seal being tamper-able, it would still be difficult to steal nuclear fuel.
I've worked in a distribution center as a hostler (yard worker) and have been responsible for checking container seals. In general, I only cared if they existed, that the numbers matched any relevant paperwork and that they were attached. And for the most part, whether the numbers matched any paperwork only mattered if the containers were domestic or possibly if there was an issue later. And in many cases the seals were not even securely attached in the first place. I just filled out the paperwork (C-TPAT), noted any issues and moved on (bringing up issues would only annoy supervisors).
Tamper proof seals aren't. And if the end user doesn't check for tampering they are at best a deterrent. Relying on them for security is absurd.
Sorry to be a party-pooper but it is a very simplistic and not so scientific piece of work. It is obvious that a lot of security measures are designed to be "good enough" and should be cost effective. Seals come in all sorts of flavors and features. If you protect a cheap XBOX I don't think you are going to use an expensive seal, made for protecting high-value targets.
There are a lot of low-level adversaries out there and even a simple seal will be good enough for them. There are few high-level thieves or whatever, and against them you need much better measures.
The bottom line - there is no real market drive for high security.
The main problem is not the security of the seal but rather security designed around a single layer. Good security should be an onion (forgive the pun) with many layers. If you skip this rule nothing else matters.
Regarding electronic seals - the problem is always the sensors and not the ability to mark an event in a way that cannot be reversed. Good sensors = good security, bad sensors = game over.
@salach What does market drive have to do with the scientific value of the findings?
Facts === facts, whether they're applicable to the market or not is irrelevant.
Now if the paper says nothing new and doesn't matter a jot, that's a different accusation...
I never intended to downgrade their work, but just ask any decent truck driver that moves containers back & forth and you will hear many stories about bypassing seals to earn a few bucks from this.
Nothing new here, although fun to read.
It seems there is a trend to make such (fun) work look like scientific research, using catchy titles so we end with a lot of fun stuff but little news.
The guys that submitted this are perfectly OK and did a nice job, but nowadays you see a lot of stuff from universities etc. that is like this and can hardly be called scientific research.
This kind of seal tampering has been great sport for my students for many years - as previous posters have noted there are whole economies based on this kind of tampering and it's very easy to defeat. The real purpose is relief of liability (regulations simply require "tamper indication" and are very vague about what that is).
If it makes you feel any better, the DOE waved off on tamper indication on its "3013" Plutonium containers in favor of "better record keeping".
That makes me feel much better.
Sorry to disappoint, but the subtitle of the talk was "Introduction to Tamper-Evident Devices...", with emphasis on "Introduction." It's true that there isn't much newly discovered information here, if any at all. We dutifully described the relationship of tamper-evident devices to a larger security policy, and noted that security decisions must be balanced against risk and threat model.
We also emphasized the importance of inspection and evidencing techniques alongside the attack techniques, so that hopefully this information can help to train better inspectors in the case of higher-risk situations.
Your claim of a lack of market drive is easily rebutted by pointing to a new ISO standard for high-security bolt-lock devices, as mentioned in the slides, an increased production and use of tamper-evident devices across the board, and the standing-room situation we walked into at BlackHat to give this talk. Come to think of it, all the scenarios at the end of the presentation were market drives as well. Are you sure you read it?
I also haven't seen any "scientific" works with "catchy titles", especially coming out of Universities. Surely if this is a trend, you can point to a few of them?
Regarding electronic seals, you say yourself that good security comes in many layers, and then immediately equate good sensors to good security. If you actually read the work we published on this topic, you'll notice that the system doesn't end at the sensors. Good sensors may well lead to too much focus on sensors and not enough on comprehensive security policy.
We plan to be presenting this and more advanced information, including original research, as well as offering workshops and collaborating with competition organizers throughout the year. So, please don't be upset if this brief Introduction didn't satiate you... there's plenty more to come. ;)
@ Jamie Schwettmann,
"I also haven't seen any "scientific" works with "catchy titles", especially coming out of Universities. Surely if this is a trend, you can point to a few of them"
If you go look at the Cambridge Labs website ( http://www.lightbluetouchpaper.org ) you will see a few years ago they were popping out paper after paper about basic physical security stuff. Most of which I was well aware of when I was preteen from making my own curious experiments, and I had assumed that everybody else was as well. Which you will realise was a real eye-opener/brow raiser for me.
The reason for this "lack of knowledge" was not that it was unknown (it was) but "trade secrets" of "the guilds". Basically they found these faults and kept their mouths shut and only talked about it "in guild" meets, because otherwise they would be seen to be liable for the failings of their systems or be unable to profit by them.
Matt Blaze ( http://www.crypto.com ) lifted the lid on this little nest of vipers when he unknowingly went up against the "locksmithing guilds" and showed without doubt that most of their "security enhancements" were actually the exact opposite.
In essence after a little thought anyone will realise that there is not nor will there ever be an unpickable mechanical lock due to simple mechanics and the laws of nature which engineers call "tolerance" giving rise to "slop". The best that can be achieved is those that "fail hard" when they are overly obviously tampered with (think of the "break glass" supports in safes that shatter if subjected to various energy inputs).
Which nicely brings me around to your comment to salach above,
"Your claim of a lack of market drive is easily rebutted by pointing to a new ISO standard for high-security bolt-lock devices, as mentioned in the slides, an increased production and use of tamper-evident devices across the board..."
As you may be aware this renewed interest is due to the realisation that the likes of CCTV are ineffective in one vital respect, "they are only passive observers" they (currently) have no inbuilt intelligence and thus have to be watched or reviewed at some later point in time.
That is if left to themselves many systems not just CCTV fail to give warning of activity that might have been of relevance until long after it was discovered some other way (usually post breach).
Tamper evident systems if specified and importantly used correctly will give warning of such activity fairly quickly.
As such they can be seen in a similar light to many other physical security systems in that they will if used properly buy "response time" in which appropriate human response will (hopefully) arrive to investigate / prosecute action against any entity present.
Thus the explicit points people need to remember about tamper evident indicating systems are:
1, Tamper Evident indicators need to be specified correctly and also installed correctly (no point putting a safe door on a tent).
2, Tamper Evident indicators need to be regularly inspected at time intervals less than half the expected resistance of the weakest physical time delaying measures employed in the system.
3, The person doing the inspection needs to be competent in both the inspection and as importantly what to do when tampering is indicated.
4, That in a well thought out system there are no "false positives", only "human conditioning", thus a Tamper Evident indicator warning must be investigated and then reset/replaced immediately, otherwise the system will fail from that point onwards.
As you note,
"Good sensors may well lead to too much focus on sensors and not enough on comprehensive security policy."
Oddly "good sensors" also have the opposite effect and encourage "magical thinking", that is those not very familiar with the way they work and their limits imbue a sense of "infallibility" in them. Thus as they put them in systems they actually open up glaring security holes, that they would not otherwise have done. In essence it is the same failed thinking as that of the likes of "hashing entropy into existence" in crypto systems.
Yes Tamper Evident Indicators will improve security BUT ONLY when those fully cognizant of their limits in scope and use deploy them, otherwise they are only so much "security theater" or worse "ticks on an auditors checklist".
It is this second point we really have to watch out for because it is one of the very major points where security fails over and over and over..... again and again. Because the systems are not designed to be secure but only to meet a known checklist the auditor uses and, as the auditor is usually paid by the company designing the system there is little or no incentive to design a secure system.
In fact in many cases the exact opposite occurs as the new security design has to cost less than the ROI on the insurance saving...
Such are the joys of "externalising risk" a point Bruce makes from time to time (not as much as I would like ;)
P.S. if you have a hunt on Matt Blaze's site you will find work he has referenced on "tamper evident" seals and indicators.
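The inspection discipline described in the thread (the hostler's check that seal serials match the paperwork, and the four points above: inspection intervals shorter than half the rated delay, tamper indications investigated and the seal replaced at once) can be expressed as an audit over inspection records. The following is an added example in Python; it is not part of the blog post, the comments or the i11 Industries paper, and the manifest, asset names, serials, delay ratings and log lines are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Seal:
    asset: str          # container or door the seal is applied to (hypothetical)
    serial: str         # serial recorded on the manifest at sealing time
    delay_hours: float  # rated resistance of the weakest time-delaying barrier


@dataclass
class Inspection:
    when: datetime
    asset: str
    serial_seen: str    # serial the inspector read off the seal
    status: str         # "intact", "tampered" or "replaced" (new serial applied)


# Constructed manifest and inspection log; none of these assets or serials are real.
MANIFEST = [
    Seal("CONT-01", "S-1001", 48),   # must be inspected at least every 24 h
    Seal("CONT-02", "S-2002", 48),
    Seal("VAULT-A", "S-3003", 12),   # must be inspected at least every 6 h
    Seal("VAULT-B", "S-4004", 12),
    Seal("CONT-03", "S-5005", 48),
]

LOG_TEXT = """
2011-01-24T08:00 CONT-01 S-1001 intact
2011-01-25T07:00 CONT-01 S-1001 intact
2011-01-26T10:00 CONT-01 S-1001 intact
2011-01-24T08:00 CONT-02 S-2009 intact
2011-01-24T08:00 VAULT-A S-3003 intact
2011-01-24T13:00 VAULT-A S-3003 tampered
2011-01-24T14:00 VAULT-A S-3003 intact
2011-01-24T08:00 VAULT-B S-4004 intact
2011-01-24T12:00 VAULT-B S-4004 tampered
2011-01-24T12:30 VAULT-B S-4010 replaced
2011-01-24T17:00 VAULT-B S-4010 intact
"""


def parse_log(text):
    """Parse lines of the form '<ISO timestamp> <asset> <serial> <status>'."""
    records = []
    for line in text.strip().splitlines():
        ts, asset, serial, status = line.split()
        records.append(Inspection(datetime.fromisoformat(ts), asset, serial, status))
    return records


def audit(manifest, log):
    """Return (asset, code, detail) findings for every seal on the manifest."""
    findings = []
    by_asset = {}
    for rec in sorted(log, key=lambda r: r.when):
        by_asset.setdefault(rec.asset, []).append(rec)

    for seal in manifest:
        recs = by_asset.get(seal.asset, [])
        if not recs:
            findings.append((seal.asset, "NEVER_INSPECTED", seal.serial))
            continue
        limit = timedelta(hours=seal.delay_hours / 2)
        expected = seal.serial   # serial that should currently be on the seal
        prev = None
        for rec in recs:
            # Point 2: consecutive inspections must be closer together than
            # half the rated delay, otherwise a defeat-and-reseal fits in the gap.
            if prev is not None and rec.when - prev.when > limit:
                findings.append((seal.asset, "GAP",
                                 f"{rec.when - prev.when} between inspections, limit {limit}"))
            # Serial must match the paperwork; a replacement updates the record.
            if rec.status == "replaced":
                expected = rec.serial_seen
            elif rec.serial_seen != expected:
                findings.append((seal.asset, "SERIAL_MISMATCH",
                                 f"saw {rec.serial_seen}, manifest says {expected}"))
            # Point 4: a tamper indication must be followed by a replacement,
            # not by a later inspection that simply records "intact" again.
            if prev is not None and prev.status == "tampered" and rec.status != "replaced":
                findings.append((seal.asset, "UNRESOLVED_TAMPER",
                                 f"indication at {prev.when} never replaced"))
            prev = rec
        if prev.status == "tampered":
            findings.append((seal.asset, "OPEN_TAMPER", f"indication at {prev.when} still open"))
    return findings


def run_audit():
    """Audit the constructed log against the constructed manifest."""
    return audit(MANIFEST, parse_log(LOG_TEXT))


if __name__ == "__main__":
    for asset, code, detail in run_audit():
        print(f"{asset}: {code} ({detail})")
```

Run as a script it reports one finding each for CONT-01 (a 27-hour gap against a 24-hour limit), CONT-02 (serial on the seal differs from the manifest), VAULT-A (a tamper indication followed by an "intact" record instead of a replacement) and CONT-03 (never inspected); VAULT-B, where the indication was followed by a replacement and later inspections read the new serial, produces none. The half-delay rule is applied per seal from its own rating, so a seal on a weak barrier is held to a tighter schedule than one on a strong barrier.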
"If you go look at the Cambridge Labs website ( http://www.lightbluetouchpaper.org ) you will see a few years ago they were poping out paper after paper about basic physical security stuff...
The reason for this "lack of knowledge" was not that it was unknown (it was) but "trade secrets" of "the guilds"."
This much is obvious, and doesn't remove the need for open publication of the topics. Eric and I are involved in many educational endeavors, and you can expect to see us handing out basic information on a variety of topics. In our spare time, we teach lockpicking to children.
The link you mention is a blog, and I'd rather not sift through the entirety of the largely unorganized content to figure out which posts might have papers linked on this topic. Can you link to a purportedly scientific paper with a "catchy title", as salach has claimed? Ours isn't a journal publication, and isn't masquerading as original scientific research. It's a conference proceeding on an Introduction to the topic.
I'd simply like to see evidence of anyone trying to "pass off" basic information as "scientific research" with a "catchy title" before conceding that a "trend" exists, and even if it does, this work doesn't fall into it. Apologies for the skepticism, but I'm not the party making claims here.
Aside from that, the points you make are as basic and valid as the ones I made previously, and strikingly similar to the ones given in our oral presentation. Thanks for the elaboration. :)
As far as we know, there hasn't previously been much (or any) organized public presentation made on circumvention methods for tamper-evident devices, and many people involved in decisions, policy-making, use, and inspection of these devices aren't as educated about the topic as you and I. We can agree about best practice and rational security policy all day long between us, and it won't help the larger audience.
Presentation of basic information such as this is aimed at raising awareness and allowing a larger population to enjoy more conscious security choices in product and protocol, which hopefully will cause the necessary market feedback to inspire more conscious design. Everyone benefits from education, whether it's original research or not.
@ Peter A.
"the seal on the ketchup bottle isn't there to prevent poisoning. It's used to keep the air and dirt off the contents so it does not spoil"
No, a cap would be sufficient. The cap on wine bottles, for example, has no separate seal inside yet the contents do not spoil.
More to the point, ketchup is often kept at room temperature for long periods of time with only a cap. Even without the cap it should not spoil from air, as I mentioned a while ago.
@ Jamie Schwettmann
"In our spare time, we teach lockpicking to children."
Why children? Can't you pick on someone your own size? But seriously, is this because you have children that you would be spending your spare time with anyway (it's not really about them)?
"there hasn't previously been much (or any) organized public presentation made on circumvention methods for tamper-evident devices"
Er, do you mean to say previous public information is not qualified as "organized" because it was not in Power Point format or because it was not at an expensive conference?
Right about now Harry Houdini is rolling in his lock and chain-covered coffin.
There have been very public and widespread debates about tamper-evidence related to assassinations (e.g. Mossad's poison toothpaste and coat-hanger-to-set-a-door-chain), not to mention security theory (e.g. the evil-maid conundrum)
In other words I have seen a long and colorful history of public information and presentations on circumventing tamper-evident devices from wax seals to foil, glue and tape. There is much to be found in the news, mystery novels as well as historical works such as the Poisoner's Handbook. And then there's the directly comparable stuff...
"For copies of the VAT papers and presentations on a wide variety of physical security issues (tags, seals, product counterfeiting, vulnerability assessments, RFIDs, GPS, nuclear safeguards) contact Roger G. Johnston."
"Tamper-Indicating Devices and Safeguards Seals Evaluation Test Report", Sandia National Labs, (SAND93-1726) 1993
Here's a public presentation example I should have included, by Roger G. Johnston, Los Alamos National Laboratory, in 2002:
"Tamper-indicating devices (tamper-indicating devices) are meant to detect unauthorized access, entry, or tampering. [...] We studied 198 seals and demonstrated how all can be defeated quickly using low-tech methods available to almost anyone. The seals ranged from inexpensive low-tech seals to expensive high-tech seals."
Very interesting article, thanks. I do note that your list of inspection methods doesn't include the one I was taught.
Years ago, I worked at a place with a vault which was accessed rarely, and normally had seals on the door and locks. For a while I was one of the people tasked with inspecting the seals at randomly but frequent intervals, and I received a 2 hour lecture on what to look for.
The gist of the lecture was that we couldn't become forensic analysts in 2 hours but you could make life darned hard for the opponent if you knew precisely what to look for. These were adhesive based seals, and the known forms of attack were solvents, heat, cold, separation by a thin blade, and substitution.
The instructor, who obviously practised this a lot, had samples of good seals and ones tampered by various methods and with varying degrees of skill. By the end of the period, we were supposed to spot 90% of tamperings with 0 false positives, and I think everyone managed it.
We had no blink comparators, just a 10 power jewellers' loupe and a known-good seal for comparison.