Download - How To Steal A Nuclear Warhead, Without Voiding Your XBox Warranty

HOW TO STEAL A NUCLEAR WARHEADWITHOUT VOIDING YOUR XBOX WARRANTY

An Introduction toTamper-Evident Devices,

Applications, Design, & Circumvention

Jamie Schwettmann & Eric Michaud

The Way Things Will Go• What are Tamper-Evident Devices &

Why Should I care?

• The Proof is in the, uhm, …what Proof?

• Types of Devices:– Adhesives, Inks, and Sealants– Wraps, Seals, Physical Barriers– Optics, Electronics, and Alarms– Other Unique Devices

• Tag, You’re it! Attacks and Bypasses

• Seal the Deal! Risks and Implications of Tamper, from Real-life Scenarios

J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011

What are Tamper-Evident Devices and Why Should I Care?

What are Tamper-Evident Devices?

Move along.

These are not the tags and seals you’re looking for.



Definition:

Any tag, seal, alarm or other indicator which can be employed to evidence unauthorized intrusion or alteration to a container, room, building, device housing, or other material is a TAMPER-EVIDENT DEVICE.

Materials secured by such devices are often said to be “sealed”



Humans learned tamper-evidencing from Nature

Probably Safe to Eat

Probably NOT SAFE to Eat


PH

OTO

S:

JA

MIE

SC

HW

ETTM

AN

N

At least 7,000 years ago, intricate stone carvings were pressed into clay to seal jars and later, writing tablets.



PH

OTO

: U

RIE

L_1

99

8

Why Should I Care?

• Everybody’s doing it…– And so are YOU.

• Avoid lawsuits and recalls

• Shrink & fraud reduction• Quality assurance

• Don’t trust the messenger… check for tampering.


The Proof is in the… … uhm, what Proof?

Inspection Methods andEvidence

The Proof: Inspection Methods

Casual Inspection (duh, it’s broken)

NO SPECIAL

TOOLS

REQUIRED!!!


PH

OTO

: JA

MIE

SC

HW

ETTM

AN

N

The Proof: Inspection MethodsBlink

Comparison

One of these things is not like the others… J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan

2011

PH

OTO

: JA

MIE

SC

HW

ETTM

AN

N

The Proof: Inspection Methods

Traps and Alarms

Designed to automate notification of tampering


The Proof: Inspection MethodsRigorous Scientific Examination

• Materials Analysis• Xray, UV, and Microscopy• Circuit Verification• Chemical Testing• Checksums and Hashing


Types of Devices

Adhesives, Inks, & Sealants: Characterization

• Adhesives– Bonds to surface– Overt removal damages

surface or film barrier

• Inks, Marks, & Stamps– Visually broken by

tampering

• Sealants– Similar to adhesive– No film or other barrier

necessary J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan

2011

PH

OTO

: JO

E S

HLA

BO

TN

IK

Adhesives, Inks, & Sealants: Circumvention

• Thermal Stressing (best)– Heat: hair dryer or heat gun– Cold: freezer or dry ice

• Solvents (may be messy)– Alcohols– Acids– Petrochemicals– Mineral Oil– Water or Steam

• Needles & Razor BladesJ. Schwettmann & E. Michaud, BlackHat DC, 18 Jan

2011

Wraps, Crimps, Physical Barriers: CharacterizationAll require material rupture to evidence

tampering.

• Wraps:– Cover or surround container or device– Sealed with heat, adhesive, or

mechanically crimped– Plastic, paper, or foil films

• Crimps:– Mechanical or heat-pressed seal– Metal, plastic, paper, foil

• Other Physical Barriers:– Wire wraps, zip ties, cup seals, pull-tabs,

break-away caps, perforated films, tapes, blisterpacks, band seals, bolt locks, plastic padlocks, dangle-tabs, rivets, etc. J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan

2011

Wraps, Crimps, Physical Barriers: Circumvention

• Most require physical manipulation or modification, followed by reinstatement of seal

• Many can be shimmed

• Thermal Stress still helps

• Custom tools may be required


Optics, Electronics, Alarms: Characterization

Unifying feature: Sensors

• Optical Devices– Beam-break– Motion detection– Often trigger other events

• Electronic Devices– Any kind of switch or sensor

may be used– RFIDs!!! SERIOUSLY!?

• Alarms– Active alert of breach– Often connected to electronics

(not always)J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011

Optics, Electronics, Alarms: Circumvention

• Automation makes humans lazy => less examination may occur!

• Electronic devices have inherent sampling rates and trigger tolerance – events outside these won’t trigger

• Inline signal and alarm bypasses may be available

• Devices operating on a network may be susceptible to additional attacks

• Many are themselves tamper-evidenced with physical methods


Tag, You’re It!Attacks, Bypasses and Circumventions

Bypass of Wire Wraps

Classic Coke shimming methodRequires:RazorbladeCoke


PHO

TOS: G

AB

RIE

L LAW

REN

CE

Barriers: Bypassing Films and Stickers


Go a little MacGuyverFishing Line/Mint Dental FlossGoo Gone/Acetone/Similar SolventsHypodermic Needle Sewing NeedlesA steady and patient handHeat GunAttack the containers skip the Seals!

PHOTO: GABRIEL LAWRENCE

PH

OTO

: G

AB

RIE

L LA

WR

EN

CE

Barriers: Attacking Bolt Seals

Two methods:

1. Dissolve. Shim, or drill retaining ring, then replace

2. Cut head off, add screw and Loctite



Two methods:



Retaining Ring


1


Two methods:



Drill here

Retaining Ring


1


Two methods:



Cut as high as possible


2

Bypass Bolt Barrier Seals


• Polycarbonate Seals are prone to material removal

• Insert tool in hole on base with nail or chisel then spin plug till it releases.

• For Metal plugs make custom shim

To reseal press plug back in.

Bypass Bolt Barrier Seals


Sometimes it’s easier to attack the container

•Drill out the rivets•Take off a hinge•Cut a hole in the side

…and then repair it.

PH

OTO

: TH

OM

AS H

AW

K

Circumventing Cup SealsSimilar to removing a water

bottle cap…

Shape a stiff piece of metal into a hook, insert/twist/depress tangs and repeat


To reseal, reset tangs, then press cap back into place

Breakaway Tags/Padlocks

• Shimming and chiseling work well for these padlocks.

• Splitting down side then careful re-gluing works also

• Heat Gun to replace physical distress marks


Breakaway Tags/Padlocks

ChiselShimRe-glue

Insert Shims/Chisels at entrance, either reset

or glue.


PH

OTO

: TIM

LEW

ISN

M

Breakaway Plastic Bands

• Plastic Bands – Chisel the restricting tips– Heat Gun to reset color of

physical stress indicators

Spread Heat over physically

distressed areas


Insert chisel here and

chop!

Many Mechanisms simply beaten with bent pieces of metal

Bypassing Metal Band Seals


PH

OTO

: G

AB

RIE

L LA

WR

EN

CE

• Thermal Stressing– Hot air Gun to make

pliable– Canned Air to cause

shrinkage and removal then reheat to reapply

Wax Seals Defeats


PH

OTO

S:

GA

BR

IEL

LAW

REN

CE

PH

OTO

: JO

E S

HLA

BLO

TN

IK

Steaming still works!

Defeating Envelopes


but if it doesn’t, other solvents probably will!

Seal the Deal! Risks and Implications of Tamper:Real-World Scenarios

Scenario One: The XBox Tamper Seal

Easily removed unscathed with a hairdryer and

razor blade.


Scenario Two: Drug Tests Anyone?

Who relies on a clean test to keep their jobs and clearances?


• Remember the summer of 93?– It’s a long time ago, I know…– Rumors of Syringes in Pepsi cans – Turned out to be a hoax, but

severally harmed the image of Pepsi

• Your Assembly Process is part of the Tamper-Evident system also!

• Even though it was hoaxed by many copy-cats, Pepsi had to release ads and the FDA had to get involved.

Scenario Three: This Pepsi Stings


Potassium Cyanide is my drug of choice…

What happened? Deaths from Cyanide-laced Extra Strength Tylenol, 1982-1986

On some bottles, the seals had not been broken

Results:On October 5, 1982, Johnson & Johnson issued a nationwide

recall of Tylenol products; an estimated 31 million bottles were in circulation, with a retail value of over $100M.

Johnson & Johnson went from 38% of sales to 8%It did rebound after a year, …but not without the loss.

Scenario Four: Chicago Tylenol Murders


Scenario Four: Chicago Tylenol Murders


• Unsolved mystery– No killer has been found… the case is still open– J&J claims the bottles were tampered on the shelves– No evidence of post-production bottle-tampering was found– Monsanto, also in Illinois, filed patent 4439453 for

tableting acetaminophen in Sep 1982, just a week before the Tylenol murders began…

• A change to the industry– Federal Anti-Tampering Act (1983)– Capsules replaced by tablets

…industry-wide

http://www.patentgenius.com/patent/4439453.html

• The IAEA details transportation requirements and does inspections.– Represents the UN and the Security

Council– Lost Source Incidences– Rogue States – DPRK Anyone?– Material Sold to Non-Security Council

countries

Scenario Five: Now where did I leave that fissile material?


PH

OTO

: A

NL

VAT

Conclusions…

Conclusion

If possible,

avoidattacking the sealdirectly.


Conclusion


IMA

GE:

TSH

IRTH

ELL

.CO

M

Additional Resources

Your local arts, crafts, and hardware store!!

Tamper-Evident Devices:Journal of Physical Security

(Argonne National Laboratory Vulnerability Assessment Team)

Insecurity of Drug Testing:Journal of Drug Issues

Freight Container Mechanical Seals: ISO/PAS 17712 (2010)


For a Seal-Clubbing Good Time Call

Jamie SchwettmannEm: [email protected]: brink_0x3f

Eric MichaudEm: [email protected]: EricMichaud