How To Steal A Nuclear Warhead, Without Voiding Your XBox Warranty
-
Upload
michauderic -
Category
Self Improvement
-
view
9.377 -
download
4
description
Transcript of How To Steal A Nuclear Warhead, Without Voiding Your XBox Warranty
HOW TO STEAL A NUCLEAR WARHEADWITHOUT VOIDING YOUR XBOX WARRANTY
An Introduction toTamper-Evident Devices,
Applications, Design, & Circumvention
Jamie Schwettmann & Eric Michaud
The Way Things Will Go• What are Tamper-Evident Devices &
Why Should I care?
• The Proof is in the, uhm, …what Proof?
• Types of Devices:– Adhesives, Inks, and Sealants– Wraps, Seals, Physical Barriers– Optics, Electronics, and Alarms– Other Unique Devices
• Tag, You’re it! Attacks and Bypasses
• Seal the Deal! Risks and Implications of Tamper, from Real-life Scenarios
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
What are Tamper-Evident Devices and Why Should I Care?
What are Tamper-Evident Devices?
Move along.
These are not the tags and seals you’re looking for.
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
What are Tamper-Evident Devices?
Definition:
Any tag, seal, alarm or other indicator which can be employed to evidence unauthorized intrusion or alteration to a container, room, building, device housing, or other material is a TAMPER-EVIDENT DEVICE.
Materials secured by such devices are often said to be “sealed”
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
What are Tamper-Evident Devices?
Humans learned tamper-evidencing from Nature
Probably Safe to Eat
Probably NOT SAFE to Eat
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
PH
OTO
S:
JA
MIE
SC
HW
ETTM
AN
N
At least 7,000 years ago, intricate stone carvings were pressed into clay to seal jars and later, writing tablets.
What are Tamper-Evident Devices?
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
PH
OTO
: U
RIE
L_1
99
8
Why Should I Care?
• Everybody’s doing it…– And so are YOU.
• Avoid lawsuits and recalls
• Shrink & fraud reduction• Quality assurance
• Don’t trust the messenger… check for tampering.
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
The Proof is in the… … uhm, what Proof?
Inspection Methods andEvidence
The Proof: Inspection Methods
Casual Inspection (duh, it’s broken)
NO SPECIAL
TOOLS
REQUIRED!!!
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
PH
OTO
: JA
MIE
SC
HW
ETTM
AN
N
The Proof: Inspection MethodsBlink
Comparison
One of these things is not like the others… J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan
2011
PH
OTO
: JA
MIE
SC
HW
ETTM
AN
N
The Proof: Inspection MethodsBlink
Comparison
One of these things is not like the others… J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan
2011
PH
OTO
: JA
MIE
SC
HW
ETTM
AN
N
The Proof: Inspection Methods
Traps and Alarms
Designed to automate notification of tampering
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
The Proof: Inspection MethodsRigorous Scientific Examination
• Materials Analysis• Xray, UV, and Microscopy• Circuit Verification• Chemical Testing• Checksums and Hashing
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
Types of Devices
Adhesives, Inks, & Sealants: Characterization
• Adhesives– Bonds to surface– Overt removal damages
surface or film barrier
• Inks, Marks, & Stamps– Visually broken by
tampering
• Sealants– Similar to adhesive– No film or other barrier
necessary J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan
2011
PH
OTO
: JO
E S
HLA
BO
TN
IK
Adhesives, Inks, & Sealants: Circumvention
• Thermal Stressing (best)– Heat: hair dryer or heat gun– Cold: freezer or dry ice
• Solvents (may be messy)– Alcohols– Acids– Petrochemicals– Mineral Oil– Water or Steam
• Needles & Razor BladesJ. Schwettmann & E. Michaud, BlackHat DC, 18 Jan
2011
Wraps, Crimps, Physical Barriers: CharacterizationAll require material rupture to evidence
tampering.
• Wraps:– Cover or surround container or device– Sealed with heat, adhesive, or
mechanically crimped– Plastic, paper, or foil films
• Crimps:– Mechanical or heat-pressed seal– Metal, plastic, paper, foil
• Other Physical Barriers:– Wire wraps, zip ties, cup seals, pull-tabs,
break-away caps, perforated films, tapes, blisterpacks, band seals, bolt locks, plastic padlocks, dangle-tabs, rivets, etc. J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan
2011
Wraps, Crimps, Physical Barriers: Circumvention
• Most require physical manipulation or modification, followed by reinstatement of seal
• Many can be shimmed
• Thermal Stress still helps
• Custom tools may be required
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
Optics, Electronics, Alarms: Characterization
Unifying feature: Sensors
• Optical Devices– Beam-break– Motion detection– Often trigger other events
• Electronic Devices– Any kind of switch or sensor
may be used– RFIDs!!! SERIOUSLY!?
• Alarms– Active alert of breach– Often connected to electronics
(not always)J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
Optics, Electronics, Alarms: Circumvention
• Automation makes humans lazy => less examination may occur!
• Electronic devices have inherent sampling rates and trigger tolerance – events outside these won’t trigger
• Inline signal and alarm bypasses may be available
• Devices operating on a network may be susceptible to additional attacks
• Many are themselves tamper-evidenced with physical methods
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
Tag, You’re It!Attacks, Bypasses and Circumventions
Bypass of Wire Wraps
Classic Coke shimming methodRequires:RazorbladeCoke
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
PHO
TOS: G
AB
RIE
L LAW
REN
CE
Barriers: Bypassing Films and Stickers
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
Go a little MacGuyverFishing Line/Mint Dental FlossGoo Gone/Acetone/Similar SolventsHypodermic Needle Sewing NeedlesA steady and patient handHeat GunAttack the containers skip the Seals!
PHOTO: GABRIEL LAWRENCE
PH
OTO
: G
AB
RIE
L LA
WR
EN
CE
Barriers: Attacking Bolt Seals
Two methods:
1. Dissolve. Shim, or drill retaining ring, then replace
2. Cut head off, add screw and Loctite
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
Barriers: Attacking Bolt Seals
Two methods:
1. Dissolve. Shim, or drill retaining ring, then replace
2. Cut head off, add screw and Loctite
Retaining Ring
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
1
Barriers: Attacking Bolt Seals
Two methods:
1. Dissolve. Shim, or drill retaining ring, then replace
2. Cut head off, add screw and Loctite
Drill here
Retaining Ring
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
1
Barriers: Attacking Bolt Seals
Two methods:
1. Dissolve. Shim, or drill retaining ring, then replace
2. Cut head off, add screw and Loctite
Cut as high as possible
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
2
Bypass Bolt Barrier Seals
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
• Polycarbonate Seals are prone to material removal
• Insert tool in hole on base with nail or chisel then spin plug till it releases.
• For Metal plugs make custom shim
To reseal press plug back in.
Bypass Bolt Barrier Seals
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
Sometimes it’s easier to attack the container
•Drill out the rivets•Take off a hinge•Cut a hole in the side
…and then repair it.
PH
OTO
: TH
OM
AS H
AW
K
Bypass Bolt Barrier Seals
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
Sometimes it’s easier to attack the container
•Drill out the rivets•Take off a hinge•Cut a hole in the side
…and then repair it.
PH
OTO
: TH
OM
AS H
AW
K
Bypass Bolt Barrier Seals
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
Sometimes it’s easier to attack the container
•Drill out the rivets•Take off a hinge•Cut a hole in the side
…and then repair it.
PH
OTO
: TH
OM
AS H
AW
K
Bypass Bolt Barrier Seals
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
Sometimes it’s easier to attack the container
•Drill out the rivets•Take off a hinge•Cut a hole in the side
…and then repair it.
PH
OTO
: TH
OM
AS H
AW
K
Bypass Bolt Barrier Seals
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
Sometimes it’s easier to attack the container
•Drill out the rivets•Take off a hinge•Cut a hole in the side
…and then repair it.
PH
OTO
: TH
OM
AS H
AW
K
Circumventing Cup SealsSimilar to removing a water
bottle cap…
Shape a stiff piece of metal into a hook, insert/twist/depress tangs and repeat
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
To reseal, reset tangs, then press cap back into place
Breakaway Tags/Padlocks
• Shimming and chiseling work well for these padlocks.
• Splitting down side then careful re-gluing works also
• Heat Gun to replace physical distress marks
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
Breakaway Tags/Padlocks
ChiselShimRe-glue
Insert Shims/Chisels at entrance, either reset
or glue.
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
PH
OTO
: TIM
LEW
ISN
M
Breakaway Plastic Bands
• Plastic Bands – Chisel the restricting tips– Heat Gun to reset color of
physical stress indicators
Spread Heat over physically
distressed areas
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
Insert chisel here and
chop!
Many Mechanisms simply beaten with bent pieces of metal
Bypassing Metal Band Seals
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
PH
OTO
: G
AB
RIE
L LA
WR
EN
CE
• Thermal Stressing– Hot air Gun to make
pliable– Canned Air to cause
shrinkage and removal then reheat to reapply
Wax Seals Defeats
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
PH
OTO
S:
GA
BR
IEL
LAW
REN
CE
PH
OTO
: JO
E S
HLA
BLO
TN
IK
Steaming still works!
Defeating Envelopes
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
but if it doesn’t, other solvents probably will!
Seal the Deal! Risks and Implications of Tamper:Real-World Scenarios
Scenario One: The XBox Tamper Seal
Easily removed unscathed with a hairdryer and
razor blade.
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
Scenario Two: Drug Tests Anyone?
Who relies on a clean test to keep their jobs and clearances?
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
• Remember the summer of 93?– It’s a long time ago, I know…– Rumors of Syringes in Pepsi cans – Turned out to be a hoax, but
severally harmed the image of Pepsi
• Your Assembly Process is part of the Tamper-Evident system also!
• Even though it was hoaxed by many copy-cats, Pepsi had to release ads and the FDA had to get involved.
Scenario Three: This Pepsi Stings
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
Potassium Cyanide is my drug of choice…
What happened? Deaths from Cyanide-laced Extra Strength Tylenol, 1982-1986
On some bottles, the seals had not been broken
Results:On October 5, 1982, Johnson & Johnson issued a nationwide
recall of Tylenol products; an estimated 31 million bottles were in circulation, with a retail value of over $100M.
Johnson & Johnson went from 38% of sales to 8%It did rebound after a year, …but not without the loss.
Scenario Four: Chicago Tylenol Murders
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
Scenario Four: Chicago Tylenol Murders
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
• Unsolved mystery– No killer has been found… the case is still open– J&J claims the bottles were tampered on the shelves– No evidence of post-production bottle-tampering was found– Monsanto, also in Illinois, filed patent 4439453 for
tableting acetaminophen in Sep 1982, just a week before the Tylenol murders began…
• A change to the industry– Federal Anti-Tampering Act (1983)– Capsules replaced by tablets
…industry-wide
• The IAEA details transportation requirements and does inspections.– Represents the UN and the Security
Council– Lost Source Incidences– Rogue States – DPRK Anyone?– Material Sold to Non-Security Council
countries
Scenario Five: Now where did I leave that fissile material?
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
PH
OTO
: A
NL
VAT
Conclusions…
Conclusion
If possible,
avoidattacking the sealdirectly.
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
Conclusion
If possible,
avoidattacking the sealdirectly.
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
Conclusion
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
IMA
GE:
TSH
IRTH
ELL
.CO
M
Additional Resources
Your local arts, crafts, and hardware store!!
Tamper-Evident Devices:Journal of Physical Security
(Argonne National Laboratory Vulnerability Assessment Team)
Insecurity of Drug Testing:Journal of Drug Issues
Freight Container Mechanical Seals: ISO/PAS 17712 (2010)
J. Schwettmann & E. Michaud, BlackHat DC, 18 Jan 2011
For a Seal-Clubbing Good Time Call
Jamie SchwettmannEm: [email protected]: brink_0x3f
Eric MichaudEm: [email protected]: EricMichaud