It’s been a while since we put up some new content but we have been busy working on a whole bunch of new bypasses ready for 2021. In this article, we are talking about bolt seals. We have come up with a few different methods of attacking bolt seals over the last couple of months and will be posting articles and videos of each technique over the coming weeks.
Today’s article is all about what we call the spin attack and is one of the oldest methods for bypassing this type of seal. As always we have made a YouTube video with a live demo of the attack. This article has a lot of info about making a custom tool that isn’t in the video but if you just want to see the attack, jump to the video at the end.
What Are Bolt Seals?
Bolt seals are a type of tamper evident security seal. Bolt seals are commonly used on shipping containers as a method to identify if someone has tried to access the container. They slot through the handle and a bracket attached to the door so the handle can’t be opened. Its not a lock. If someone wants to get in they can just cut the seal. The bolt seal is there so you can tell if someone has been into the container. Thieves might want to steal goods from inside, or someone else might want to get in there to hide illegal things and smuggle them across borders or into a country.
Bolt seals are made of hardened steel, usually covered in plastic and are very tough.When you want to open the protected shipping container, the bolt seal has to be cut off with bolt cutters and is destroyed. It is not designed to come apart and be reused.
How do Bolt Seals Work?
All bolt seals basically work the same way. There are two pieces that come stuck together and you just snap them apart when you are ready to use them.
The first piece is the main shaft which is inserted through the handle it is protecting. Note there is a small groove on the end near the metal tip.
The second piece is the head. Inside the head is a small metal pin that snaps over the end of the shaft and locks into that little groove. Once it’s in the groove you cant get it back out. Here we used our endoscope to look inside the head. You can see the pin in there, and the head of the shaft goes between these two sides and locks in.
Once together, there isn’t much clearance between the shaft and the head so there’s no real way to shim it.
Here are some close-ups of the bolt seal in action so you can get a better look at the pin and how it attaches to the steel shaft. Here we have removed the pin from inside the head so you can see it clearly.
In the left picture we have the pin separated from the bolt. On the right, the bolt has been inserted into the pin locking the seal in place. As you can see it’s locked into the groove and almost impossible to pull apart.
Controls to Protect Bolt Seals from Spinning Attacks
The attack we are performing today involves spinning the bolt seal REALLY fast which allows the bolt to slip out of the locking pin and the bolt seal will release. It can then be reused.
Over the years companies have changed their designs and come up with different ways to defend against attacks, the spin attack being one of them.
This still works on a lot of bolt seals, like the ones in this demo which we only bought a few weeks ago, but high-security bolt seals have extra controls, like oval-shaped shafts or interlocking plastic parts which break if the seal is spun. Here you can see an anti-spin bolt. The plastic parts aren’t round, but rather square, octagonal or another shape so they interlock. If you try spinning these it will tear the plastic apart.
The Spin Attack
We first heard about this attack years ago when we went to our first security conferences. There was always a bolt seal attached to a chain as one of the challenges in the Tamper Evident Challenge competitions. We heard a lot of people say it could be spun off but never saw anyone do it. Here’s one of the challenges from the OzSecCon 2018 Tamper Evident Challange. A bolt seal joining the ends of the metal chain. The challenge was to undo the bolt, release the chain, then do the bolt back up without leaving any evidence.
We scoured the Internet, found lots of conference talks that mentioned spinning but again, none of these talks had a demo of the attack. We were starting to wonder if it was an old wives tale or just a theory but we found plenty of bolt seals that had designs to stop this type of attack so it must be true.
And then we finally found proof!!! We found a low-quality video on YouTube of two guys in a hotel room at Defcon 19 back in 2011 but its hard to see what they are using on their drill. That’s 10 years ago and there’s been nothing since? Take a look at the link if you want to see the original attack cause…. hacker history ???? We can’t wait to have our first trip to Defcon!!!
So we started looking into the attack and we think we found out why it’s been so long. It’s HARD to do and needs a custom tool.
They used a power drill to do the spinning but you can’t fit a bolt seal into a power drill chuck. The smallest bolt seal head is around 18mm and you cant get handheld chucks that big! Even if you could, there would be issues holding it. More info below.
Making our Own Custom Bolt Seal Bypass Tool
So we looked everywhere for bigger chucks, some sort of attachment, or just something we could use. Nothing. Maybe we could use a drill press or a metal work lathe? But we dismissed this idea because even if it worked it wouldn’t be a usable attack. Are you really going to drag a metalwork lathe onto a cargo ship to spin off a bolt seal? ????
Then we suddenly thought, what if we jammed it in a wrench socket? We found one that fit nicely but of course, a soon as you tug on it it just slips out.
We needed a way to hold the bolt seal when we pulled on it. Maybe some type of adjustable socket? Do these even exist? Googling and yes… they actually exist. So we found one that had a maximum size of 19 millimetres. Perfect!!! We ordered it from eBay and waited.
It finally arrived and we tested. Of course as soon as we pulled on the drill the socket detached from the socket adapter. Ok… we needed to somehow get that to stay connected. We got dad to get out his welder and weld the two pieces together. Yes this is some pretty sketchy welding here but dad hasn’t welded in years and he just went straight at it with no warm-up or practice. It did the trick though!
So it was all looking good but then as we pulled on it, the bolt seal slipped out of the socket. The socket adapter welding worked but now it was another problem. No matter how hard we tightened it, once spinning it pulled out. Probably to be expected as it’s made for turning nuts, not pulling a nut off. You can see in the photo above, the walls of the pins that hold the bolt seal are very smooth. This against hard ABS plastic was just way too slippery.
We were starting to wonder if this was ever going to work. Does spinning even work? So we decided to rig up a REALLY dodgy test just to see if the spin attack works. We took some wire and wrapped it around the bolt seal, under the socket and around the shaft. We figured this would hold the bolt seal in place but probably scratch it up pretty bad. We weren’t worried as we just wanted to see if it would work.
YES!!! It worked!!!
So now all we had to do was modify the tool to hold onto the bolt seal. We got dad to do some mods for us. He took the tool apart, took out the pins and cut a small channel in each. You can see here the original pin on the top and the modified pin on the bottom. The base of the bolt seal would fit in this groove and hopefully hold onto it.
And here is the finished tool wrapped around the tail end of the bolt seal. You can see the pins now go over the top of the bolt seal and stop it from slipping out.
Testing Time!!!! We put it in the vice, started spinning and YES!!!! Out it came. Our custom bolt seal bypass tool was working!!!
Bolt Seal Spin Attack Demo
Ready for a demo of the attack? Here it is! Along with a bunch of additional info but if you check the description for the video, we added video chapters so you can jump straight to the attack.
As you can see, all that’s involved is putting one end of the bolt seal in our drill head and the other in a vice. You could perform this attack with the seal attached to a shipping container pretty easily if you have a second person holding the end in multi grips.
All you do is get the drill up to speed then pull back slowly and POP… it’s off and you’re in!!!
Can You Tell if the Bolt Seal Has Been Tampered With?
The good thing about this attack is it doesn’t destroy the pin inside so once you are done you can pop the bolt back together. We found that spinning it off a second time its a lot easier so the pin must have been weakened a bit but it’s still way too strong to pull off by hand so won’t be detected.
Final question you probably have is can you tell this attack has been performed? Short answer is no, if you do a few little cleanup jobs.
If you look at the tip you can see it has some marks, but this isn’t an issue. There’s no way to examine the tip when the bolt seal is joined without carefully cutting the head open and then forensically examining it and no one is going to do that. If they are that paranoid they would use a different type of security control.
You can see here on the plastic near the tip there’s some friction markings. These are easily cleaned up with some wet and dry sandpaper. Start courser and work down to really fine, finally buffing with acrylic buffer or similar to get that ABS shine back.
The other places that could give away there has been tampering are the ends put in the vice and the tool. We wrapped some electrical tape around the two ends to protect them. This works and there are no marks on the plastic.
Also, remember some marks will be normal. Actually, a lot of marks are probably normal. Its plastic, on a shipping container being hauled around, out in the weather, moving up and down in the door lock hole so it would be pretty scratched when it gets to its destination. Cleaning it up too much might actually make it look more tampered with.
We hope you have enjoyed this article and it encourages you to go make your own hopefully better tools for bypassing bolt seals. If you do, or even if you copy this one, please let us know all about it in the comments or @ us on Twitter.
If you want to make your own, the same as this one, here are the things you will need and links to where we got them from. You can buy from wherever. These are Australian suppliers, so might be better to pick suppliers in your own country. We are just putting them here so it’s easy to see what they are.
- Adjustable Socket 19mm – eBay
- 3/8″ Socket Adaptor – Bunnings
- Welder – to weld socket and adaptor together
- Dremel and Small Metal File – to modify the pins in the socket
- Power Drill – Something with a bit of power. A cordless drill probably won’t work
- Bench Vice – to hold the other end of the bolt seal
Good luck!!!
0 Comments