This is the first of our articles looking at how to bypass a tamper evident bag, also called a security satchel. We first came across these in one of the OzSecCon Tamper Evident Challenges. People really struggle with these as most attacks target the tamper evident strip and they are REALLY hard to remove without damaging.
Above we have a high-security tamper-evident bag. These bags have a bunch of methods to spot if the bag has been tampered with. Attacking the high-security ones, like this level 4 bag below, can be really difficult as they have a lot of different controls that make bypassing hard.
Sometimes the best way to attack a tamper-evident device isn’t to try and beat the controls but just swap the whole thing out for a new one. If you can do this with a tamper evident bag, you can open the bag, get access to what’s inside, then seal it back up in a new bag without anyone knowing.
But you are probably wondering how you can do this with a tamper-evident bag that’s been designed to stop it from being swapped? That’s what this article is all about!!!
What is a Tamper Evident Bag?
Before we start I want to tell you a bit about tamper evident security bags and satchels so you know what they are, what controls have been designed into them, and why it’s difficult to bypass the high-security ones. Understanding how something works is the first step to finding a weakness.
Security satchels, like the one above, are basically a plastic bag used to transport sensitive information, money or some other valuable item. While they won’t stop someone just ripping the bag apart and stealing the contents, they will detect if someone has opened the bag and accessed the booty inside. Think of someone that transports money opening the bag and taking a few dollars out of every bag, or someone viewing or copying some secret information that’s being transported.
Security satchels have five different security levels rated from zero through to four, zero being the least secure and four being the highest security bag.
- Level zero is just the standard plastic envelope you get at the post office that has some hot melt glue to hold it closed.
- Level one has a stronger adhesive that has a graphic on it. Tampering with the seal will distort the graphic. You don’t see these very often.
- Level two is your typical tamper-evident bag. It has a strong adhesive with a hidden graphic so when you try and open it you get the word VOID or similar across the seal. Cold attacks like using freon don’t work on these.
- Level three is a level two bag but the ink used for the hidden graphic is sensitive to water and other solvents. You will usually see the ink bleed and get destroyed if you use any chemical on it making it obvious it was tampered with.
- Level four is the highest security. It takes the level three bag and adds an anti-heat strip. There is usually a see-through window across the seal and if you use heat on it it turns black. Level fours are pretty nasty to bypass with direct attacks but we have another post and video coming soon so watch out for it!
Here is a video we made showing what the heat strip on a Level 4 tamper evident bag looks like when it is hit with a heat gun.
This is a common attack used to soften the glue to open the bag. You can see us use a heat attack on a level 3 bag in our 4 Layer Tamper Evident Challenge Box video.
How to Stop Someone Swapping Out a Tamper Evident Bag
One of the easiest ways to bypass any tamper-evident seal is just to swap it for another seal that looks exactly the same. Of course, security seal designers put controls in place to stop these types of attacks.
The usual way is with serial numbers, barcodes or both. In this example, we are looking at some level four bags that use barcodes and serial numbers. Below we have a new bag. There is a barcode and serial number on the front (bottom in picture) and the same barcode and serial number are on a tear-away strip on the top of the bag (top of picture).
The sender can keep this strip to verify the number with the receiver so they know the bag hasn’t been swapped.
You are probably thinking this is some really difficult hack but it’s actually really simple and works on every bag we have tried so far. All you need to do is completely remove the barcode and serial number from a new unused bag, then print a new one that looks exactly the same on the bag. You can then just swap out the original without anyone knowing. Sounds simple, doesn’t it?
We have a video at the end of this post showing how we perform this attack but just remember, this is a proof of concept to show this type of attack works. It’s not perfect but that’s only because we couldn’t spend thousands of dollars on the high-quality printer needed to make it perfect. A real attacker like a spy or professional criminal could easily afford one and perfect this attack.
Removing the Barcode and Serial Number
First up we need to get rid of the original barcode and serial number.
There are a tonne of solvents out there that work and remove the ink. Some leave streaks and take more work to remove and some are perfect. Here’s a list of solvents that we have tested and know work.
- Acetone
- Isopropyl Alcohol
- Methyl Ethyl Ketone (MEK)
- Shellite/Naptha
- Xylene
We tried out two new solvents this time that we hadn’t used before: Methyl Ethyl Ketone, also called MEK, and Xylene. These both worked amazingly but our favourite was MEK. It’s also called butanone if you are looking for it.
And guess what the easiest and cheapest way is to get it? Go to the hardware and buy PVC priming fluid like this one. It’s a couple of dollars for more than you will ever need 😀
All you do is dip a cotton bud or paper towel in the solvent and just wipe it over the barcode and serial number.
Make sure you are VERY careful because it will take off any ink on the satchel, not just the bit you want to remove. There is a lot of writing on the bags with warnings, instructions and places to put delivery information. The solvent will take any of this writing or lines off as well.
Once you have cleaned it off you are ready to put the new serial number and barcode on.
Printing a New Barcode and Serial Number
For this attack, we had to go and buy a special inkjet printer. We couldn’t really put the bag through our laser printer so we bought a handheld printer that you can just roll across the bag.
We did a bunch of research and the really good ones are over $1000 and there was no way we could spend that just to test one attack. Well, we would have if we had any money or a job but dad wouldn’t buy one 😛
We searched around and found a cheaper one that had been made on Kickstarter a while ago called the Selpic S1. It has a half-inch print head which is just right for printing the barcodes and text we needed.
First step was to work out what type of font was being used on the bag. We took a photo of the font and uploaded it to WhatTheFont which is a website that helps you identify fonts. It came back and gave us dozens of similar fonts. We went through them all looking for the one that matched the closest, but like most fonts this site identifies, it costs money to download 🙁
Good thing is there is another site called WhatFontIs that will tell you alternative fonts you can download for free. We found a matching font and downloaded and installed the font, tested it in a word processor and this is what we got. It’s not 100% but pretty close and good enough for this attack. The styling is fine but the characters are a bit too fat in our version. Of course, if you were trying to make this attack perfect you would spend more time getting the exact font or pay for the proper one that matches perfectly.
Original Serial Number
Using free Skratch Punk font
Next up we needed a barcode that matches. If you scan the barcode with a barcode reader its just the serial number encoded as a barcode so there isnt any secret info or anything hard about it. Again we found a website that makes barcodes called Barcode Generator. By default it makes QR Codes but you just change the dropdown on the site to “Code 128 (Standard)” to make a barcode. We put in our serial number and made the code. It puts text underneath but you just crop the image to remove it. We ended up with this 🙂
Next we uploaded the font and barcode to the app that came with the printer and got to work testing. Its an iOS app and pretty limited but worked quite well for this simple print out.
It took us a while to get the sizes exactly the same. We did a lot of test prints on paper, measuring the print and comparing to the bag. Once we had it perfected on some paper we moved to the bags.
When printing we have to make two passes as the print head is only a half-inch so we cant print both parts at once. There is a newer version of the printer called an S1+ that has a 1″ print head so you could do it all in one go but its more expensive.
Even with this cheap printer, unless the person sending the package had taken a close up photo of the barcode and sent it to the receiver, you wouldn’t be able to tell someone had tampered with the bag and accessed the contents.
We have a few hundred bags and most have lines or issues with the printing so you don’t even need it to be perfect. Here is an example of the issues with a lot of the printing.
Demo of the Serial Number Bypass Attack
And finally here is a demo of the whole attack in action.
This is a really hard attack to stop. We have seen some extra controls used on SCEC government-certified bags. They put a serial number in the tamper evident strip so you’d need to replace that as well. Not so easy. We are currently looking at ways to defeat this extra control, so stay tuned.
We hope you liked this bypass. Any questions leave them in the comments here or on our YouTube channel. Now off to work on our next tamper evident bypass!!!!
0 Comments