Following on from our last post where we bypassed a tamper evident fixed length seal, we thought we would show you an easy bypass for a wire cable seal. You saw this seal briefly in our last video.
We first worked out how to bypass this seal back at BSides 2018. We made a few assumptions on how it worked inside and found out if you used a needle you could slide the cable back over it. Before writing this article and making our bypass video, we did a whole lot of research and couldn’t find anything, or even pictures, on how these seals worked inside. If you look into the channel in the body before you insert the wire you can see a small barbed wheel. We assumed the wheel was fixed in there and it was made so it only turned one way. We decided to cut one open and see how it worked and were we surprised. It was NOTHING like we expected.
So here is an amazing picture for you showing the inside of a wire cable seal!
How a Wire Cable Seal Works
Before we get into how this works, you might want to know what a cable seal actually is.
A wire cable seal isn’t fixed length like the last one we bypassed. It’s what is called a variable-length seal. So it’s just like a zip tie really. You put on end into the locking mechanism and pull it through. You can leave it loose or pull it really tight around an object. It just depends on what you are trying to do with it.
The main thing to realise is once the cable goes into the body, you cant pull it back out. The cable only goes one way. And unlike the fixed length seal that was plastic and you could break off with your hand, if you want to remove this one you need cutters to cut the wire cable.
You will find a few different types of wire cable seal but the main difference between them is they have different thickness cable so they have different breaking strengths.
The cable is usually made of braided aircraft cable. This makes it very strong and if you cut it, it will splay out making it pretty much impossible to rejoin without looking like it’s been tampered with.
So if you were thinking of cutting it and feeding it back into the body, it’s probably not going to work.
If you want an example of how we know it splays out, here’s a funny story for you.
Back at BSides Canberra 2018, a couple of people cable sealed their own wrists before finding out if they could bypass the seals. No one knew how to bypass this type of seal. No one there had cutters either. This was before we had our hack bag. If we had it then we could have saved them!!! All there was at the conference were some small metal files used for key impressioning. They spent two whole days filing themselves out. No idea how they slept in these. Anyway… here is a picture ????
Now there are warnings signs up at security conferences since then so it hopefully doesn’t happen again.
If you look at the cable seal body, they are usually aluminium and have serial numbers on them. This is so you cant just cut the seal and replace it with another one of the same type. That would be the easiest bypass ever!
In the body, there is a hole where one end of the cable is attached permanently. You will also notice there is another piece of metal inserted in the middle of the body. This is the locking mechanism for the cable. You will see there is a second hole that runs along the edge of this metal insert. This is where the cable gets fed into when you want to lock the seal. If you look in the hole you can see the top of the little wheel we talked about earlier.
The locking mechanism is permanently attached using different methods. Some are pinched in there by having the cable seal body crushed or crimped onto it. Others are held with rivets. One attack would be to pull this piece of metal out, which would let you remove the cable, but in all cases we have seen you would have to destroy or at least severely damage the body which wouldn’t hold up to tamper evident inspection.
Inside a Wire Cable Seal
Inside the cable seal is pretty cool and wasn’t what we expected.
Looking at the centre piece, you can see this little barbed wheel next to a piece of spring steel. When you push the wire in, it slides along the wheel but cause it is barbed and there isnt much space in the seal body, the wheel gets pushed down the hill and against this spring. As the spring compresses, it makes more space for the wheel and room for the cable to slide past.
When you try and remove the wire by pulling backwards, the barbs grip the wheel pulling it up the hill. This jams the wheel against the underside of the wire, which gets jammed against the roof of the seal body so it cant slide out. Pretty clever!
To bypass the seal we need to make sure the wheel cant roll back uphill. Luckily the little wheel has a small channel to let the cable slide over it.
And guess what fits perfectly into this channel? A needle!!! Needles have soooooo many uses in tamper evident bypassing!!! ????
To bypass the seal, we slide a needle along this channel. This pushes the wheel down into the spring and makes a smooth bridge for the wire to slide over. This means the wheel won’t grab the wire and get pulled back up the hill jamming the wire.
All you have to do is slide the needle in under the cable. It needs to be from the side you slid the cable in so the cable slides out along the needle. When you put the needle in, you need to feel for the wheel and the little channel. It’s really easy to miss the channel and if you do miss it wont work. It can take a few goes as the needle often slides out to the side as you pull the cable out but after a few goes the cable is fully out and you’ve bypassed the seal.
You can now open whatever it was sealing and then put it back and no one will know. Here is a video that tells you all about it and also shows a demo of me bypassing the seal with the needle.
Just a note. This attack won’t work on all cable seals. It works well on these small ones cause of the size of the wheel and the gap between the body and cable. Other seals don’t have much gap and you cant get a needle in. Also, this is the only wire cable seal we have cut open so others may have a different locking mechanism.
We will be ordering a bunch of test seals soon so will make another video on how to bypass those ones, once we work out the right techniques.
Another Bypass For This Seal We Are Working On
One thing that came up in Twitter after we posted our video, our friend Topy asked what types of metal all the parts were. Thats when we thought MAGNET!!!! We tested the pieces and all the parts we think are aluminium except the little wheel and the cable. So we have ordered a big magnet to test with and see if we can pull the wheel down into the spring away from the cable, so stay tuned!!!
We would love to hear from you in the comments so if you have any comments or have any ideas for testing wire cable seals, let us know.
Until then, we will be back soon with another tamper evident bypass!
very interested