Kuracon 2018 Tamper Evident Bypass Workshop

Mos and Boo Conferences, Tamper Evident Leave a Comment

At Kiwicon 2038AD ????a kids track was held called Kuracon and we were asked to hold a tamper evident bypass workshop. In the workshop we went through a few different types of tamper evident devices and explained how to bypass them. This included:

  • Tamper evident security labels
  • Tamper evident security tape
  • Standard paper envelopes
  • Plastic shipping satchels
  • Zip tie handcuffs

We had a demonstration first and then the participants were given a few different envelopes, tamper evident labels and zip ties to try to bypass. We helped the kids (and a few adults too) but soon they got the hang of it and had no problem bypassing them all by themselves. There were five different types of tamper evident security labels, including both non-transfer labels and total-transfer labels, and we had three different types of security tape as well, all different difficulties.

Practicing our talk backstage in the green room before our workshop

Tamper Evident Security Labels

What you will need:

  • Tamper evident labels – from eBay or companies like Tracecare (see below)
  • Shellite or Isopropyl alcohol – from hardware
  • Syringes – chemist or needle exchanges are free

We had a few hiccups with getting our tamper evident labels ready in New Zealand and didn’t think they would make it on time so mum scrambled and managed to find someone in Auckland that was only about 100 metres from our hotel. We got the labels from Warren Cornor at Tracecare www.tracecare.co.nz. Warren was amazing and even gave us labels, security tape and pull tight seals for free for our workshop ???? If you need tamper evident labels, tape or other tamper evident devices, please go and see Warren.

Labels and tape supplied by Tracecare

Warren was pretty sure we would have problems bypassing some of these security labels and security tape. He even mentioned we should apply them and leave them for hours so the adhesive would set, making it a lot harder. We stuck some on and left them overnight just to be sure and tested in the green room before our workshop and sorry Warren, we had all the labels off in a few seconds, including the tape ????

With the labels we removed them with a syringe filled with a chemical called Shellite. It sounds dangerous but we had no one stab themselves with a needle which was good. Shellite is the name in Australia but probably has different names if you are in a different country. You can also use Isopropyl Alcohol if you don’t have Shellite as it works the same. When you apply the Shellite it softens the glue so the label can be removed without ripping it or leaving markings on the surface it was attached to. Once dry the glue goes back to being sticky so you can put the sticker back on as if you had never been there. Sneaky!

Tamper Evident Security Tape

What you will need:

  • Security tape – from eBay or companies like Tracecare
  • Shellite or Isopropyl alcohol – from hardware
  • Syringes – chemist or needle exchanges are free

At our workshop we had three different types of security tape. This was great as we were still waiting on the tape we ordered months ago that never came for our OzLockCon talk! We had a see-through red security tape, a big orange roll of security tape and a small red one as well. The orange one and the big red one were pretty easy for most people to remove, but the small red one was a bit hard for most. We used Shellite for the tape, same as the labels.

Testing backstage before the workshop

Envelopes and Satchels

What you will need:

  • Paper envelopes – from post office or supermarket
  • Plastic satchels – cheap from Officeworks
  • Hair dryer of heat gun
  • Tweezers

We also showed them how to open envelopes to see what is inside and then close them back up again without anyone knowing. For this we used a hair dryer which softens the glue so you can peel the envelope open. At home we use a heat gun which is a lot quicker but the hairdryer works fine and was safer as it isn’t as hot. Everyone started to get the hang of this really easily. One thing with the plastic satchels you can end up with lots of sticky glue on your fingers. Once you use the hair dryer and melt the glue and the flap on the satchel starts to come up, you need something to hold it up with otherwise you get really sticky fingers. We advise tweezers for this.

Zip Tie Hand Cuffs 

What you will need:

  • Zip tie handcuffs – eBay or The Zippy Tie Man (see below)
  • Shim – most lock picks will work fine

And the last thing we did in our workshop was teach how to get out of zip tie hand cuffs. For this we had a mini version of zip tie handcuffs which are actually for holding hoses in place. We found them online before the conference. The smallest ones were safer for the workshop as you could practice on them but not fit them over your wrists so we didn’t have to worry about someone zip tying themselves and not being able to get out (big shout out to thosetwopeople at Bsides CBR 2018). We bought the 12.7mm x 330mm versions for the workshop. These are big enough to practice your technique on but too small to fit even a kids wrist in. We got them from the Zippy Tie Man online.

With a normal pair of zip tie handcuffs the locking mechanism is on the centre bit but with these small pair you put the pick on the inside of the loop near your skin so be careful not to stab yourself with the shim or lock pick. Once people got used to the small cuffs they tried the big zip tie hand cuffs and could have a go at locking themselves up and escaping from them. Most people got through the small zip tie hand cuffs but we’re not sure how many tried the big ones. We were so busy helping everyone out that we only saw one or two people try and bypass the big ones. But thats ok.

What was really cool about the workshop is we got fitted with these microphones that attached to our ears so we had our hands free for the demonstrations. I don’t know the name of the man who helped us with this but thank you, you were awesome!

We had a few people contact us on Twitter asking about the workshop so they could run their own so we hope this article gives you enough information. If there is anything else you need to know or if you have any questions, please leave a comment below or you can hit us up on Twitter!

Thank you to everyone who attended our workshop. You made the workshop lots of fun for us ????

Mos aka MrOldSkinny, loves to hack things together whether it be hardware, software or a combination of both! When he isn’t doing crazy hacks you will find him picking locks, tampering with tamper-proof devices, and finding weaknesses in security controls. All the cybers will be his!

Boo has a passion for bypassing tamper evident devices, having first got her tiny 6 year old hands on them at BSides Canberra in 2017. When she isn't bypassing tamper evident devices or lock picking, she can be found writing code, programming her robot, performing gymnastics manoeuvres or taking other children down in the MMA dojo.

Leave a Reply

Your email address will not be published.