OzSecCon 2018 Tamper Evident Bypass Talk

We presented on Tamper Evident bypasses on June 2nd at OzSecCon 2018. It was an amazing experience and were lucky enough to have our talk recorded.

If you are interested in our slide deck we have it here:

Mos and Boo OzSecCon 2018 Presentation Slides

and the transcript from out talk is underneath the YouTube video of our talk below. As part of our talk we also showed the video we created of our Tamper Evident lock box challenge so make sure you watch that too ????

We hope you enjoy it. If you have any questions, please contact us or just leave a comment so we know what you think!

Tamper Evident Bypasses Talk Transcript

Mos

Good afternoon everyone, my name is Connor, and this is my little sister Emily.

Boo

Hello everyone.

Mos

Today we are going to talk to you about tamper evident bypasses.

Boo

Connor and I first learnt about the sport of tamper resistance bypasses last February at BSides Canberra, and since then we have been experimenting, practicing and enjoying the hack.

Today we are going to share some of our experiences with you, bust a few myths and hopefully get you motivated to join the tamper competition being held at OzSecCon.

Mos

Tamper-evident seals are mechanisms put in place as a visible sign that tells someone whether their package or envelope has been tampered with. The packaging council of Australia defines tamper evidence as… you can just read the slide behind me.

Boo

Tamper evidence is not new and evidence of people protecting against tampering and theft has been dated back to 7,000 years.

One of the oldest tamper evident seals, which you will probably see in the tamper evident competition, being wax seals.

Mos

Today we are going to introduce you to the basics of tamper evident bypassing. Starting with labels.

There are five basic types of tamper evidence labels, these are:

• Non-transfer labels;
• Total transfer labels;
• Egg shell labels;
• Tamper evident security tape; and
• Security envelopes.

Non-transfer labels are self-adhesive labels that void themselves when removed. Non-transfer labels leave no markings on the surface that you remove them from. The clever thing about non-transfer labels is when you tamper with the sticker, the sticker gets destroyed so you can’t reuse it, but it doesn’t ruin the thing it was stuck to.

Boo

Unlike non-transfer labels, transfer labels leave the bottom part of the label behind showing some kind of void message. The label is destroyed when removed and the label can’t be re-used.

Mos

Egg shell labels aren’t like other tamper evident labels as they are designed to resist being removed. Egg shell labels rip very very easily when you try and tear them off with your bare hands.

Boo

Tamper Evident Security Tape looks like regular packaging tape but is not because when it is pulled off the tape voids itself leaving words on the box, just like a total-transfer label.

Security envelopes are designed to keep people out of your business and will show you when someone gets in your business. The security envelopes we tested ranged from glued down seals which were designed to rip the bag if you tried to open it – to total transfer labels seals.

Mos

Over the last few weeks we have been doing experiments with all these labels and different ways to remove them. This is what we found.

As you can see, the non-transfer and transfer labels can basically be removed by all three ways. The only catch, you can’t freeze paper, so if your label is on paper then you are likely to wreck the paper.

Boo

The egg-shell labels did not like the cold at all. They became super strong and I couldn’t even peel them off like normal.

Mos

We tested security envelopes as the security tape we ordered online never arrived.

The security tape on the envelopes was tricky. The better quality the tape the harder it was to remove. The best method we found was heat. But it was hard to find a good balance between using the heat to remove the label and not melting the plastic on the bags it was attached to. But the cheaper the bag the easier it was to tamper with. In some cases, the glue just dissolved under the heat.

Other times they seemed resilient against everything we threw at them.

In the end, a very low and slow application of heat seemed to work even with the most expensive bags. But it takes forever with the really good quality bags.

Boo

Some important points to take away:

• When using chemicals, use a syringe as it gives you control and you can make sure the chemicals are going where you want it to go.
• Isopropyl sometimes stained the paper. But in terms of effectiveness, I prefer shellite and Connor prefers Isopropyl.
• Also, when freezing the labels, we used an upside-down bottle of air. It is really effective, but you can’t be shy, you have to shoot that little guy real fast for the cold to work, otherwise you just end up leaving water everywhere and the label doesn’t move.

The next tamper evident seal we conquered were pad lock seals.

Mos

We have tested two very useful ways to get into pad lock seals. The first, to pick it with a lock pick or a shim. This works especially well when the pad lock seal is clear. But sometimes:

1. the pad lock seal is difficult
2. the pad lock seal is solid, so you can’t see yourself pick it, or
3. The pad lock seal is just made really well.

This is when you have to get a little creative.

Boo

We looked online and a few people suggested a fast melting process to dissolve the metal. This was salt water and a positive and negative charge from a battery touching the metal of the pad lock seal. So, we tried it, and in the process managed to break a myth, sort of. It did not work!!! They lied, seriously!!! There is a lot more to it than what anyone said!

Mos

The problem was, the metal on the pad lock seal, once we cut it, very slowly dissolved only the top of the pad lock seal. So, we got creative. With the help of dad, I supercharged the process using a charger, splitting the wire. I then connected the charge to the very bottom of the pad lock seal wire. We started with 6 volts, then 9 volts and stopped at 12 volts. We found there was not much difference between the 9 and 12 volts.

Here is the process in pictures.

Boo

The process worked. But remember, if you are going to try this at home, ask for the help of an adult and do not cut the wire when it is plugged into the wall, that would be dumb!

Mos

Once the metal is gone, simply replace the metal with a new piece which you would have prepared earlier, and no one will know what’s happened.

Boo

The benefits of dissolving the metal is that it is little effort to you and it does not mark the plastic, but the process does take a while so be prepared to wait around, or pick some locks while you wait.

Mos

Other pad lock seals you may come across have a thick wire that loops around back into the seal. The most effective way we have worked out to open these locks is to shimmy the internal mechanism, so the wire slides out. We have a video to show you, so don’t worry, it will become perfectly clear after watching it.

Boo

That’s our uncle Dave in the video, he used a needle from the tamper evident table at BSides this year to shimmy the mechanism. Mum says we have to be older before we use needles – I guess she forgot we use them all the time to remove labels – or maybe she means we have to be older to stab people with needles.

Mos

The last thing we are going to talk about today is shims. The shims we are talking about are small pieces of metal used to help by-pass tamper evident seals. You have already seen one example in the video of uncle Dave. In that case, he used the metal tip of a needle to shim the pad lock seal.

Boo

But you can also make shims. The two most common shims we make are out of soft drink cans and little security tags found on stuff you buy at the shops. With the security tag you need to cut it open and little metal pieces come out which are perfect.

With the soft drink can you need to carefully and with the help of an adult cut a piece of metal from the can to the size you want.

You then shape the shim as you need. They are very helpful.

When looking at the tamper evident seal, ask how it works. If it relies on catching, then a shim will probably work.

Mos

You can also custom make shims, like I did with dad last week using dad’s feeler gauges, which you use to check the gap in spark plugs.

Here I am using the Dremel.

In this case we were able to make a shim to by-pass a pad lock seal – it was really cool. But I am not strong enough yet to work it, unlike mr strong pants dad. So, for now I will stick to melting the metal.

Boo

We are going to finish now with a video for you on a lock box challenge dad set for us. So, you can see a few of the techniques we talked about today in practice.

Watch Lock Box Challenge Video

Mos

That’s, it, thank you for listening to us today. If you have any questions, please feel free to ask us, otherwise you can catch us at the tamper evident table.

Boo

You can also visit out blog where we have started to put all of this stuff up and we plan to continue to add to it as the weeks, months and years go by!

Mos

I know we promised to show you how to remove zip tie handcuffs, so if you want to learn how to do this, come see us and we’ll show you

Boo

I will happily handcuff you for the demonstration

Mos and Boo

Thankyou everybody!