Tamper Evident Fixed Length Seal Bypass
In this post, I’m going to show you how to bypass the B-Sealed EnaTail 2 fixed length seal. This tamper evident seal bypass is one Boo and me came up with as part of the OzSecCon 2018 Tamper Evident Bypass Competition. There are a few ways to bypass this seal but I will show you the quickest and easiest way, and one that leaves no marks or evidence you were ever there. It uses a design flaw in the seal to make it easy to bypass.
We have a video at the end of this post so if you want to watch that instead, we explain everything below and then perform the tamper evident seal bypass so you can see it in action.
The EnaTail 2 is what’s called a fixed length seal. On one end it has a plug and the other end has the locking mechanism. Once connected its always the same length.
The locking mechanism of the fixed lenth seal – plug (below) gets inserted into here
The plug end of the tamper evident seal – gets inserted into the locking mechanism above
This is different from other tamper evident seals like a pull tight seal. The pull tight tamper evident seal is like a zip tie and can be pulled tight to different lengths depending on what it is wrapped around or linked through.
Wire pull tight seal – it has a varying length depending on how tight you pull the cable
One thing you will notice near the plug end of the seal is there is a small piece cut out of the band. This isn’t actually part of the tamper evident design, well their website says it isn’t.
A tamper evident seal is used so you can tell if someone has tried to access what you are protecting. Of course, at some point, you need to get into whatever it is protecting and need to remove the seal. This cut out is so the seal can be easily broken off, just using your hand, so you can remove the seal. Some of the other seals, like the wire cable seal above, will need a tool or cutters to remove, so this cutout makes it a lot easier.
Because of this cutout, it actually makes it harder to bypass the seal as you can’t pull on it at all. Pulling on this type of seal will snap it really quick!
How the Tamper Evident Seal Works
The locking mechanism has 4 small teeth inside. The plug goes in sliding past these teeth and then they latch on so you cant pull it back out.
In this photo you can see the 4 small teeth inside the locking mechanism
Attacking these teeth was the first way we tried bypassing this seal. We cut out four small shims, then slid them into the locking mechanism. This pushed the teeth to the side and we could slowly pull the plug out past the teeth. It worked, but it left marks on the plastic because of the shims and also we had to pull on the seal which almost broke it. We actually broke the first one we tested on. This wasn’t the best way to bypass this type of seal and won’t pass if someone inspects it closely for tampering.
4 shims inserted into the locking mechanism, one for each tooth – our first attack against this seal
If you look at the end of the seal you will see a small hole on the other side of the locking mechanism. The B-Sealed website says the hole is there to make it easy to see if the plug has been pushed in fully.
When locked into position the tail blocks a hole on the other end of the locking chamber for visual inspection of application.
– B-Sealed Website
While this is part of their design, it is actually a design flaw when looking at bypassing the seal. Without this hole, it would be much harder to bypass.
Note you can see the end of the plug in the centre of the hole – this means the seal has been connected securely
I already mentioned you cant pull on the seal or it snaps… so you just push instead. This hole lets you push the plug out without leaving a mark. It’s too tight as is, so you need a way to loosen the locking mechanism.
And what’s the best way to do that? Heat!!! Heat softens and expands plastic. We tested a few ways to do this and a heat gun set to low heat is the best option. If you turn it up too high it melts the plastic. It’s better to have it set to low and slowly heat up the seal. We also tried boiling water but it just doesn’t get it hot enough to release.
Bypassing the Tamper Evident Seal
To perform this bypass all you need is:
- Heat. As mentioned the best option is a heat gun.
- Something small that can fit through the hole. In the video we use the end of a file. This is the same file we used at OzSecCon when we first worked out this attack.
- A small vice can also be handy. You don’t need the vice but it makes it easier if the plastic gets too hot. You can use pliers as well.
This bypass is pretty easy to do but like most tamper evident bypasses, you need to take your time. The only real thing that can go wrong is if you use too much heat and melt the plastic. Also if you use a tool too big for the hole you might make the hole bigger which would then make it obvious you have tried to bypass the seal.
When using the heat gun, you hold the seal and start heating up the locking end. You are trying to soften and expand the teeth. There are 4 of them so you want to move the heat all the way around.
While the plastic is still hot, put your tool into the hole and push through. If the plastic is heated enough it should just pop out. If it doesn’t, keep heating.
Once it pops out you are done!! You can now get into whatever the seal was protecting then put the seal back on as if no one has ever been there.
And as promised, here is the video showing the bypass. If you have any questions or just want to tell us what you think of this article or video, leave us a comment below.
Until next time, enjoy you tamper evident bypassing!
Mos aka MrOldSkinny, loves to hack things together whether it be hardware, software or a combination of both! When he isn’t doing crazy hacks you will find him picking locks, tampering with tamper-proof devices, and finding weaknesses in security controls. All the cybers will be his!
Pingback: How to Bypass a Wire Cable Seal | MOS & BOO
Pingback: OzSecCon 2018 Tamper Evident Challenge | MOS & BOO