Git-Mirrors/anarsec.guide
1
0
Fork 0
mirror of https://0xacab.org/anarsec/anarsec.guide.git synced 2025-07-29 01:18:48 -04:00
Code Issues Projects Releases Packages Wiki Activity

standarize em dashes

Browse source
This commit is contained in:
anarsec 2024-04-15 03:17:44 +00:00
parent d6f4ad9d2e
commit 5d9796b043
No known key found for this signature in database
12 changed files with 98 additions and 98 deletions
Download patch file Download diff file Expand all files Collapse all files

20
content/posts/tamper/index.md
View file

@ -14,7 +14,7 @@ a4="tamper-a4.pdf"
letter="tamper-letter.pdf"
+++
If the police ever have [physical access](/glossary/#physical-attacks) to an electronic device like a laptop, even [for five minutes](https://www.vice.com/en/article/a3q374/hacker-bios-firmware-backdoor-evil-maid-attack-laptop-5-minutes), they can install hardware keyloggers, create images of the storage media, or otherwise trivially compromise it at the hardware, firmware, or software level. One way to minimize this risk is to make devices tamper-evident. As the No Trace Project Threat Library [notes](https://www.notrace.how/threat-library/mitigations/tamper-evident-preparation.html), "Tamper-evident preparation will make it possible to discern when something has been [physically accessed](/glossary/#physical-attacks) - it's not possible to prevent a powerful enemy from obtaining physical access to your computer when you are away, but it should be possible to detect when they do."
If the police ever have [physical access](/glossary/#physical-attacks) to an electronic device like a laptop, even [for five minutes](https://www.vice.com/en/article/a3q374/hacker-bios-firmware-backdoor-evil-maid-attack-laptop-5-minutes), they can install hardware keyloggers, create images of the storage media, or otherwise trivially compromise it at the hardware, firmware, or software level. One way to minimize this risk is to make devices tamper-evident. As the No Trace Project Threat Library [notes](https://www.notrace.how/threat-library/mitigations/tamper-evident-preparation.html), "Tamper-evident preparation will make it possible to discern when something has been [physically accessed](/glossary/#physical-attacks) it's not possible to prevent a powerful enemy from obtaining physical access to your computer when you are away, but it should be possible to detect when they do."
<!-- more -->
['Evil maid' attacks](https://en.wikipedia.org/wiki/Evil_maid_attack) work like this: An attacker gains temporary access to your [encrypted](/glossary/#encryption) laptop or phone. Although they cant decrypt your data, they can tamper with your laptop for a few minutes and then leave it exactly where they found it. When you return and enter your credentials, you have been hacked. The attacker may have [modified data on your hard drive](https://media.ccc.de/v/gpn20-32-poc-implementing-evil-maid-attack-on-encrypted-boot), replaced the firmware, or installed a hardware component such as a keylogger.
@ -45,7 +45,7 @@ For this reason, it is preferable to apply nail polish directly to the screws ra
<img src="/posts/tamper/X230.jpg" class="no-dark">
</p>
Glitter nail polish was successfully bypassed during a Tamper Evident Challenge in 2018 - the winner [explained](https://hoodiepony.medium.com/bypassing-the-glitter-nail-polish-tamper-evident-seal-25d6973d617d) how they managed to do it. Notably, a brand of nail polish with relatively large pieces of glitter in only two colors was used. It would be difficult to apply this bypass to inset screw holes; if the glitter was applied with a high density of elements, but not too thick, this would also increase the difficulty. Finally, [using an adhesive](https://dys2p.com/en/2021-12-tamper-evident-protection.html#glitzer-nagellack-mit-klebstoff) would also make the bypass less feasible.
Glitter nail polish was successfully bypassed during a Tamper Evident Challenge in 2018 the winner [explained](https://hoodiepony.medium.com/bypassing-the-glitter-nail-polish-tamper-evident-seal-25d6973d617d) how they managed to do it. Notably, a brand of nail polish with relatively large pieces of glitter in only two colors was used. It would be difficult to apply this bypass to inset screw holes; if the glitter was applied with a high density of elements, but not too thick, this would also increase the difficulty. Finally, [using an adhesive](https://dys2p.com/en/2021-12-tamper-evident-protection.html#glitzer-nagellack-mit-klebstoff) would also make the bypass less feasible.
Verification that the random pattern hasn't changed can be done manually with what astronomers call a "blink comparison". This is used in astronomy to detect small changes in the night sky: you quickly flick between the original photo and the current one, which makes it easier to see any changes. Alternatively, if you have an Android smartphone (either [GrapheneOS](/posts/grapheneos/) or a cheap one for [intrusion detection](#physical-intrusion-detection) that has an inferior camera), you can use an app called [Blink Comparison](https://github.com/proninyaroslav/blink-comparison), which makes it less likely to miss something. It can be installed like any other [app that doesn't require Google Services](/posts/grapheneos/#how-to-install-software), i.e. not through F-Droid.
@ -53,11 +53,11 @@ The Blink Comparison app encrypts its storage to prevent an adversary from easil
## Getting Started
Now that you understand the nuances of applying nail polish to the screws of your laptop case, let's actually do it - if you are going to [install HEADS](#tamper-evident-software-and-firmware), do that first so the nail polish doesn't have to be removed and repeated. Before you start, you can also take a picture of the inside of the laptop in case you ever need to check if the internal components have been tampered with despite the nail polish protection (keep in mind that not all components are visible). Use a nail polish that has different colors and sizes of glitter, like the one shown above.
Now that you understand the nuances of applying nail polish to the screws of your laptop case, let's actually do it if you are going to [install HEADS](#tamper-evident-software-and-firmware), do that first so the nail polish doesn't have to be removed and repeated. Before you start, you can also take a picture of the inside of the laptop in case you ever need to check if the internal components have been tampered with despite the nail polish protection (keep in mind that not all components are visible). Use a nail polish that has different colors and sizes of glitter, like the one shown above.
* First, take a photo of the bottom of the computer and use a program like GIMP to number the screws to make it easier to verify. For example, the ThinkPad X230 shown above has 13 screws that need to be numbered so that in the future you know which screw the photo `3.jpg` refers to.
* Apply the glitter nail polish directly to each screw, making sure there are enough glitter elements without being too thick.
* Once it is dry, take good close-up photos of each screw - either with the Blink Comparison app on a smartphone or with a regular camera. It is a good idea to use lighting that is reproducible, so close the blinds on any windows and rely on the indoor lighting and the camera flash. Number the file names of the photos and back them up to a second storage location.
* Once it is dry, take good close-up photos of each screw either with the Blink Comparison app on a smartphone or with a regular camera. It is a good idea to use lighting that is reproducible, so close the blinds on any windows and rely on the indoor lighting and the camera flash. Number the file names of the photos and back them up to a second storage location.
If you ever need to remove the nail polish to access the inside of the laptop, you can use a syringe to apply the nail polish remover to avoid applying too much and damaging the internal electronics.
@ -121,7 +121,7 @@ This excerpt assumes that we take the cell phone with us, but [as discussed else
Haven is an Android app developed by the Freedom of Press Foundation that uses the smartphones many sensors — microphone, motion detector, light detector, and cameras — to monitor the room for changes, and it logs everything it notices. Unfortunately Haven is currently unmaintained and unreliable on many devices. Until [a good alternative is developed](https://github.com/guardianproject/haven/issues/465), make sure to test the functionality of Haven on your device before relying on it. We don't recommend using home surveillance cameras without privacy features, because then the police can have easy knowledge of your comings and goings without needing to set up their own surveillance cameras.
Haven should be used on a dedicated cheap Android device that is otherwise empty - an older [Pixel](https://www.privacyguides.org/android/#google-pixel) is a good choice because it is cheap but has good cameras. Make sure [full disk encryption](/glossary/#full-disk-encryption-fde) is enabled. If you have a smartphone in addition to the dedicated Haven phone, it should be turned off in the tamper-evident storage - if Haven was running on it instead and was discovered by the intruder, they would now have physical access to it while it was turned on.
Haven should be used on a dedicated cheap Android device that is otherwise empty an older [Pixel](https://www.privacyguides.org/android/#google-pixel) is a good choice because it is cheap but has good cameras. Make sure [full disk encryption](/glossary/#full-disk-encryption-fde) is enabled. If you have a smartphone in addition to the dedicated Haven phone, it should be turned off in the tamper-evident storage if Haven was running on it instead and was discovered by the intruder, they would now have physical access to it while it was turned on.
* Place the Haven smartphone in a location that has a line of sight to where an intruder would have to pass, such as a hallway that must be used to move between rooms or to access where the tamper-evident storage is located. It should be plugged in so the battery doesn't die; fairly long microUSB cables are available for this purpose.
* Set a countdown to turn Haven on before you leave the house. The Haven app will log everything locally on the Android device. Sending remote notifications is currently [broken](https://github.com/guardianproject/haven/issues/454).
@ -129,9 +129,9 @@ Haven should be used on a dedicated cheap Android device that is otherwise empty
# Tamper-Evident Software and Firmware
So far, we have only looked at making hardware compromise tamper-evident. It is also possible to make software and firmware tamper-evident. This is required for "defense in depth" - to trust an electronic device, you must trust the hardware, firmware, and software. Software or firmware compromise can occur [remotely](/glossary/#remote-attacks) (over the Internet) as well as with physical access, so it is especially important because the other measures won't detect a remote firmware compromise. Tamper-evident software and firmware are compatible with our [recommendations](/recommendations): Qubes OS or Tails on laptops, or GrapheneOS on a smartphone.
So far, we have only looked at making hardware compromise tamper-evident. It is also possible to make software and firmware tamper-evident. This is required for "defense in depth" to trust an electronic device, you must trust the hardware, firmware, and software. Software or firmware compromise can occur [remotely](/glossary/#remote-attacks) (over the Internet) as well as with physical access, so it is especially important because the other measures won't detect a remote firmware compromise. Tamper-evident software and firmware are compatible with our [recommendations](/recommendations): Qubes OS or Tails on laptops, or GrapheneOS on a smartphone.
For GrapheneOS, [Auditor](/posts/grapheneos/#auditor) is an app that allows you to be notified if firmware or software has been tampered with - you will receive an email when Auditor performs a remote attestation.
For GrapheneOS, [Auditor](/posts/grapheneos/#auditor) is an app that allows you to be notified if firmware or software has been tampered with you will receive an email when Auditor performs a remote attestation.
For Tails or Qubes OS, [HEADS](https://osresearch.net/) can do the same before you enter your boot password (on [supported devices](https://osresearch.net/Prerequisites#supported-devices)). However, installation is advanced. Keep the HEADS USB security dongle with you when you leave the house, and have a backup hidden at a trusted friend's house in case it ever falls in a puddle. For more information, see [Tails Best Practices](/posts/tails-best/#to-mitigate-against-remote-attacks).
@ -151,15 +151,15 @@ Laptop screws can be verified monthly, or when something suspicious happens. Nei
# Further Reading
* [Random Mosaic Detecting unauthorized physical access with beans, lentils and colored rice](https://dys2p.com/en/2021-12-tamper-evident-protection.html)
* [Random Mosaic Detecting unauthorized physical access with beans, lentils and colored rice](https://dys2p.com/en/2021-12-tamper-evident-protection.html)
# Appendix: Cracking Safes
* [Rare-earth magnets](https://en.wikipedia.org/wiki/Safe-cracking#Magnet_risk) can unlock safes that use a [solenoid](https://www.youtube.com/watch?v=Y6cZrieFw-k) as the locking device in an undetectable manner.
* [Safe bouncing](https://en.wikipedia.org/wiki/Safe-cracking#Safe_bouncing) is when the locking mechanism can be moved sufficiently by [banging or bouncing the safe](https://mosandboo.com/how-to-open-a-safe-without-the-key-or-code/) to open it in an undetectable manner. Safes that use a gear mechanism are less susceptible to mechanical attacks.
* Many safe models have a "management reset code" (also known as a "try-out combination") - if this code is not changed from its default setting the safe can be unlocked in an undetectable manner.
* Many safe models have a "management reset code" (also known as a "try-out combination") if this code is not changed from its default setting the safe can be unlocked in an undetectable manner.
* [Spiking](https://en.wikipedia.org/wiki/Safe-cracking#Spiking_the_lock) is when the wires leading to the reset button, solenoid, or motor can be exposed and spiked with a battery. This should be possible to make tamper-evident, as it requires access to the wires.
* [Brute force](/glossary#brute-force-attack) attacks - trying all possible combinations - are possible if the adversary has time. Dialing mechanisms can be brute-forced with a [computerized autodialer](https://learn.sparkfun.com/tutorials/building-a-safe-cracking-robot) that [doesn't need supervision](https://www.youtube.com/watch?v=vkk-2QEUvuk). Electronic keypads are less susceptible to brute force if they have a well-designed incremental lockout feature; for example, get it wrong 10 timesand you're locked out for a few minutes, 5 more wrong codes and you're locked out for an hour, etc.
* [Brute force](/glossary#brute-force-attack) attacks — trying all possible combinations — are possible if the adversary has time. Dialing mechanisms can be brute-forced with a [computerized autodialer](https://learn.sparkfun.com/tutorials/building-a-safe-cracking-robot) that [doesn't need supervision](https://www.youtube.com/watch?v=vkk-2QEUvuk). Electronic keypads are less susceptible to brute force if they have a well-designed incremental lockout feature; for example, get it wrong 10 timesand you're locked out for a few minutes, 5 more wrong codes and you're locked out for an hour, etc.
* There are several tools that can automatically retrieve or reset the combination of an electronic lock, such as the Little Black Box and Phoenix. Tools like these are often connected to wires inside the lock that can be accessed without damaging the lock or container. This should be possible to make tamper-evident, as it requires access to the wires.
* There are several [keypad-based attacks](https://en.wikipedia.org/wiki/Safe-cracking#Keypad-based_attacks), and some can be mitigated with proper operational security.