mirror of
https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-07-23 23:01:04 -04:00
md formatting
This commit is contained in:
parent 0dc607247e
commit b6bbc36b6f
8 changed files with 141 additions and 79 deletions
@ -24,12 +24,12 @@ Let's start with your laptop. For a seal to be effective at alerting you to intr
Mullvad VPN [made a guide](https://mullvad.net/en/help/how-tamper-protect-laptop/) for applying this technique: first apply stickers over the laptop chassis screws, then the nail polish. An [independent test](https://dys2p.com/en/2021-12-tamper-evident-protection.html#glitzer-nagellack-mit-aufklebern) noted:
> Attackers without a lot of practice can use a needle or scalpel, for example, to drive under the sticker and push it partially upward to get to the screws relatively easily. The broken areas in the paint could be repaired with clear nail polish, although we did not need to do this in most of our tests. The picture below is a pre-post-comparison of one of our first attempts. Except for 3-4 glitter elements at the top left edge of the sticker, all others are still in the same place. This could be further reduced in subsequent attempts, so we rate this method as only partially suitable. [...] The relevant factor in this process is the amount of elements on the edge of the sticker. In addition, there are special seal stickers available which break when peeled off. They are probably more suitable for this method.


For this reason, it is preferable to apply nail polish directly to the screws instead of on top of a sticker. This direct application is done for [NitroKey](https://docs.nitrokey.com/nitropad/qubes/sealed-hardware) and [Purism](https://puri.sm/posts/anti-interdiction-update-six-month-retrospective/) laptops. Keep these nuances in mind:
> The screws holes are particularly relevant here. If they are too deep, it is difficult to take a suitable photo of the seal under normal conditions. If the hole is shallow or if it is completely filled with nail polish, there is a risk that if a lot of polish is used, the top layer can be cut off and reapplied after manipulation with clear polish. If the nail polish contains too few elements, they could be manually arranged back to the original location after manipulation if necessary.


Glitter nail polish was successfully bypassed during a Tamper Evident Challenge in 2018 - the winner [explained](https://hoodiepony.medium.com/bypassing-the-glitter-nail-polish-tamper-evident-seal-25d6973d617d) how they managed to succeed. It is worth noting that a nail polish brand was used with relatively large glitter pieces of only two colors. It would be difficult to apply this bypass to inset screw holes; if the glitter was painted on with a high density of elements, but not too thickly, that would also increase the difficulty. Finally, [using an adhesive](https://dys2p.com/en/2021-12-tamper-evident-protection.html#glitzer-nagellack-mit-klebstoff) would also make the bypass less feasible.
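Review bot: the quoted dys2p passage beginning "The screws holes are particularly relevant here" carries a typo from the source ("screws holes" for "screw holes"); since it is presented as a verbatim quotation, either mark it "[sic]" or check the source text and correct the quote rather than silently altering it. The closing paragraph ("Glitter nail polish was successfully bypassed during a Tamper Evident Challenge in 2018") states that "It would be difficult to apply this bypass to inset screw holes", while the quote directly above warns that holes which are "too deep" make it "difficult to take a suitable photo of the seal"; the trade-off is left implicit, so one sentence noting that deep holes hinder the bypass but also hinder verification, making careful close-up photos more important there, would help the reader choose.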
@ -38,6 +38,7 @@ Verification that the random pattern hasn't changed can be done manually with wh
The Blink Comparison app encrypts its storage, to prevent an adversary from easily replacing the photos, and gives a helpful interface for comparing them. The app helps you to take the comparison photo from the same angle and distance as the original photo. Blink Comparison then switches between the two images when the screen is touched, making direct comparison much easier.
Now that you understand the nuances of using nail polish on the chassis screws of your laptop(s), we'll actually do it - this is best done after [flashing HEADS](#tamper-evident-software-and-firmware) so that it doesn't have to be removed and repeated. Before getting started, you can also take a photo of the inside of the laptop, in case one day you need to check if its internal components have been tampered with despite the nail polish protection (keeping in mind that not all components are visible). Use a nail polish that has different colors and sizes of glitter, like that shown above.
* First, take a photo of the underside of the computer and use a software like GIMP to number the screws, in order to make it easier to verify. For example, the ThinkPad X230 shown above has 13 screws which need to be numbered so that in the future you know which screw the photo `3.jpg` refers to.
* Apply the glitter nail polish directly to each screw, with sufficient density of glitter but not too thickly.
* Once it has dried, be sure to take good close-up photos of each individual screw - either with the Blink Comparison app on a smartphone, or with a normal camera. It is a good idea to use lighting that is reproducible, so close the blinds on any windows and rely on the indoor lighting and camera flash. Number the file names of the photos, and back them up to a second storage location.
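Review bot: the last list item tells the reader to "back them up to a second storage location" but says nothing about protecting that copy, even though the paragraph above stresses that Blink Comparison "encrypts its storage, to prevent an adversary from easily replacing the photos"; an unprotected backup of the reference photos reintroduces exactly the replacement risk the app is praised for removing, so the item should state that the backup needs equivalent protection (encrypted storage) and that the two copies can be compared against each other if one is suspected of having been altered. Minor grammar in the first item: "use a software like GIMP" should read "use software such as GIMP".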
@ -48,7 +49,7 @@ If you ever need to remove the nail polish to access the internal of the laptop,
Now that you understand the concept, you need a tamper-evident storage solution for all sensitive electronics when you are out of the house (laptops, external drives, USBs, phones, external keyboards, and mice). Safes are often used to protect valuable items, but they can be bypassed in several ways, and some of these bypasses are difficult to detect (see the [Appendix](#appendix-cracking-safes)). It is not trivial or inexpensive to make a safe tamper-evident, if it can be done at all.


A better and cheaper solution is to implement the guide of [dys2p](https://dys2p.com/en/2021-12-tamper-evident-protection.html#kurzzeitige-lagerung):
> When we need to leave a place and leave items or equipment behind, we can store them in a box that is transparent from all sides. Then we fill the box with our colorful mixture so that our devices are covered. The box should be stored in such a way that shocks or other factors do not change the mosaic. For example, the box can be positioned on a towel or piece of clothing on an object in such a way that this attenuates minor vibrations of the environment, but the box cannot slide off it.
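Review bot: the dys2p quotation refers to "our colorful mixture" and "the mosaic" without this section having introduced either; the only place the mixture is named is the Further Reading title ("beans, lentils and colored rice"), so the sentence introducing the quote ("A better and cheaper solution is to implement the guide of dys2p") should say what is being poured into the transparent box and why a random arrangement of it is hard to restore. Also, the hunk's context line reads "access the internal of the laptop"; "internals" is the intended word.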
@ -96,6 +97,7 @@ For GrapheneOS, [Auditor](/posts/grapheneos/#auditor) is an app that will enable
# Wrapping Up
With the measures described above, any 'evil maid' would need to bypass:
1) Haven detecting them, and
2) The tamper-evident storage, and
3) The tamper-evident glitter nail polish (for an attack that requires opening the laptop), or HEADS/Auditor (for a software or firmware attack)
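Review bot: the three-item list mixes "and" and "or" in a way that can be misread: items 1 and 2 end with "and", while item 3 contains "or HEADS/Auditor", so the intended meaning (defeat Haven, defeat the storage, and then defeat either the nail polish or HEADS/Auditor depending on the kind of attack) only emerges on a second reading. Consider rewording item 3 as "3) Either the tamper-evident glitter nail polish (for an attack that requires opening the laptop) or HEADS/Auditor (for a software or firmware attack)" so the logic is explicit. The list also uses "1)" markers while the rest of the file uses "*" bullets; CommonMark accepts "1)", but "1." is the form more renderers handle identically, which matters for a commit titled "md formatting".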
@ -107,6 +109,7 @@ That means that whenever you leave the house, you power off sensitive devices an
Laptop screws can be verified on a monthly basis, or if anything suspect happens. Neither HEADS nor Auditor require much effort after set-up to be used properly; Auditor will run without interaction, and HEADS becomes part of your booting process.
# Further Reading
* [Random Mosaic – Detecting unauthorized physical access with beans, lentils and colored rice](https://dys2p.com/en/2021-12-tamper-evident-protection.html)
# Appendix: Cracking Safes
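Review bot: "Neither HEADS nor Auditor require much effort" should read "requires" (a neither/nor subject takes a singular verb), and "if anything suspect happens" reads better as "if anything suspicious happens". The sentence sets a monthly cadence for checking the screws but gives no reason for that interval; since the glitter seal only reveals an intrusion when it is actually inspected, it would help to tie the check to exposure as well as to the calendar, for example after any period in which the device was left somewhere other than the tamper-evident storage described above.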
@ -118,3 +121,4 @@ Laptop screws can be verified on a monthly basis, or if anything suspect happens
* [Brute force](/glossary#brute-force-attack) attacks - trying all possible combinations - are possible if the adversary has time. Dial mechanisms can be brute-forced with a [computerized autodialer](https://learn.sparkfun.com/tutorials/building-a-safe-cracking-robot) which [doesn't need supervision](https://www.youtube.com/watch?v=vkk-2QEUvuk). Electronic keypads are less susceptible to brute-forcing if they have a well-designed incremental lockout feature; for example, if you get it wrong 10 times, you're locked out for a few minutes, 5 more incorrect codes and you're locked out for an hour, etc.
* Several tools exist that can automatically retrieve or reset the combination of an electronic lock; notably, the Little Black Box and Phoenix. Tools like these are often connected to wires in the lock that can be accessed without causing damage to the lock or container. This should be possible to make tamper-evident, as it requires getting access to the wires.
* Several [keypad-based attacks](https://en.wikipedia.org/wiki/Safe-cracking#Keypad-based_attacks) exist, but some can be mitigated with proper OPSEC.
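Review bot: the second bullet names "the Little Black Box and Phoenix" without links, while the neighbouring bullets link their terms, and its closing sentence "This should be possible to make tamper-evident, as it requires getting access to the wires" does not say how; a clause pointing back to the glitter-seal technique from earlier in the page (sealing the fasteners or covers that give access to the wiring) would turn the speculation into usable guidance. In the first bullet, "for example, if you get it wrong 10 times, you're locked out for a few minutes, 5 more incorrect codes and you're locked out for an hour, etc." is a run-on; split it after "a few minutes". The third bullet's "some can be mitigated with proper OPSEC" is vague: state which of the linked keypad attacks are meant and the specific practice that mitigates each.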