Bypassing the Glitter Nail Polish Tamper Evident Seal
TL:DR;
Yes, you can bypass the “Glitter Nail Polish” seal. It’s was 2018 when it was demonstrated as possible — under the right circumstances. Is still worth doing? Yes, I still do. But it depends on your personal threat model.Nothing is infallible or perfect.
This is just another reminder that defence in depth is important.
Before we jump straight into how the glitter nail polish bypass worked, let’s talk about Tamper Evident Seals and how to bypass them; in ways that would pass human inspection.
The key objective here is to pass human inspection.
Machine inspection has different attack vectors, however, tamper evident seals are usually inspected by the receiver/persons concerned. Thus, the opportunity for human inspection attacks. For this purpose, we’ll need to split this observation up into “casual observation”, and “close inspection”. There’s forensics level analysis, but… for most situations in practice, this isn’t quite available.
Think back to the last time you bought a fancy new electronics device;
how closely did you inspect the tamper evident seals (eg. warranty stickers)?
Would you have noticed if they were missing?
For the purposes of this,
- “casual observation” refers to quickly observing at arms length if there’s anything immediately suspicious — like an envelope with the top cut off.
- “close inspection” refers to closely visually inspecting, and observing if the tamper evident seal has been breached — the envelope has no immediately observable signs that it’s been cut, torn, or re-glued. The expected type of inspection when you’re suspicious that your item has been tampered with, after returning to your hotel room.
Alright. Let’s jump into the basic of Tamper Evident Seals bypassing.
There are 3 common attacks you can use against a seal:
- Physical — cutting, applying force, shims etc
- Chemical — chemical solvents, glue, etc
- Temperature — heating/cooling the seal/item the seal is protecting etc.
With the above, apply some creative problem solving — or as we’d like to say “Hacker’s Mentality”, to bypass the seal without the observer noticing what you’ve done.
Psst. here’s a secret tip,
if you can’t bypass the seal directly, think like a magician and apply some misdirection and/or attack the problem from a completely unexpected way.
Physical attacks
These are typically the use of physical force to manipulate or attack
- the glue/binder,
- container,
- the holder/grip that holds the seal in-place,
- and/or the use of glue/binder (eg. tack welding)
to then put it back together
For example, the use of a knife to pry things open, or cut the seal away from the container, to be then joined back with super glue.
Let us look at a concrete example — LightLock seals.
Take the anti-theft stickers you see on many things, and cut open the back to reveal some thin metal strips.
Use these as shims. Slide them in where the blue arrow points, wrapping around the cord pulling it in until it protrudes out the other side giving you some to grip. Then, slide the cord out in the orange arrow’s direction to release the seal without any damage as the teeth that holds the seal in-place, has been blocked by the shim.
When you’re ready to put the seal back, simply just seal it back as normal.
For the EnaStrip 2 Metal,
cut the metal strip as close to the body as possible — shown by the red line in the diagram below.
Once you’re ready to seal it back, simply place a liberal amount of super glue where the red arrow is pointing, and insert the strip back in, on top of the old strip that you previously cut. It should slide right in. Hold tight until the glue takes hold.
The tampering shouldn’t be too visible for casual inspection.
Chemical attacks
These mostly involves the use of solvents to attack the glue or binding agent, or the material itself.
Using these, you could for example, undo glued wristbands without damaging the paper it is binding together. Simply apply some Methylated Spirits to the sticky area, and it softens the glue up enough to just peel off without damaging the tamper evident seal.
Most attacks in this class involves attempting to dissolve/soften the glue, and are pretty similar. It also works with most security stickers — like the warranty void stickers.
Temperature attacks
Taking advantage of how materials behave, we use either heat or cold, to manipulate the seal, or the container to our advantage.
An example is to use heat to soften plastic teeth that’s holding the seal together. Like in this bypass shown here by Mos & Boo.
Heat causes materials to expand. Different materials expand and contract at different rates. You can use this to your advantage when trying to cleanly break a seal that binds 2 different materials — like nail polish on a metal laptop.
The above is just a tiny example for the bypass techniques shown.
For details on other seals, read Mos & Boo’s posts on the topic (https://mosandboo.com/category/tamper-evident/). They do an amazing job explaining the techniques for the various tamper evident seals.
The Glitter Nail Polish
The final boss.
Armed with the knowledge above, we put it all together to bypass the glitter nail polish — we will need them all.
Here’s the secret to bypassing the seal. Patience and perseverance — spend stupidly long amounts of time on it, more than sensible or reasonable.
Let’s jump right into it.
First start by carefully observing the nail polish.
The challenge here is that it is believed that
(a) the nail polish strongly binds to the screw, and the surface of the laptop.
(b) the only way to remove the glitter nail polish is to remove all the nail polish and replace it with a new coat.
The glitter’s arrangement makes it practically impossible to replicate; thus observable that it has been tampered with.
What if this assumption is flawed?
The goal here is that the observer does not notice that their laptop has been tampered with. That means, by casual visual inspection, they should not notice any damage to the seals. As an additional precaution for “close inspection” the glitter patterns should match the photographs taken.
So, we challenge the assumptions.
The nail polish applied would have some height to it. The top half, shown in red on the diagram, is more visible. Thus, more important.
The bottom half, shown in green, is less visible, thus some damage can be done to this layer without it being too visible upon inspection.
Our attack will be on the bottom layer preserving the top, so that it is visually untouched.
With that, let us start the process.
Start by taking pictures of the seal. These will be your references, and crucial for ensuring that you are able to put the seal back together in a visually similar manner.
Get close. The clearer your pictures, the easier it will be to work with it later. But also keep track which picture belongs to which screw.
Next, start by picking a single screw to work on.
Then as targeted as possible, heat up the surface of the laptop, near the nail polish. The different rates of material expansion should help slightly peel off the edge of the nail polish blob.
If you can find some leverage around the nail polish, you might not need this step. Remember, take it slow and careful as you do not want to damage the nail polish coat.
Using the sharpest knife or blade that you have, attempt to slowly lift a thin portion of the film up. While doing that…
Add tiny bits of acetone using a insulin syringe, to the edge of where your blade meets the nail polish to help dissolve a thin layer of the nail polish.
Warning!
Do NOT add too much as it may take away more nail polish than you want.
Repeat steps 2–4 a tiny, gently, a tiny bit at a time until you get the whole top up. Patience and being delicate is important. Do not rush it.
Don’t worry about the nail polish in the screw itself. Go ahead and use acetone to clear off enough so that you can get your screwdriver in there to remove the screw.
Now, repeat this for all the remaining screws. This process may take a while.
Once you’re done doing what you need to do, we need to reassemble the seals.
To begin our reassembly process, begin by placing a very thin layer of clear nail polish on the screw itself, remember to fill the gaps so that it’s a flat surface.
Be careful not use too much or to cover more space with the nail polish than the original did. You might find the use of a toothpick or syringe helpful to control the amount of clear nail polish that you use.
Using the photo reference you have taken, carefully align and place the original glitter nail polish film back onto the screw. A steady hand is important here. Take the time to carefully align it back to as it was. Be careful that no access clear nail polish overflows the original boundary.
One tip, as long as you match your reference photo, and the film doesn’t detach from casual handling, you’d likely be in the clear.
Let the nail polish dry, and you’re done.
Congratulations, you’ve acquired a new ninjitsu.
I accomplished this at the OzSecCon 2018 Tamper Evident Challenge — one of the leading physical security conferences in the world. When this was done at the CTF in 2018, there was a computer vision software matching against a reference image which we had to bypass too.
Now, you too can do it.
Closing Thoughts
If you’re relying on the Glitter Nail polish to defend against tampering, know that it is not infallible. Likewise, also proof to demonstrate that it should NOT serve as conclusive evidence that a device protected by this seal has not been tampered with. As an indicator, sure, but not conclusively.
Is it still a worthwhile seal to use?
Yes. As you can see, it take some amount of skill and effort to accomplish.
Initially introduced as the best known way to protect against tampering in 2013 with no known bypass, it was broken in 2018. I didn’t think too much of it as you now can see, it’s quite a trivial bypass, and surely someone else would have discovered it by now. But, as I recently discovered from others, was still a mystery. Thus, the motivation to put it out there so that we can move the state of the art forward, and not have a false sense of security.
Likewise in software, and other physical security, I think this serves as a good reminder that just because no technique is well-known publicly, none exists. Nothing is “hack proof”.
Hack the planet 🌏
✌️ — hoodiePony
PS.
My apologies to a few people that I’ve promised this write-up to; sorry, life happened. This time, the right life circumstances ( and prompt ) meant that I could immediately jump onto this and not get forgotten again.
PPS.
This is the companion post to a talk that I gave at DEFCON 30 DCG VR.
At the time of writing, you can still catch the video archive on Twitch at
https://www.twitch.tv/videos/1560896000?t=05h55m50s
[ update 2022–09–30 ] DefCon Groups have published a VOD of the presentation: https://www.youtube.com/watch?v=6Gq23mF47oQ
Additional Resources & References