How To Stop Worrying And Win An Infosec Contest
Despite two dozen or more security conventions attended, between the two of us, this year at SAINTCON 2016, my friend Dan Daggett (“Viking”) and I (collectively, “Team Chainsaw”) did something that neither of us has done before: entered, seriously competed, and won a contest. Like many others in the technology community, I am intimidated by opening up to others and to failure, but it is quite clear to me after the events of this week that competing and winning in these contests can be done by anyone who is sufficiently motivated, and able to set aside their fear of the unknown. Moreover, at least for me, the competition is more personally rewarding than the victory. Though I’m not complaining about the victory.
Herein lies the story of the technical challenges we surmounted, and the fun we had.
SAINTCON is a regional information security conference held somewhere in Utah during October — this year was at the Utah Valley Convention Center in Provo. This year, one new element was a Tamper Evident contest. These contests have existed at DEF CON for many years now, but this was the first year that such a contest existed as a standalone event at SAINTCON. Tamper evident contests typically involve defeating several layers of tamper-resistant seals and devices with the minimum possible (ideally no) disruption of the seals and contents. The goal of such a contest, for security professionals, is to improve our understanding of the scope and relevance of these devices that we often take for granted, to help us achieve the overarching goal of improving the security and safety of those around us.
We picked up our Tamper Evident package on Tuesday afternoon. Viking began research almost immediately, as I went off to frustrate myself with the Hacker’s Challenge.
Layer 1: Exterior Box & Padlock Seal
We were presented with a standard black plastic ammo can, familiar to anyone who shops regularly at sporting good stores. The box was sealed with a padlock seal, like the ones used on utility meters. The serial number of the padlock seal had been written on a label on the outside of the box. Given the fact that we were printerless, and the fact that printers are diabolically evil in any case, we ruled out changing the sticker early on.
Some teams approached the external box by using a heat gun to bend the hinge tabs, so that the top of the box could be removed without removing the padlock seal. We were worried about deforming the box, so we attacked the padlock seal itself. Viking invested hours into reading writeups and watching videos for previous DEF CON tamper evident challenges, which led us to approach this seal in two parts: obtaining a replacement wire loop, and removing the existing loop from the seal.
Most successful attacks on padlock seals involve removing the seal and replacing the wire loop with an identical loop. All attendees were given spare padlock seals, but they were sealed to our badges, not simply given to us unused. We removed a seal from my badge by cutting away the plastic, to give us a spare wire loop. This was the easy part.
Second, we needed a way to remove the wires from the broken seal. Removing a padlock seal from a device is a simple matter: cut the wire loop and pull it off. Since these are security seals, though, even after the wire is cut it cannot be easily removed from the plastic body. Previous DEF CON teams have documented two popular methods of removing the wires: electrolysis, to dissolve the remaining wire segments, or shimming the wires with thin, hollow metal (typically, piercing needles). After a visit with a confused local tattoo artist, Viking obtained two 16-gauge piercing needles and we attempted to shim the seal — which failed. We were able to bend piercing needles into interesting shapes, but ultimately our inexperience with physical security made this especially challenging for us.
We discussed electrolysis, but a bit of desperation and a desire to not burn down our hotel led Viking to simply put his spare plastic seal in a vise and rip the wires out through brute force — which I thought would fail, but which actually worked beautifully. Once the wires were out, we simply replaced the old wire loop with the one salvaged from the badge, and the layer 1 seal appeared unopened.
Layer 2: Interior Box & Tamper Tape
Inside the plastic ammo can was a small cardboard box sealed with blue tamper-resistant packaging tape. This tape is designed to separate if it is peeled off. It was pretty awful at that task, though, since we were quite easily able to heat it with our hotel room’s hair dryer and peel it right off the box. It removed so easily and completely that looking up links for this article was the first time I’ve seen what it looks like when removed.
Replacing the tape later would prove to be somewhat more difficult. The heat removal method left almost all the glue behind on the box. I tried some solvent methods to remove the adhesive from the box, but after slightly discoloring the box itself, we decided to skip adhesive removal and use spray adhesive on only the tape to re-adhere it to the box. This wrinkled the tape slightly in one area, but it looked like the tape had just been wrinkled during application, so we went with it.
Layer 3: Deposit Bag
Last year’s SAINTCON Vault challenge, from which this contest grew, involved a tamper-resistant deposit bag with a USB flash drive inside it. In one of the best stories I’ve heard at a security con before, the winning team was able to read the USB drive without even opening the bag. Since the Tamper Evident contest was being organized by one of the winners of last year’s Vault, it was no surprise to encounter this bag in the contest — or, for that matter, to find out that it contained a CD, so that we’d definitely have to remove the disc from the bag to read it.
The Internet told us that bags like this could easily be opened with cold, but after reading the manufacturer’s page about this particular bag, we discovered that its seal is designed to fail obviously if exposed to cold. We eventually decided to slit the bag down one of the sides, along the side seals, and repair it later. After some discussion, and thinking we had no viable heat sealer, we decided to reseal the bag with a very thin application of spray adhesive. We sprayed the adhesive into a cup and applied it with a very fine paintbrush — not the only time during the week when having nitrile gloves would pay off. The glue created a good, but visible, seal.
This was the layer for which underthinking the problem caused difficulty. First, we discovered later that there was a heat sealer secreted away in the Hardware Hacking Village. Second, there were two sources of heat in our hotel room: a soldering iron and a clothes iron.
Layer 4: CD envelope
The CD itself was stored in the old familiar white paper CD envelope, with a SAINTCON sticker sealing the flap. This sticker was one given to attendees at the beginning of the conference, so the easiest approach was to slit the envelope and reconstruct it using a new envelope. One trip to Staples solved this problem.
Layer 5: The CD itself
This presented an interesting challenge, since none of our laptops had optical drives. We were debating calling other friends in town to see who had brought a laptop with a CD drive, when the thought occurred to visit the hotel business center and read the contents of the disc. After going through three of the five stages of grief with the hotel’s lockdown software, we got the files copied.
The CD itself contained almost a hundred image files. We analyzed the images in a variety of different ways: strings, reading EXIF data, examining for polyglot files, etc., and had no success at all. We suspected that the CDs were unique to each box — why wouldn’t you do that? — which we were able to confirm (very) early Friday morning. Finally, we obtained a copy of another team’s disc and hashed all the files on each one to discover we had overlooked the blatantly obvious: in small type, a code had been added to one particular image.
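The hash-and-compare step described above, written out as an added example (not code from the original post): it hashes every file on two disc copies and reports which files differ in content and which exist on only one disc. The two "discs" and the marker appended to one image are constructed sample data, not the contest's real files.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map each file path (relative to root) to its SHA-256."""
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_discs(ours: Path, theirs: Path) -> dict[str, list[str]]:
    """Compare two disc copies file by file.

    Files with the same name but different content are the interesting ones:
    on the contest disc that is where the per-box code had been added."""
    a, b = hash_tree(ours), hash_tree(theirs)
    return {
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
        "only_ours": sorted(a.keys() - b.keys()),
        "only_theirs": sorted(b.keys() - a.keys()),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: two discs identical except one image carries extra bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        ours, theirs = Path(tmp, "ours"), Path(tmp, "theirs")
        for d in (ours, theirs):
            d.mkdir()
            for i in range(5):  # five fake JPEG-like files per disc
                (d / f"img{i:03d}.jpg").write_bytes(b"\xff\xd8\xff\xe0" + bytes([i]) * 64)
        # Our copy of one image has a marker appended (placeholder, not the real code)
        (ours / "img003.jpg").write_bytes(b"\xff\xd8\xff\xe0" + bytes([3]) * 64 + b"CODE-PLACEHOLDER")
        (theirs / "extra.txt").write_text("only on the other disc")
        return diff_discs(ours, theirs)


if __name__ == "__main__":
    print(demo())
```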
We stayed up late Wednesday evening shopping and discussing how to reassemble the box with our friend Bruce. He’s our hero for doing almost all the driving, giving us some good ideas for reassembling the box, and ultimately egging us on for what was to come. Lack of a heat sealer for the bag and discoloring the box had me down.
Reassembly, Desperation, and a General Lack of Sleep
If there was an unofficial theme for this year’s SAINTCON, it was privacy, driven by a couple of talks there as well as the Tinfoil Hat Talks.
Previously, during a visit to Michael’s, Viking had picked up a glitter sample pack. We had already been talking about doing something fun to our entry, in the best “if you can’t win, fail funny” hacker tradition. Frustration, my belief that we would not win the contest based on our tamper evident bag seal, general atmosphere at an amazing infosec con, and lack of sleep led to my desire to run with this idea. I suggested that before we reassemble the package, we add some tinfoil. Or a lot of tinfoil. Offering to go to the store right now and buy it helped this along.
Post aforementioned trip to the store, and some more caffeine, we reassembled the box thusly:
CD: wrapped in foil, confetti-style glitter (larger pieces, because we’re monsters, but not horrible monsters) poured into the CD’s new foil pouch, and resulting assembly inserted into the CD envelope.
CD envelope: sealed with appropriate SAINTCON sticker, reinserted into tamper evident bag.
Tamper evident bag: resealed with a thin application of glue, then wrapped in tinfoil.
Cardboard box: Foiled tamper evident bag was placed into box. Spray adhesive used on the tamper evident tape, then carefully resealed. Box then carefully gift-wrapped in tinfoil by Bruce.
Exterior box: decided it should look normal until opened. Spray adhesive plus foil used to cover the whole inside of box. Foiled cardboard box then inserted into exterior box, closed, padlock seal applied.
When closed, the box looked original. The condition of the original seals after our modifications ranged from very good (the padlock seal) to average (the tamper evident bag). Ultimately, though, it was foil all the way down to glitter.
Wherein The Unexpected Happens
Viking asked if we could observe the judging process. We really wanted video. We were denied, obviously. We had hoped to win the worst team/best troll award.
Instead, we won the whole contest.
We remain unsure, as of this writing, how our additional improvements to the privacy and security of the package affected our score. We know there was some internal discussion about it, the scope of which was only partially revealed to us, but that the ultimate decision was that our improvements to the security of the package were in keeping with the best traditions of the hacker mentality, and were therefore at least not disqualification-worthy.
Though we did get some dirty looks when we mentioned glitter.
And so, dear reader, your heroes returned home with a variable output power supply, a box full of really nice Raspberry Pi stuff, and a lot of excess tinfoil.
Aside from the many things we learned about materials and experimentation, there were many personal lessons that came from this experience.
Don’t overthink the problem.
Carry a good pair of electrician’s scissors in your gear bag right next to your Leatherman and multi-bit screwdriver. I don’t know how I managed to get through close to four decades of existence before I knew about these wonderful things, but trust me, they’re amazing.
Being a hacker doesn’t mean you won’t get stuck, but hopefully you won’t stay stuck. If you’re only using that iron for pants, you’re missing a perfectly good attack vector.
Open yourself to new ideas and new people. They are often amazing.
Experience new things, so that you can separate discomfort from disinterest. Move toward discomfort.
When your friend says “We should enter that contest,” tell your brain to shut the ■ ■ ■ ■ up and say “Yeah, that sounds fun.” You might do something amazing.