Gaping security flaw exposed on anti-tamper devices
Devices from those used to track nuclear materials to warranty seals on Xbox consoles easily circumvented
Computerworld - ARLINGTON, VA. -- Security devices used in transportation, packaging and even in accounting for nuclear materials are very vulnerable to attack, two security researchers warned on Tuesday at the Black Hat security conference.
The physical security devices, known as "tamper-evident devices,' aren't intended to prevent theft but to alert inspectors that something has been broken into.
The devices are wide-ranging in design and application, and are used to seal everything from evidence bags, large shipping containers and even things like the warranty seal on an Xbox gaming console.
Jamie Schwettmann and Eric Michaud of i11 Industries went through a long list of tamper evident devices at the conference here and explained, step-by-step, how each seal can be circumvented with common items, such as various solvents, hypodermic needles, razors, blow driers, and in more difficult cases with the help of tools such as drills.
Tamper-evident devices may be as old as civilization, and today are used in everyday products such as aspirin containers' paper seals. The more difficult devices may be bolt locks designed to secure shipping containers, or polycarbonate locks designed to shatter if cut.
But they all share something in common: They can be removed and the anti-tampering device reassembled.
Tampering can be discovered if people are looking specifically for it and test for it, but in most cases all these devices get is a "just kind of a once-over," said Schwettmann, "because we put so much trust in these things."
Michaud, who has worked on the Argonne Vulnerability Assessment Team training International Atomic Energy Agency (IAEA) inspectors, said the same type of anti-tamper devices used commercially are also used on containers that may store nuclear devices, waste, and equipment to help verify arms treaties.
Michaud believes those seals can be tampered with. "It's a massive risk," he said.
There aren't any controls on the use of the seals, said Michaud. He called one maker of seals and asked them for a sample. They sent "a non-voided legitimate stack of them," he said. If he wanted to forge the seals, he could have, he said.
Patrick Thibodeau covers SaaS and enterprise applications, outsourcing, government IT policies, data centers and IT workforce issues for Computerworld. Follow Patrick on Twitter at @DCgov or subscribe to Patrick's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts