Glitter nail-polish is the best tamper-evident seal

At a talk at the 30C3 in Hamburg, Ryan Lackey proposed an ingenious solution to detecting tampering with your computer, phone or tablet: paint the seams and screw-tops with glitter nail-polish and snap a photo of the random pattern formed by the glitter after it dries.

Security-conscious travelers have long used tamper-evident seals over their devices' screws and seams, but as Lackey points out, those seals are easy for spies, customs officials and other snoops to reproduce, especially if they can work in private (as happens when your laptop is taken away for a border inspection). But reproducing the random pattern of glitter polish is substantially more expensive than replicating a security seal -- it also takes longer, and there are no set procedures for doing so.

Lackey also recommends using stickers as an alternative seal; it's unlikely that a spy agency or a customs official has access to your favorite vintage Wacky Package sticker.

The idea is to create a seal that is impossible to copy. Glitter nail polish, once applied, has what effectively is a random pattern. Once painted over screws or onto stickers placed over ports, it is difficult to replicate once broken. However, reapplication of a similar-looking blob (or paint stripe, or crappy sticker) might be enough to fool the human eye. To be sure, the experts recommend taking a picture of the laptop with the seals applied before leaving it alone, taking another photo upon returning and using a software program to shift rapidly between the two images to compare them. Even very small differences – a screw that is in a very slightly different position, or glitter nail polish that has a very slightly different pattern of sparkle – will be evident. Astronomers use this technique to detect small changes in the night sky.

By taking the picture with a cellphone that is kept with you at all times, you can be reasonably sure the original picture hasn’t been tampered with or replaced. In order to guard against typical user forgetfulness, the experts recommend using a two-stage remote verification system. Such a tool would require that two pictures match exactly, for example, before allowing the user to log in to a potentially vulnerable system such as a VPN.

“This makes it non-skippable by users,” said Michaud, CEO of Rift Recon. “If the user doesn’t do the check, it doesn’t work.”

Don’t Want Your Laptop Tampered With? Just Add Glitter Nail Polish [John Borland/Wired]

(Image: Feather effect nail polish, a Creative Commons Attribution (2.0) image from berenicedecados's photostream)
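
The before/after photo comparison described above can also be done in software instead of by eye. The following is an added example, not code from the talk, the Wired article or any tool they mention; it assumes the two photos are already aligned and reduced to grayscale grids, and the tile size and threshold are illustrative assumptions.

```python
# Added example: automated stand-in for "blinking" between two seal photos.
# Assumes aligned grayscale images given as lists of rows with values 0-255.
import random

def normalise(img):
    """Subtract the mean so a uniform lighting change is not read as tampering."""
    flat = [p for row in img for p in row]
    mean = sum(flat) / len(flat)
    return [[p - mean for p in row] for row in img]

def changed_tiles(before, after, tile=8, threshold=12.0):
    """Return (tile_row, tile_col) for every tile whose mean absolute
    difference between the two photos exceeds the threshold."""
    if len(before) != len(after) or len(before[0]) != len(after[0]):
        raise ValueError("photos must have identical dimensions")
    a, b = normalise(before), normalise(after)
    h, w = len(a), len(a[0])
    flagged = []
    for ty in range(0, h, tile):
        for tx in range(0, w, tile):
            cells = [(y, x) for y in range(ty, min(ty + tile, h))
                     for x in range(tx, min(tx + tile, w))]
            mad = sum(abs(a[y][x] - b[y][x]) for y, x in cells) / len(cells)
            if mad > threshold:
                flagged.append((ty // tile, tx // tile))
    return flagged

def seal_intact(before, after, **kw):
    """True only if no tile differs beyond the tolerance."""
    return not changed_tiles(before, after, **kw)

def make_samples(seed=1):
    """Constructed sample data: a 32x32 'glitter' pattern, not a real photo."""
    rng = random.Random(seed)
    before = [[rng.choice((20, 20, 20, 230)) for _ in range(32)] for _ in range(32)]
    # Same seal photographed again: slightly brighter, small sensor noise.
    rephoto = [[p + 10 + rng.randint(-3, 3) for p in row] for row in before]
    # Seal broken and repainted: one 8x8 region gets a fresh random pattern.
    repainted = [row[:] for row in rephoto]
    for y in range(8, 16):
        for x in range(16, 24):
            repainted[y][x] = rng.choice((20, 20, 20, 230))
    return before, rephoto, repainted
```

A byte-for-byte equality test would reject the honest re-photograph in this sample, which is why the sketch compares per-tile differences against a tolerance and reports where the change is.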

Notable Replies

  1. Next on the market: Tamper-evident Glyptal (since one of the many uses of that insulating varnish is to secure screws/trimpots/etc. against vibration).

    Seriously, this is a clever off-label use.

  2. Wouldn't a tampering party simply peel back a sticker and replace it (maybe with a shot of glue to help it stick like new)? Peeling off stickers without damaging them is an art (hint: don't use just your fingernail), but it's hardly impossible.

    The glitter nail polish seems like a cooler idea, although it's going to hurt repairability when all of your screwheads are filled in with acrylic. It also doesn't help against USB stack injection attacks, but you would have to be Osama Bin Laden's resurrected zombie to warrant that level of attack.

    Honestly, just filling in all of the screwheads on your box with epoxy is already pretty good tamper resistance.

  3. As a 16 year old at Arlec in the 1980s I used nail polish for this purpose while assembling light dimmers. It seemed to have been part of their production process for decades.

  4. Not really. The nice thing about acrylic, as us ex-electronic-tech types remember, is that it doesn't adhere unreasonably to metal and is fairly brittle; you can chip it free fairly easily when you need to. (At least that's true on normal-sized screws with traditional heads; dunno about the tiny stuff.)

    If it bothers you, slap a tamper-evident label over the opening and then paint the randomizer across that...?

  5. I remember reading decades ago that this method was used to ID warheads. They used to then photograph the glittery resin from multiple light directions because even if you could imitate the placement of every flake of glitter you'd never match their orientations.
