At a talk at the 30C3 in Hamburg, Ryan Lackey proposed an ingenious solution to detecting tampering with your computer, phone or tablet: paint the seams and screw-tops with glitter nail-polish and snap a photo of the random pattern formed by the glitter after it dries.
Security-conscious travelers have long used tamper-evident seals over their devices' screws and seams, but as Lackey points out, those seals are easy for spies, customs officials and other snoops to reproduce, especially if they can work in private (as happens when your laptop is taken away for a border inspection). But reproducing the random pattern of glitter polish is substantially more expensive that replicating a security seal -- it also takes longer, and there are no set procedures for doing so.
Lackey also recommends using stickers as an alternative seal; it's unlikely that a spy agency or a customs official has access to your favorite vintage Wacky Package sticker.
The idea is to create a seal that is impossible to copy. Glitter nail polish, once applied, has what effectively is a random pattern. Once painted over screws or onto stickers placed over ports, it is difficult to replicate once broken. However, reapplication of a similar-looking blob (or paint stripe, or crappy sticker) might be enough to fool the human eye. To be sure, the experts recommend taking a picture of the laptop with the seals applied before leaving it alone, taking another photo upon returning and using a software program to shift rapidly between the two images to compare them. Even very small differences – a screw that is in a very slightly different position, or glitter nail polish that has a very slightly different pattern of sparkle – will be evident. Astronomers use this technique to detect small changes in the night sky.
By taking the picture with a cellphone that is kept with you at all times, you can be reasonably sure the original picture hasn’t been tampered with or replaced. In order to guard against typical user forgetfulness, the experts recommend using a two-stage remote verification system. Such a tool would require that two pictures match exactly, for example, before allowing the user to log in to a potentially vulnerable system such as a VPN.
“This makes it non-skippable by users,” said Michaud, CEO of Rift Recon. “If the user doesn’t do the check, it doesn’t work.”
Don’t Want Your Laptop Tampered With? Just Add Glitter Nail Polish [John Borland/Wired]