Well, hello, everyone. I'm X-Ray. I'm your host for today. Welcome to DEF CON 30's Altspace VR Groups Village. So our speaker, our next speaker, is Hoodie Pony, who hails from Australia. And his talk is going to be on Glitter Nail Polish vs. the Evil Maid. Story, spoiler, the maid wins. In 2018, Hoodie Pony bypassed a tamper-evident seal that was deemed impossible by the CTF organizers, the glitter nail polish on screws, and won the CTF. Just another noob nerd figuring out how things work by breaking things and challenging assumptions. Sharing a story, just another member of DEF CON group 11613 in... I'll pronounce this correctly... Northern Australia. So welcome, Hoodie Pony.

All right, there you are. Okay, let's see if all of the technology will work. Thank you, thank you. Can you hear me? Yeah. All right. Sounds good. All right. All right.

Good day, agents. Thank you for being here on such short notice. I'm Hoodie Pony, here for your mission briefing today. Actually, next slide. It's been a long day, and this mission is time sensitive, so we'll be brief. Next slide.

According to our intelligence reports, a person of significant interest, Dr. O, will be presenting at DEF CON 30 tomorrow. The homecoming of the hacker, anarchist, and anti-corporate community, with journalists and intelligence organizations from across the globe in attendance. We've been informed that in the highly anticipated redacted talk, they will be releasing data that is of significant corporate interest. We need that information before it is released. It could be an existential threat to our organization. We have identified that Dr. O will be staying at the Plaza Hotel, and your mission is to retrieve a copy of the data, the encryption key for that data, and place a bug inside their laptop, so, well, we can continue to keep an eye on things. Of importance, we understand that Dr. O has deployed tamper-evident seals and techniques protecting these targets.
They also have a dead man's switch on their person that will release that information immediately to potentially hostile parties should our tampering be discovered. It is very important that our actions are not discovered. Next slide, please.

But how, you might ask. Well, that's a pretty good question. We believe that Dr. O will be leaving for dinner with a few friends later this evening, and will be attending a few of those sponsored parties that are so famously known for. That would be our opportunity to act. We've prepared for you to enter as the housekeeping staff at the Plaza Hotel. We believe that... next slide, please. Um... We believe that Dr. O will leave the target items in their room. You have a few hours to act before they return. Next slide.

You have three objectives. All these objectives must be accomplished without any signs of tampering, or signs that these items have been disturbed. Don't worry about it being forensically clean. We just need to make sure that Dr. O doesn't notice it before their presentation tomorrow. The objectives are from left to right. Objective Alpha. Retrieve a copy of the encryption key in a sealed envelope. There should be a folded paper with the encryption key written on it. Simply take a photo of that key and return the target to its original state. Next. Objective Bravo. Retrieve a copy of the data from the encrypted USB that would be sealed inside the tamper-evident bag. Objective Charlie. Plant a signal intercept spot in Dr. O's laptop. Dr. O's previous actions. We know that Dr. O will take precautions by using glitter nail polish directly on their laptop to protect it against tampering. Next slide.

We understand that the objective... Sorry, one slide back. Thank you. Previous slide. Yay. Awesome. We understand that Objective Charlie can be most challenging. Some say it is mission impossible, as it is widely believed that there are no known bypasses. Next slide. Not quite.
We have had expertise since 2018 and we'll be reading you in on the TTPs with this mission briefing to ensure your success. As always, all this is strictly classified and protected by the confidentiality agreement with us during your employment contract.

Let us first start with the basics. Keep in mind that we are only interested in bypassing the seals in a way that will not be detected by casual human visual inspection. There are three common attacks... attack types to bypass tamper-evident seals. Chemical, physical, and temperature attacks. Next slide, please. Next slide. Yeah, okay, cool. Thank you.

We'll dig deeper into the common attacks as we talk about your loadout. Upon arrival at the Plaza Hotel, an asset will provide you with a cleaner's cart and appropriate uniform. But due to the constrained timelines, you'll have to improvise. You need to pick up some tools yourself. You'll be able to source these from your garage or your local pharmacy. Next slide.

Chemical attacks. Most of this would involve the use of solvents to attack the glue or the binding agent or the material itself. Using these, you could, for example, undo glued wristbands without damaging the paper it is binding together. For this mission, we recommend that you prepare at least acetone and methylated spirits, with other solvents and reagents as available.

Physical attacks. The use of physical force to manipulate or attack the binding, container, or glue used to put things together. An example is to use a knife to pry things open or to cut the seals away from a container and then join them back together with superglue. For this mission, we anticipate that you'll need your standard-issue multi-tool and superglue. Next slide.

Temperature attacks. Taking advantage of how materials behave, we can use either heat or cold to manipulate the seal or the container to our advantage.
An example is to use cold to cleanly shatter or break a seal by taking advantage of the different rates of contraction. For this mission, you'll need a cigarette lighter with you. Next slide.

Other useful tools you'll need to facilitate your attacks include needles, specifically insulin needles if you can acquire them, a good electronics toolkit to help you undo those pesky security screws, and clear nail polish for Objective Charlie. Did we lose the slide deck? Yes, we did lose the slide deck. One moment, please. They're working on it right now. Give them a second. And it looks like we are back. Alrighty, so let's continue the briefing. All right. As I was saying, you'll need a good electronics toolkit to undo those pesky security screws and clear nail polish for Objective Charlie. Next slide, please.

So let's just jump right into preparations for your mission. For Objective Alpha, to retrieve the encryption key, how would you retrieve the code within this without any obvious signs of tampering? Audience, anyone want to give it a shot? Thoughts? Feel free to just yell out. Sorry? Steam. I can barely hear anyone. I can see you. Steam. Steam? Yeah, they're saying steam. Yep, that's one way. Anyone else? You could try shining a light through it and see if you can read it without opening it. That's a very good attempt. Let's just say for the purposes of this scenario, it's using really thick stock paper. Say, you know, 200 gram stock paper that you can't read through. So yeah, how else? Just a bit of a note with regards to steam. Steam can stain the paper and can leave water residue marks. So you'd want to avoid using steam in this situation. You could apply heat to the adhesive and see if it comes open. Sorry, I could barely hear that. Apply heat to the adhesive. Yeah, you could try that, but that would probably mark the paper, as it would turn brown with heat. Could you slice one end open? Sorry? Could you slice one side open and then seal it back up?
Yes, that is definitely possible. And that's a relatively good approach, as long as the sealing back up is not obvious. All right, let's just... So one of the things that you could do is to, well, if there is a bit of a gap, you could just try to get the paper out. Or otherwise use a liberal amount of methylated spirits or any of the solvents to get the glue soft. And it should just fold right open with no visible residue. Because it is... methylated spirits evaporate, and leave behind no visible signs of tampering. I think the slides died again. And... boom. Yes, cool. Yeah, so... and open. Can we just stay? Yeah, cool. It softens up the glue, allowing you to open it with no visible residue. Now, next slide. Thank you.

For Objective Bravo. Retrieve the USB from the tamper-evident bag. How would you retrieve the USB without any signs of tampering? Okay, cool. Am I coming through okay? No? Slides down? Slides down? Slides working. We can see them. What's... We can see the slides, but your audio is cutting in and out. Oh, okay. Let me just try the audio thing again. Sorry about that. Audio works now? Yes? No? Better? Okay. Joy, better software on better software. Fun.

Okay, so let's go to this. Since we have kind of like revealed the slide. So how would we do this? If we go to the next slide. Yeah, the slide. So we could use solvents to soften the glue like the previous objective. However, with the tamper-evident bags, it is sometimes hit or miss whether the solvent will dissolve the ink itself on the seal, thus revealing that the bag has been tampered with. So a safer approach is to carefully slice the sides of the bag and use a heated blade to reseal the bag once the drive has been removed, copied, and replaced. Next slide, please. It's the one with the glitter nail polish. Next slide. Am I cutting out again? No, we can hear you. Okay, cool. Okay. Sorry. Could we go to the slide with the glitter nail polish, slide 19? Where are we at? Good job. How much?
Good job. Yeah. Slide 19. Let me see if I can get the edge plug in. Yep, not a problem. Looks like we are having technical difficulties. Hopefully your machine will be a bit smoother than this. Technology. You need to save your documents. Here we go. Did everybody pray to the demo gods today? Let's start. Oh, there you go. Fantastic. Looks like we are back.

So, continuing with Objective Charlie, it takes a bit more effort than our previous objectives to complete. But removing glitter nail polish directly on the screw is certainly something possible after this briefing. Next slide, please. We'll need to put together all our previous techniques to successfully accomplish this objective. So, how do we do it? Next slide. This is on the right track. We'll take advantage of any of these weaknesses as available to make our task easier. Next slide.

Alright, let's jump right into it. First, start by carefully observing the nail polish. Next slide. So, what is the challenge here? Well, it is that the nail polish strongly binds to the screw and the laptop. It is believed that the only way to remove the glitter nail polish is to remove all the nail polish and replace it with a new coat. The glitter's arrangement makes it practically impossible to replicate, thus making it observable that it has been tampered with. Well, what if that assumption isn't quite true? Next slide, please.

The goal here is that Dr. O does not notice their laptop has been tampered with. That means, by casual visual inspection, they should not notice any damage to the seals. However, as an additional precaution, the glitter pattern should also match any photographs they would have taken of it. Next slide, please. So, the hack here. The nail polish applied would have some height to it, no matter how thin. The top half, shown in red on the diagram, is more visible, thus more important.
The bottom half, shown in green, is less visible, thus some damage can be done to this layer without it being visible upon inspection. So, taking advantage of this, our attack will be on the bottom layer, preserving the top so that it is visually untouched. Next slide, please.

With that, let's jump into the process. Step one, well, start by taking pictures of the seal. These will be your references, and crucial for ensuring you are able to put the seal back together in a visually similar manner. Get close. The clearer your pictures, the easier it is to work with later. But also keep track of which picture belongs to which screw. Next slide.

Next, start by picking a single screw to work on. Then, as targeted as possible, heat up the surface of the laptop near the nail polish. The different rates of material expansion should help slightly peel off the edge of the nail polish blob. If you can find some leverage around the nail polish, without damaging it, you may not need this step. Remember, take it slow and careful, and be very careful with it as you do not want to damage the nail polish coat, especially the thinner outer edges.

Using the sharpest knife or blade that you have... Next slide. Thank you. Using the sharpest knife or blade that you have, attempt to slowly lift a thin portion of the film up. While doing that... Next slide. Next slide, please. Slide 29, please. Yeah, cool. Thank you. Add tiny bits of acetone, using an insulin syringe, to the edge where your blade meets the nail polish, to help dissolve a thin layer of the nail polish. Caution, do not add too much, as it may take away more nail polish than you want. Next slide.

Well, repeat steps 2 to 4, a tiny gentle bit at a time, until you get the whole top off. Patience and being delicate is important, do not rush it. Don't worry about the nail polish in the screw itself. Go ahead and use acetone to clear off enough so that you can get a screwdriver in there to remove the screw.
Now, repeat this for all the screws. This process may take a while. It took about 30 minutes per screw the last time I did this. Next slide, please.

Planting the bug anywhere near the CPU would be fine. Remember to secure it down. A dab of superglue or clear nail polish to hold it down will do nicely. Now, put it all back together, screw in all the screws, and then we move on to putting the glitter nail polish back on top, capping off the screws. Next slide.

To begin our reassembly process, begin by placing a very thin layer of clear nail polish on the screw itself. Remember to fill the gaps on the head of the screw so that it is a nice flat surface. Be careful not to use too much or to cover more space than the initial nail polish originally did. You might find the use of a toothpick or syringe helpful to control the amount of clear nail polish that you use. Next slide.

Using the photo reference that you have taken, carefully align and place the original glitter nail polish film back onto the screw. A steady hand is important here. Take the time to carefully align it back to as it was. Be careful that there is no excess clear nail polish that overflows the original blob's boundary. One tip, as long as you match your reference photo and the film does not detach from casual handling, you will likely be in the clear. Dr. O and most would have taken photos or, more likely, just observed it if there is damage done to the seal. When we first accomplished this in 2018, there was the use of computer vision software matching against a reference image that we had to bypass. But we do not expect Dr. O to have such technology at their disposal, and they would likely just simply inspect them visually. Do this to all the seals that you have removed, and with some practice, this could be done quite quickly. Next slide, please.

Well, congratulations. Now, get out of there and get back to safety. That's it for the mission briefing. Mission commences at 0200 Zulu. Godspeed. Next slide.
Next slide. Some special thanks and congratulations to the various giants that have made this possible. Next slide. For the DEF CON 19 seminal talk that helped form the foundations of my knowledge. Next slide. To the awesome kids, Moss and Boo, for being such great sports and sharing their knowledge to get me started and for writing heaps about tamper-evident bypasses. Next slide. And the seminal talk that introduced the glitter nail polish approach. The CCC talk that introduced the glitter nail polish approach. Next slide. And many, many others, including DCG VR for the opportunity to speak, and many others. Next slide. And thank you for listening to this short story. Questions?

Hopefully I can hear you. Sorry, where did that voice come from? Hi. So, with the amount that you use, it's almost not perceptible. Because at the end of the day, you're just using a small little drip of it. So, yeah. I mean, the other thing is... Who sniffs it? So, yeah, there's that. So, practically, you just look at it and you go, hey, looks fine. It's all right. And then just move on.

Quick question. How reproducible is this? Like, what are the chances of success if it needs to be done? If the threat actors attempted to do this on a regular basis. You know. Reproducible enough. So, yeah. It's reproducible enough. With enough practice. I initially didn't plan to do this talk because I just thought it was, well, meh. And it was kind of like a known thing. So, yeah. Reproducible enough, I guess. I just didn't have the time to scrape off tiny bits at a time in a live demo. But, yeah.

Oh, sure, sure. So, I guess my question is, you know, if you had a hundred laptops in a row, right? How many of them would notice tampering by the time you were done? The chances of you screwing it up or maybe it should be snatched in half or something like that? I mean, like, you wouldn't do this on a bulk surveillance scale. You'd probably be, you know, an evil maid attack.
And that's why, in the context of this story, I put it within that context of an evil maid attack. Because it takes way too long to do this from a bulk surveillance perspective. I mean, you could hire a whole bunch of people, but, you know, that's also a very big logistical operation. So, this is more of a targeted clandestine operation type attack? Yeah, that would be my take on it.

Now, what's interesting is, until this presentation, I had not heard of any valid, confirmed valid attack on the glitter nail polish methodology. I'd heard rumors, but I hadn't actually heard of an actual successful attack. So, ladies and gentlemen, you've just witnessed a zero day. Congratulations. I guess we drink. So, I guess the tradition of dropping zero-days at DEF CON lives on. And even at the virtual DEF CON, we have them. So, that's excellent. Yeah, from across the globe. Questions? Yeah, from Melbourne. I'm getting better at pronouncing that. Are there any more questions for our speakers? No? All righty, then.

Not really a question, just a comment. It's interesting. I've never really heard of the nail polish approach until about, I want to say, a week or two ago, when one of my buddies or another security group was giving a talk about it. So, it was really interesting to see a bypass for this approach. So, thank you for that. Yeah, I mean, to be honest, it appeared on Hacker News and stuff that the attack is still viable. And I'm like, yeah, okay, we should probably do a talk about it, since it's not known that there is an actual attack for it. So, here we are. I actually just recently found out about the whole nail polish method through a Lifehacker article. Just now. Yeah. Anyway. And it's crazy how all this happens. Yeah. And also, full disclaimer, this is fictional. This is a fictional story. Yeah, fictional story, but the hack is actually real, so that's kind of cool. Yeah. All righty. I will give back the microphone to the MC. Here, X-Ray. Thank you, HoodiePony.
We appreciate your presentation. I really wanted to see this one when I saw the write-up submitted. This is on my hot list of seeing. Our next speaker is going to be here in about 30 minutes. It was supposed to be Shelter. He's disappeared. We haven't heard from him. So, we don't know. As far as I know, unless he shows up at the last minute, he's not going to be speaking. Our next presenter will be SidePocket. So, that's looking good so far. So, take a break. Come back in about 30 minutes.