If you’re traveling overseas, across borders or anywhere
you’re afraid your laptop or other equipment might be tampered with or
examined, you’ve got a new secret weapon to improve security. Glitter nail
polish.
Don’t laugh. It works.
Security researchers Eric Michaud and Ryan Lackey, making a
presentation at the Chaos Communication Congress on Monday, highlighted the
power of nail polish – along with metallic paints and even crappy stickers – to
help people know when their machines have been physically tampered with and
potentially compromised.
“Government agencies have so much money, they can build
their own custom procedures,” said Ryan Lackey, founder of the CryptoSeal VPN
service. “But if you’re a private person who travels to a country to do work,
you have to take your stuff.”
Physical tampering with machines, whether by governments,
corporate competitors or data thieves looking for bounty, is a growing problem.
Businesspeople traveling to China in particular have reported problems with
data theft and hardware tampering. While drive encryption, strong passwords and
software-based measures might keep casual thieves out, traveling offers many
ways for prying eyes to physically compromise a laptop, Lackey and Michaud
noted. Border areas can be especially dangerous, as authorities can confiscate a
laptop or cell phone to “examine” it, then return it with the drives imaged or
malware installed. Once at a destination, many travelers lack the option to
carry their laptop at all times. This raises the risk of attackers breaking
into a hotel room to steal data or compromise machines.
Short of keeping a machine with you 24/7, there is little
you can do to be absolutely sure these things don’t happen, the researchers
said. If there is a serious question, they advise against traveling with
sensitive data and recommend wiping or simply discarding potentially compromised
devices upon returning home. But those extreme measures don’t help you while you’re
actually on the road, making it critical to know if your machine has been
compromised.
Some travelers affix tamper-proof seals over ports or
chassis screws. But these seals can in fact be replicated or opened cleanly in
minutes by anyone with even minimal training, Michaud and Lackey said. They
instead advise borrowing a technique from astronomers called blink comparison.
Here’s where the glitter comes in.
The idea is to create a seal that is impossible to copy.
Glitter nail polish, once applied, has what is effectively a random pattern.
Painted over screws or onto stickers placed over ports, that pattern is
difficult to replicate once the seal is broken. However, reapplication of a similar-looking blob (or
paint stripe, or crappy sticker) might be enough to fool the human eye. To be
sure, the experts recommend taking a picture of the laptop with the seals
applied before leaving it alone, taking another photo upon returning and using
a software program to shift rapidly between the two images to compare them.
Even very small differences – a screw that is in a very slightly different
position, or glitter nail polish that has a very slightly different pattern of
sparkle – will be evident. Astronomers use this technique to detect small
changes in the night sky.
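The before/after comparison described above can also be done by software instead of by eye. The following is an added example, not the researchers' tool: it assumes two already-aligned grayscale photos, uses constructed stand-in images, and the tile size and thresholds are illustrative choices that let ordinary sensor noise pass while a reapplied patch of glitter is flagged.

```python
import random

def make_seal(seed, size=64, flakes=120):
    """Constructed stand-in for a seal photo: dark polish with bright glitter flakes."""
    rng = random.Random(seed)
    img = [[20] * size for _ in range(size)]
    for _ in range(flakes):
        img[rng.randrange(size)][rng.randrange(size)] = 230
    return img

def add_noise(img, seed, amplitude=6):
    """Simulate sensor noise between two shots of the same, untouched seal."""
    rng = random.Random(seed)
    return [[p + rng.randint(-amplitude, amplitude) for p in row] for row in img]

def reapply_patch(img, seed, top, left, side=16, flakes=12):
    """Simulate a broken seal covered with fresh polish: new random flakes in one area."""
    rng = random.Random(seed)
    out = [row[:] for row in img]
    for y in range(top, top + side):
        out[y][left:left + side] = [20] * side
    for _ in range(flakes):
        out[top + rng.randrange(side)][left + rng.randrange(side)] = 230
    return out

def changed_tiles(before, after, tile=8, pixel_delta=60, min_pixels=2):
    """Return (tile_row, tile_col) for tiles with >= min_pixels strongly differing pixels."""
    height, width = len(before), len(before[0])
    flagged = []
    for ty in range(0, height, tile):
        for tx in range(0, width, tile):
            count = sum(
                1
                for y in range(ty, min(ty + tile, height))
                for x in range(tx, min(tx + tile, width))
                if abs(before[y][x] - after[y][x]) > pixel_delta
            )
            if count >= min_pixels:
                flagged.append((ty // tile, tx // tile))
    return flagged

reference = make_seal(seed=1)             # photo taken before leaving the laptop
untouched = add_noise(reference, seed=2)  # second photo, seal intact
resealed = add_noise(reapply_patch(reference, seed=3, top=16, left=32), seed=4)

if __name__ == "__main__":
    print("untouched seal, flagged tiles:", changed_tiles(reference, untouched))
    print("resealed patch, flagged tiles:", changed_tiles(reference, resealed))
```

Real photos would first need registration (aligning the two shots) and lighting normalization before a per-tile comparison like this is meaningful.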
By taking the picture with a cellphone that is kept with you
at all times, you can be reasonably sure the original picture hasn’t been
tampered with or replaced. In order to guard against typical user
forgetfulness, the experts recommend using a two-stage remote verification
system. Such a tool would require that two pictures match exactly, for example,
before allowing the user to log in to a potentially vulnerable system such as a
VPN.
“This makes it non-skippable by users,” said Michaud, CEO of
Rift Recon. “If the user doesn’t do the check, it doesn’t work.”
The pair said they will within a few months release an
inexpensive tool that will support this two-step verification system. Such
machine-assisted verification was necessary to help travelers overcome their
own mistakes, they argued.
“Users are lazy,” Michaud said. “It’s really unlikely that
we’re going to build a system based on users making the correct security
decisions all the time.”