How to play in the Tamper Evident Contest - RULES

    First off, thanks for being interested in playing my contest!

    Here are links to what has happened the past two years:
    DEF CON 19
    DEF CON 18

    How to play:
    • Read this post and decide if you want to play or help run the contest
    • Register in the forum thread for sign ups if you want to play.
    • Show up to DEF CON 20 with all your gear and tools to attack!
    • Grab the package.
    • Win!

    I have always been interested in the concept of tamper evident and tamper proof packaging and seals. For the past couple of years I have been running a Tamper Evident (TE) contest at DEF CON, and you are invited to play if there are still spaces left. Because of the cost of the gear, time to build, etc., I limited the total number of teams. If too many want to play I -might- expand the size of the contest. This will be the third year of the contest, so there is starting to be some built-up community knowledge about defeating TE items. It is now popular at other hacker cons, and I feel really good that this idea has caught on so well. For this year I will up the game a little bit in level one.

    With physical games like LosT's Mystery Box Challenge, the Hardware Hacking Village, and the Lock Pick Village really taking off it is now or never! Jump in!


    LONESTAR or TEAM?: You can register as an individual, or as a team of unlimited size for the first year. This is to get people playing. Next year the teams will be restricted to a max size of three. So decide (Individual|Team)
    UNLIMITED or MCGUYVER?: You can register in the unlimited category to use unlimited tools and gear. Got an X-Ray machine? Why not! Or you can register in McGuyver level where you have to use commonly found items. (Unlimited|McGuyver)

    There are various tamper evident technologies out there, including tape, seals, locks, tags, and bags, to name a few. This contest will test your ability to perform "defeats" (described below) against a range of inexpensive commercial low to medium security products. I will list the exact products I am buying so you can go buy them as well to practice in advance if you want to.

    You will receive points for succeeding, no points for failing, negative points for not trying to defeat or skipping an item. Extra points are awarded for completeness of documentation. The more unique your exploits are the better. In the case of a tie in points, whoever turned in their results first wins.

    Different levels of defeats are worth different points. We will use the LANL Defeat Categorization Scheme to describe them:
    • [1] Type 1 defeat = 1 point
    • [2] Type 2a defeat = 2 points
    • [3] Type 2b defeat = 4 points
    • [4] (Type 3 defeat = 6 points) - Treated as 2b because we don't have the gear to detect a level 3 defeat
    • Failing to attempt a defeat earns you negative 2 points (-2)

    A component of the contest will require documentation of how you did your break, pictures or video, so the knowledge can be spread and others can learn what does and does not work. In the end we can all make better informed decisions about what we can or can't trust!

    The documentation that you need to write on each defeat is straight out of the first .pdf below, but we will be using a limited subset of the "Reporting Findings" section. Specifically:
    A comprehensive vulnerability assessment report should consist of the following 5 items:
    1. A detailed description of the successful attacks. For each attack the following information should be provided:
    • Is the attack theoretical, partially demonstrated, fully demonstrated but not perfected, or practiced to perfection?
    • What are the cost, time, and effort to devise and demonstrate the attack?
    • What time is required on-site to do the attack?
    • How much time is required for the attack to become activated, which may differ from the time to do the attack? (It may, for example, take some time for the epoxy used in a particular attack to fully cure.)
    • What time is required for off-site preparation? (The British Standard permits off-site, pre-test preparation, but does not apply time constraints [11].)
    • What personnel, skills, technical sophistication, and costs are necessary to complete the attack?
    • How many times and for how long must the adversary have on-site access to the seal?
    • What is the size, weight, cost, and nature of the tools and materials that must be brought on-site for the attack?
    • What is the level of defeat? (See the next section.)
    • Is inside information necessary for the attack, or just what is publicly available?
    2. Sample(s) of the defeated seal should be provided if practical and appropriate.
    The more you break and document, the more points you earn. The individual and the team that get the most points win!

    When you get to con you will be given a package. This package will have tamper evident seals on it. Some of these products claim to be "Impossible to reseal or reuse". Your goal is to prove them wrong and document your work every step of the way. Open the box and tamper with its contents. Inside you will find two chains. One of the chains is just a plain chain, the other chain will have some tamper evident tags and such on it. You will have until noon on Sunday of con to move as many of these seals and tags from one chain to the other without your tampering being detected. Oh, and open the box and deal with anything else you may find in there.

    There should only be about five or six tags this first year, I will edit this post and exactly describe what they are and where you can buy them in advance. I will also have spares at the con that you can practice against. Be warned this is not everything, but it is the majority of what you will run into.

    We will list a few more contest details, disqualifiers, rules, and registration information soon.

    Here is a list of links & papers to get you started becoming familiar with what I have found on this subject. No details on how to actually do a break? Yeah, now you see why I am interested! Let's go all OSS on this problem. If you find other documents or references please post them in the Tamper Evident Research thread and I will include them in the post by editing it.

    Definitions to use when talking about tamper evidence

    .pdf documents:
    Read this first paper, Effective Vulnerability Assessment of Tamper-Indicating Seals, because it will describe the definitions of the defeats, as well as the vulnerability assessment you must write up for each seal you manage to defeat.

    From the first .pdf, here is a quote describing the different defeats for those of you curious, but not curious enough to download and read it.

    Under the LANL scheme, we classify successful attacks into four categories: type 1, 2a, 2b, or 3.
    In a type 1 defeat, tampering is not detected if the "usual" seal inspection process is followed. See figure 1.
    The usual process is that routinely or typically employed by the end-user. For most seals, this is the protocol recommended by the developer or manufacturer of the seal. A type 1 defeat, however, will be detected if unusual efforts are taken. For many seals, an example of an unusual inspection protocol would be to disassemble the seal and examine it in great detail to look for tampering.

    In a type 2a defeat, tampering is not detected if the usual inspection protocol is followed and if the user visually studies the exterior of the seal (plus any internal parts that can be seen without opening the seal) to look for evidence of entry. See figure 2a. The visual inspection can be done with either the naked eye or a hand-held magnifier.

    In a type 2b defeat, tampering is not detected if the usual inspection protocol is followed and if the user disassembles the seal and meticulously examines the interior and the exterior of the seal visually (with the naked eye or a hand-held magnifier) to look for evidence of entry. See figure 2b.

    In a type 3 defeat, tampering cannot be detected, even if the most advanced postmortem analysis is undertaken. See figure 3. State-of-the-art techniques in forensics, material science, or microscopy will not be able to tell that the seal has been defeated. Classifying a defeat as type 3 is problematic in that it is difficult to be absolutely certain that no technology anywhere in the world has the ability to detect the tampering. Despite this problem, we believe we have demonstrated a number of type 3 defeats at LANL [13].

    If a non-type 3 defeat is successful in a seal application where the "usual" inspection protocol automatically includes meticulous visual examination of the exterior or interior of the seal, the defeat is classified as 2a or 2b, respectively, rather than as a type 1 defeat.

    For this contest the "usual" seal inspection process will be a cursory inspection held at arm's length, to simulate someone walking by or casually looking at the seals while talking to someone else.

    In reality a type 3 defeat is essentially the same as a 2b defeat because we don't have all the advanced gear on site to determine the difference, and we now treat them the same for points.

    Sign up if you are interested by posting in the registration thread, or in the helper thread if you want to help me run this thing. I'll be quite busy, so I will need to rely on a core group of people to help me pull this off. We will need to build the boxes, document what is inside, and then deal with the check in and out of the boxes as well as evaluate the results.

    Thank you all, I hope to have a few players and some fun results this year!

    The Dark Tangent