Well, hello everyone. I'm X-Ray. I'm your host for today. Welcome to DEF CON 30's AltspaceVR Groups Village. So our speaker, our next speaker, is Hoodie Pony, who hails from Australia. And his talk is going to be on glitter nail polish versus the evil maid. Story spoiler: the maid wins. In 2018, Hoodie Pony bypassed a tamper-evident seal that was deemed impossible by the CTF organizers, the glitter nail polish on screws, and won the CTF. Just another nerd figuring out how things work by breaking things and challenging assumptions, sharing a story. Just another member of DEF CON Group 11613 in, I'll pronounce this correctly, Melbourne, Australia. So welcome, Hoodie Pony.

All right, there you go. Okay, let's see if all of the technology will work. Thank you, thank you. Can you hear me? All right. Sounds good. All right. All right. Good agents. Thank you for being here on such short notice. I'm Hoodie Pony, here for your mission briefing today. Actually, next slide. It's been a long day and this mission is time-sensitive, so we'll be brief. Next slide.

According to our intelligence reports, a person of significant interest, Dr. Rowe, will be presenting at DEF CON 30 tomorrow, the homecoming of the hacker, anarchist and anti-corporate community, with journalists and intelligence organizations from across the globe in attendance. We've been informed that in their highly anticipated [redacted] talk, they will be releasing data that is of significant corporate interest. We need that information before it is released. It could be an existential threat to our organization. We have identified that Dr. Rowe will be staying at the Plaza Hotel, and your mission is to retrieve a copy of the data, the encryption key for that data, and place a bug inside their laptop so, well, we can continue to keep an eye on things of importance. We understand that Dr. Rowe has deployed tamper-evident seals and techniques protecting these targets.
They also have a dead man's switch on their person that will release that information immediately to potentially hostile parties should our tampering be discovered. It is very important that our actions are not discovered. Next slide, please.

But how, you might ask? Well, that's a pretty good question. We believe that Dr. Rowe will be leaving for dinner with a few friends later this evening and will be attending a few of those sponsored parties that are so famously known for. That would be our opportunity to act. We've prepared for you to enter as housekeeping staff at the Plaza Hotel. We believe that, next slide, please, we believe that Dr. Rowe will leave the targeted items in the room. You have a few hours to act before they return. Next slide.

You have three objectives. All these objectives must be accomplished without any signs of tampering or signs that these items have been disturbed. Don't worry about it being forensically clean. We just need to make sure that Dr. Rowe doesn't notice it before their presentation tomorrow. The objectives are, from left to right: Objective Alpha, retrieve a copy of the encryption key in a sealed envelope. There should be a folded paper with the encryption key written on it. Simply take a photo of that key and return the target to its original state. Next. Objective Bravo, retrieve a copy of the data from the encrypted USB that would be sealed inside the tamper-evident bag. Objective Charlie, plant a signal intercept bug in Dr. Rowe's laptop. From Dr. Rowe's previous actions, we know that Dr. Rowe will take precautions by using glitter nail polish directly on their laptop to protect it against tampering. Next slide. We understand that the objective, sorry, one slide back. Thank you. Previous slide. Yay. Awesome. We understand that Objective Charlie can be most challenging. Some say it is mission impossible, as it is widely believed that there are no known bypasses. Next slide. Not quite.
We've had it since 2018, and we'll be reading you in on the TTPs with this mission briefing to ensure your success. As always, all of these are strictly classified and protected by the initial agreement with us during your employment contract.

Let us first start with the basics. Keep in mind that we are only interested in bypassing the seals in a way that will not be detected by casual human visual inspection. There are three common attack types to bypass tamper-evident seals: chemical, physical and temperature attacks. Next slide, please. Next slide. Yeah, okay. Cool. Thank you. We'll dig deeper into the common attacks as we talk about your loadout. Upon arrival at the Plaza Hotel, an asset will provide you with a cleaner's cart and appropriate uniform. But due to the constrained timelines, you'll have to improvise. You need to pick up some tools yourself. You'll be able to source these from your garage or your local pharmacy. Next slide.

Chemical attacks. Most of this would involve the use of solvents to attack the glue or the binding agent or the material itself. Using these, you could, for example, undo glued wristbands without damaging the paper it is binding together. For this mission, we recommend that you prepare at least acetone and methylated spirits, with other solvents and reagents as available.

Physical attacks: the use of physical force to manipulate or attack the binding or container, or glue to put things back together. An example is to use a knife to pry things open or to cut the seals away from a container, and then to join them back together with superglue. For this mission, we anticipate that you'll need your standard-issue multi-tool and superglue. Next slide.

Temperature attacks. Taking advantage of how materials behave, we can use either heat or cold to manipulate the seal or the container to our advantage. An example is to use cold to cleanly shatter or break a seal by taking advantage of the different rates of contraction.
For this mission, you'll need a cigarette lighter with you. Next slide. Other useful tools you'll need to facilitate your attacks include needles, specifically insulin needles if you can acquire them, a good electronics toolkit to help you undo those pesky security screws, and clear nail polish for Objective Charlie. Did we lose the slide deck? Yes, we did lose the slide deck. One moment, please. And it looks like we are back. Alrighty, so let's continue the briefing. All right, as I was saying, you'll need a good electronics toolkit to undo those pesky security screws and clear nail polish for Objective Charlie. Next slide, please.

So let's just jump right into preparations for your mission. For Objective Alpha, to retrieve the encryption key: how would you retrieve the code within this without any obvious signs of tampering? Audience? Anyone want to give it a shot? Thoughts? Feel free to just yell out.

Steam.

Sorry?

Steam.

I can barely hear anyone. I can see you saying steam, steam. Yeah, they're saying steam. Yep, that's one way. Anyone else?

Could you try shining a light through it and see if you can read it without opening it?

That's a very good attempt. Let's just say, for the purposes of this scenario, it's using really thick stock paper, say, you know, 200 gram stock paper that you can't read through. So yeah, how else? Just a bit of a note with regards to steam: steam can stain the paper and can leave water residue marks. So you'd want to avoid using steam in this situation.

Could you apply heat to the adhesive and see if it comes open?

Sorry, I could barely hear that. Apply heat to the adhesive. Yeah, you could try that, but that would probably mark the paper, as it would turn brown with heat.

Could you slice one end open and then seal it up?

Sorry? Could you slice one side open and then seal it back up? Yes, that is definitely possible. And that's a relatively good approach, as long as the sealing back up is not obvious.
All right, let's just say one of the things that you could do is, well, if there is a bit of a gap, you could just try to get the paper out. Or otherwise use a liberal amount of methylated spirits or any of the solvents to get the glue soft, and it should just fall right open with no visible residue, because methylated spirits evaporate and leave behind no visible signs of tampering. I think the slides died again. Yes. Cool. Yeah. So, and we just stay cool. So softening the glue allows you to open it with no disturbance. Now, next slide. Thank you.

For Objective Bravo, retrieve the USB from the tamper-evident bag. How would you reach the USB without any signs of tampering? Am I coming through? Okay. No, it's, um, it's down. It's not working. No, we can see that. What's, we can see the slide, but you're okay. Okay. Let me just try the audio thing again. Sorry about that. Audio works now. Yes, no. Yeah, better. Okay. Joy, better software on better software. Fun.

Okay, so let's go to this, since we've kind of revealed the slide. So how would we do this? If we go to the next slide, yeah, this slide. So we could use solvents to soften the glue like the previous objective. However, with the tamper-evident bags, it is sometimes hit or miss whether the solvent will dissolve the ink itself on the seal, thus revealing that the bag has been tampered with. So a safer approach is to carefully slice the sides of the bag and use a heated blade to reseal the bag once the drive has been removed, copied and placed back in. Next slide, please. It's the one with the glitter nail polish. Next slide. Am I cutting out again? Oh, we can hear you. Okay, cool. Okay. Sorry. Can we go to the slide with the glitter nail polish, slide 19? Where are we at? Yeah. Slide 19. Let me see if I can get the edge plug in. Yep, not a problem. Looks like we are having technical difficulties. Hopefully your mission will be a bit smoother than this. Technology.
Fantastic, looks like we're back. So continuing with Objective Charlie, it takes a bit more effort than our previous objectives to complete. But removing glitter nail polish directly on the screw is certainly something possible after this briefing. Next slide, please. We'll need to put together all our previous techniques to successfully accomplish this objective. So how do we do it? Next slide. This is on the right track. We'll take advantage of any of these weaknesses as available to make our task easier. Next slide.

Let's jump right into it. First, start by carefully observing the nail polish. Next slide. So what is the challenge here? Well, it is that the nail polish strongly binds to the screw and the surface of the laptop. It is believed that the only way to remove the glitter nail polish is to remove all the nail polish and replace it with a new coat. The glitter's arrangement makes it practically impossible to replicate, thus it is observable that it has been tampered with. Well, what if that assumption isn't quite true? Next slide, please.

The goal here is that Dr. Rowe does not notice their laptop has been tampered with. That means by casual visual inspection, they should not notice any damage to the seals. However, as an additional precaution, the glitter pattern should also match any photographs they would have taken of it. Next slide, please.

So the hack here. The nail polish applied would have some height to it, no matter how thin. The top half, shown in red on the diagram, is more visible, thus more important. The bottom half, shown in green, is less visible, thus some damage can be done to this layer without it being visible upon inspection. So taking advantage of this, our attack will be on the bottom layer, preserving the top so that it is visually untouched. Next slide, please.

With that, let's jump into the process. Step one. Well, start by taking pictures of the seal.
This will be your reference and is crucial for ensuring you are able to put the seal back together in a visually similar manner. Get close; the clearer your pictures, the easier it is to work with later. But also keep track of which picture belongs to which screw. Next slide.

Next, start by picking a single screw to work on. Then, as targeted as possible, heat up the surface of the laptop near the nail polish. The different rates of material expansion should help slightly peel off the edge of the nail polish blob. If you can find some leverage around the nail polish without damaging it, you may not need this step. Remember, take it slow and careful, and be very careful with it, as you do not want to damage the nail polish coat, especially the thinner outer edges. Using the sharpest knife or blade that you have. Next slide. Yeah, thank you. Using the sharpest knife or blade that you have, attempt to slowly lift a thin portion of the film up while doing that. Next slide. Next slide, please. Slide 29, please. Yeah, cool. Thank you.

Add tiny beads of acetone using an insulin syringe to the edge where your blade meets the nail polish to help dissolve a thin layer of the nail polish. Caution: do not add too much, as it may take away more nail polish than you want. Next slide.

Well, repeat steps two to four, a tiny, gentle bit at a time, until you get the whole top off. Patience and being delicate is important. Do not rush it. Don't worry about the nail polish in the screw itself. Go ahead and use acetone to clear off enough so that you can get a screwdriver in there to remove the screw. Now, repeat this for all the screws. This process may take a while. It took about 30 minutes per screw the last time I did this. Next slide, please.

Planting the bug anywhere near the CPU would be fine. Remember to secure it down. A dab of superglue or clear nail polish to hold it down will do nicely. Now put it all back together and screw in all the screws.
And then we move on to putting the glitter nail polish back on top, capping off the screws. Next slide. To begin the reassembly process, begin by placing a very thin layer of clear nail polish on the screw itself. Remember to fill the gaps on the head of the screw so that it is a nice flat surface. Be careful not to use too much or to cover more space than the initial nail polish originally did. You might find the use of a toothpick or syringe helpful to control the amount of clear nail polish that you use. Next slide.

Using the photo reference that you have taken, carefully align and place the original glitter nail polish film back onto the screw. A steady hand is important here. Take the time to carefully align it back to as it was. Be careful that there is no excess clear nail polish that overflows the original blob's boundary. That's it. As long as you match the reference photo and the film does not detach from casual handling, you'll likely be in the clear. Dr. Rowe, and most people, would have taken photos or, more likely, would just observe it to see if there is damage done to the seal. When we first accomplished this in 2018, there was the use of computer vision software matching against a reference image that we had to bypass, but we do not expect Dr. Rowe to have such technology at their disposal, and they would likely just simply inspect them visually. Do this to all the seals that you've removed, and with some practice, this could be done quite quickly. Next slide, please.

Well, congratulations. Now, get out of there and get back to safety. That's it for the mission briefing. Mission commences at 0200 Zulu. Godspeed. Next slide. Next slide.

Some special thanks to the contributions of the various giants that have made this possible. Next slide. For the DEF CON 19 seminal talk that helped form the foundations of my knowledge. Next slide.
To the awesome kids, Moss and Boo, for being such great sports and sharing their knowledge to get me started, and for writing heaps about tamper bypasses. Next slide. And the seminal talk that introduced the glitter nail polish approach, the CCC talk that introduced the glitter nail polish approach. Next slide. And many, many others, including DCG VR for the opportunity to speak. And many others. Next slide. And thank you for listening to this short story. Questions.

Yeah, you. Sorry, where did that voice come from?

Hi. So with the amount that you use, it's almost not perceptible. Because at the end of the day, you're just using a small little drip of it. So yeah, I mean, the other thing is, who sniffs it? So yeah, there's that. So practically, you just look at it, and, oh hey, looks fine. It's all right. And then just move on. Mm hmm.

How reproducible is this? Like, what are the chances of success when this needs to be done?

For that, you'd have to attempt to do this on a regular basis. You know, reproducible enough. So yeah, it's reproducible enough with enough practice. I initially didn't plan to do this talk because I just thought it was, well, meh. And it was kind of like a known thing. So yeah, reproducible enough, I guess. I just didn't have the time to, and even like, taking off tiny bits at a time in a live demo. But yeah, sure, sure.

Yeah, so I guess my question is, laptops in a row, right? How many of them would notice tampering by the time you were done? The chance of screwing it up? Or maybe it should be half or something like that?

I mean, like, you wouldn't do this on a bulk surveillance scale. You'd probably be, you know, an evil maid attack. And that's why, for the context of this story, I put it within the context of an evil maid attack, because it takes way too long to do this from a bulk surveillance perspective. I mean, you could hire a whole bunch of people, but you know, that's also a very big logistical operation.
So this is more of a targeted, clandestine-operation type attack. Yeah, that would be my take on it.

Now, what's interesting is, until this presentation, I had not heard of any confirmed valid attack on the glitter nail polish methodology. I'd heard rumors. I hadn't actually heard of an actual successful attack. So ladies and gentlemen, you just witnessed a zero day. Congratulations. I guess we drink. So I guess the tradition of dropping zero days at DEF CON lives on. And even at the virtual DEF CON, we have them. So that's excellent. Yeah, from across the world. Any more questions? Yeah, from Melbourne. I'm getting better at pronouncing that. Any more questions for our speakers? No, all righty then.

Not really questions. The comment is interesting. I've never really heard of the nail polish protection until about, I want to say, a week or two ago, when one of my buddies from another security group was giving a talk about it. So it's really interesting to see, like, a kind of a bypass for this approach. So thank you for that.

Yeah, I mean, to be honest, to be honest, like, it appeared on Hacker News and stuff that the attack is, it's still viable. And I'm like, yeah, okay, I should probably do a talk about it, since it's not known that there is an actual attack for it. So here we are.

I actually just recently found out about, you know, the whole, like, nail polish method, real-life hack or article, just now. Yeah. Anyway, and it's like crazy how all this happens. Yeah.

And also, full disclaimer, this is a fictional story. Yeah, fictional story, but the hack is actually real. So that's kind of cool. Yeah. Alrighty, I will give back the microphone to the emcee here, X-Ray.

Thank you, Hoodie Pony. We appreciate your presentation. I really wanted to see this one when I saw the write-up submitted. This was on my hot list of seeing. Our next speaker is going to be here in about 30 minutes. It was supposed to be Shelter. He's disappeared. We haven't heard from him.
So we don't know. As far as I know, unless he shows up at the last minute, he's not going to be speaking. Our next presenter will be Side Pocket. So that's looking good so far. So take a break. Come back in about 30 minutes.