This is the Tamper Evident Village at DEF CON 30. And what's interesting is that another type of physical security bypass, isn't it? Yes. So at the Tamper Evident Village, there's, I think of, when I think of tamper evidence, I think about like the zip ties around stuff, which are like one-way zip ties. And then these type of labels where when you rip them off, it leaves some of the, like a lot of it behind. Now that's being cardboard, I understand, it's a little different, kind of this residue behind. What is tamper evident? Like can you just kind of put a definition a little bit to it? Sure. So tamper evident is technology that is adjacent to locks. So locks are meant to keep people out of your thing for some period of time. Tamper evident is made to show that somebody tried to access your thing, whether it's a shipping package, an envelope, a safe, a shipping container, whatever it is, right? I think I even remember it didn't, like some of the old phones, for the hardware hacking village, I know like to void a warranty, for instance, you open it up and it might either rip a chip off or it just shows that, hey, you've voided the warranty by opening it. Most electronics have some form of adhesive seal. That's like a warranty sticker or something like that. And here you start finding, and within this village, you start finding vulnerabilities for these type of tamper evidence. And you have one of them, you're gonna show me a demo right now of how you would go about pulling off one of these pieces of tape. Let's jump in. What do I have to do to be able to pull this thing off? Okay, so there's lots of different ways to attack it. You can go with temperature, hot or cold. We're gonna use chemicals just cause it's easier and less likely for people to hurt themselves here at DEF CON. And lots of other things, but the goal is that if this is your package, when you get it on, you receive your package, it looks the same to you. You go, yes, there's no residue.
The tape hasn't been damaged or ripped off or cut or anything like that. So I imagine like a practical application that we've seen be exploited as with like crypto wallets. Like the Ledger crypto wallets, what happens is they take them, they open the package, they set a private key, they write it down, then they repackage it, put all the tamper evidence stuff back on, and then sell that. Yeah, it applies to anything, right? So if your company orders servers, right, they get shipped to you, what if somebody intercepts it, tampers a package, affects your hardware, changes your firmware, whatever, right? So basically anything, mail, shipping, cargo related, can be tampered, right? And usually the goal is not theft, because if you're just gonna steal it and it's gonna be missing anyway, you just rip this off, right? So obviously chemistry's a big subject, but we're just using acetone on these tapes here. Acetone doesn't work for every single thing, but for the most part, it's a pretty decent, accessible solvent for most people. No, I'm a noob. For acetone, can anyone pick this up? Do you need a license? Where would you go picking this up if you wanted to learn some of this? So this is just, at least in the US, this is just hardware store acetone. It's pure acetone, like 90 plus percent pure. If you don't have access to that, you can also get it from drugstore as nail polish remover. The only downside to nail polish remover is that, number one, it's usually weaker. Number two, it usually has dyes or perfumes in it, which might affect your ability to tamper. You don't wanna leave like a blue circle or anything. Okay, so it's just like standard hardware. I can pick it up, Home Depot or something like that. So what we're gonna do is, by the way, I love how you say, hot or cold is dangerous at DEF CON, yet you go ahead and you're like, one second, let me grab this needle out right now. Well, we used to use hypodermic needles.
I actually prefer them, but we're using industrial needles, so you can't hurt yourself, at least not as easily. I'm propping it up just to help gravity do it. One of the advantages of cardboard is that you can, it's absorbent, so it'll soak up the solvent. But I'm just putting a little bit here. That was a lot. Yeah, you're at an awkward angle to get it on camera, so. Yeah, well, I'm doing the angle so that it flows down, so that when I start picking this up, it, the cardboard will soak up. Oh, wow, it works that fast? Oh yeah. And you'll notice this is still sticky, right? So this is still stuck to, thank you, to my tongue depressor here. And I'm using the tongue depressor so I don't mar the finish, or if you're working with your hands to not leave fingerprints. But it works pretty quick, and you'll notice this is sticky still. So I'm gonna let this soak for a second, but you'll see this is already evaporating. Yeah, so that, that was what I was just thinking is, would the water damage the box, or not water, but would the acetone damage the box, and I see it drying already? Yeah, for most cardboard and most acetone, it won't. If you use a lot, you might stress the fibers of the cardboard. Like think of like a paper that gets wet, it gets kind of wavy. But for the most part, it's fine. This board was just a random board we picked off the table, and it may have been done dozens of times over the weekend. That is incredible. I can't believe how fast it was. Yeah, you'll see it's already drying. I mean, if it was a giant box, you can just kind of wave it a little bit. Yeah, I mean, generally you open the package and then you're doing something with the contents for some period of time, photographing it, modifying it. It's like computer hardware or software kind of thing. I imagine with the tamper evidence stuff, also there's multiple attack paths. This one is removing it. 
The other one might be like buying more of that, like going, finding the manufacturer of that specific tape and say, okay, cool, I can just, I can remove it, but I can also put a new piece on. Exactly, so this specific piece of tape doesn't have any serial number. The lines are made so that if you cut it, it's very hard to realign the lines visually. Some of the others we flipped it up, but you can see there's a serial number on this one. So if you just try to replace this, in theory, the person should see, hey, my serial number changed. Just depends on, there's a person, no matter if it's adhesive or mechanical or electronic, there's a person in the loop that says, yes, that is good or not. So part of this is fighting technology, part of it is fighting the person, like if they don't check the serial number, then maybe you can get away with putting another one that looks the same. So at this point, it's dry. It's pretty much dry, yeah. Did that dissolve all of the, I guess, the glue on the thing? Speaking of which, sorry. You reminded me not to put your face down. You're on the piece of tape. So it actually doesn't dissolve the glue. What it does is it creates a buffer between the adhesive layer of the tape and the surface of, in this case, cardboard. So it basically causes it to float up off. So that's why it's still sticky. It doesn't dissolve the tape. Maybe over, like, if we tamper this, like 50 times or a couple times. Yeah, in theory, true attack, you're only doing it once in the village. You're doing it over and over. Exactly. So again, like this board, who knows how many times. So we open it up, we modify hardware, we put it back. Are we able to just stick it right back on? Yeah, it's sticky right now. So now that it's dry, and professionally we would take a photo and measure this and put it back in the same spot, but it doesn't matter. To get it off the last little bit, we're just gonna take a little bit of acetone. It's amazing it's even stuck to that. 
Give that a second to dry. But it's back to what it was. This is so cool. I know I say this for so many videos, but this legitimately is so cool. I have, this is the first time I've experienced this. This is awesome. Thank you. If someone wants to research more, I guess this is the question. If you wanna research more about this, where would they go? Is there a forum? Is there a DEF CON forum they can look at? Not really. So I give a talk about it at some number of DEF CON I don't remember a while ago. What's your handle? Someone wants to look at it. I'm Datagram, by the way. Hi. There's not really a lot of info on it. You can find some scattered YouTube videos of people doing individual tapes or individual mechanical seals. There's really not a lot of info. I wanted to troll and say tamperwiki.com because it's a website I made a long time ago that I never did anything with that people are really upset that I haven't filled out information for. But yeah, sorry, there's not a lot of info. There's some talks. Like I said, my talk from Black Hat DEF CON. Or come to DEF CON. Or come to DEF CON, yeah. And figure it out. Thank you so much. Thanks for watching. And as always, hack on.