How could a dab of glitter nail polish be helpful in the realm of laptop security?
According to security researchers Eric Michaud and Ryan Lackey, who presented at the Chaos Communication Congress earlier this week, it might not stop anyone from tampering with your device, but it could at least inform you if someone had their hands on it.
In their speech called “Thwarting Evil Maid Attacks,” the researchers detailed how users are increasingly exposed to threats on their hardware and software that could make private or business data and networks vulnerable.
A description of session posted to YouTube noted that victims can often include those who travel overseas.
“Victims include governments and corporations traveling internationally (e.g. China), anti-government activists in places like Syria, and anyone who is a target of a motivated attacker who can gain physical access,” the description read.
Admittedly, the talk itself focused on professional seals (stickers) and other techniques (like turning a screw on the device into a specific position) to help users verify if their device has been tampered with or not before going forward and accessing information that could be recorded by keyloggers or other threats.
The researchers suggest taking a picture of what the device looks like before a user leaves it, then taking another picture when he or she returns and performing a “blink test,” which would allow the user to easily spot differences that could indicate an attack.
The glitter nail polish or paint tip was mentioned in the Q&A session at the end of the session.
“[For] a good seal, you want something that’s easily frangible but is not going to break by accidental use,” Michaud said. “A good one to use is pearlescent paint or nail polish, put it on all your screws, take a photograph. Specifically ones that have a lot of glitter in it, because it’s going to be very difficult to replicate that.”
To clarify, if someone were to physically enter a device that had glitter over its screws, he or she would have a hard time replicating the same glitter pattern. A different pattern would indicate the device could be compromised.
The idea is to create a seal that is impossible to copy. Glitter nail polish, once applied, has what effectively is a random pattern. Once painted over screws or onto stickers placed over ports, it is difficult to replicate once broken. However, reapplication of a similar-looking blob (or paint stripe, or crappy sticker) might be enough to fool the human eye. To be sure, the experts recommend taking a picture of the laptop with the seals applied before leaving it alone, taking another photo upon returning and using a software program to shift rapidly between the two images to compare them. Even very small differences — a screw that is in a very slightly different position, or glitter nail polish that has a very slightly different pattern of sparkle — will be evident. Astronomers use this technique to detect small changes in the night sky.
By taking the picture with a cellphone that is kept with you at all times, you can be reasonably sure the original picture hasn’t been tampered with or replaced. In order to guard against typical user forgetfulness, the experts recommend using a two-stage remote verification system. Such a tool would require that two pictures match exactly, for example, before allowing the user to log in to a potentially vulnerable system such as a VPN.
Watch the researchers’ nearly hour-long speech about device security:
Clearly, glitter nail polish, or a similar technique, won’t prevent someone from breaking into your device or protect your data completely, but as Vice’s Motherboard put it, “it’s certainly better to know you’ve been hacked than to find out only after you’ve infected your whole network.”
Featured image via Shutterstock.