Tamper-evident preparation is the process of taking precautionary measures to make it possible to detect when something has been physically accessed by an adversary.
Tamper-evident preparation can be used:
- To detect if an adversary has accessed an electronic device during a covert house visit (in which case they may have installed malware on the device).
- To detect if an adversary has accessed a stash spot or safe house.
Examples of tamper-evident preparation techniques include:
- Applying nail polish to a laptop's screws and taking pictures of the screws. Because nail polish dries into a complex pattern, it would be very difficult for an adversary to remove a screw and reapply polish without altering the pattern. Therefore, when you want to verify that the laptop has not been opened, you can take new pictures of the screws and compare them with the original pictures: if the nail polish patterns are identical, the laptop has not been unscrewed.
- Immersing electronic devices in a transparent box filled with a mixture of small objects of different colors (for example, half black pebbles and half white pebbles) and taking pictures of the sides of the box. Because such a mixture has a complex pattern, it would be very difficult for an adversary to remove the electronic devices without altering the pattern. Therefore, when you need to remove the electronic devices from the box, you can take new pictures of the sides of the box and compare them with the original pictures: if the mixture patterns are identical, it means that the electronic devices have not been accessed. A systematic application of this technique is to ensure that an electronic device (e.g. a laptop) is always immersed in such a box when you're not near it.
See AnarSec's guide “Make Your Electronics Tamper-Evident”[1] on how to use tamper-evident preparation for electronic devices.
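The verification step in both techniques above is a comparison of a reference photo with a new one. The script below is an added illustration, not code from this page or from AnarSec: it compares two small grayscale "photos" of the pebble box block by block, using normalized correlation so that a change in lighting between the two photos does not look like tampering, while a region where the pebbles were moved is flagged. The images are constructed in the script from a fixed seed; the functions, block size and 0.9 threshold are assumptions for the example.

```python
import math
import random

# Constructed sample input: a 32x32 grayscale "photo" of a box of black and
# white pebbles, generated from a fixed seed so the example is reproducible.
def make_pattern(size=32, seed=1):
    rng = random.Random(seed)
    return [[rng.choice((20, 235)) for _ in range(size)] for _ in range(size)]

def relight(img, gain, offset):
    """Same scene photographed again under different lighting (gain/offset per pixel)."""
    return [[max(0, min(255, int(p * gain + offset))) for p in row] for row in img]

def disturb(img, top, left, height, width, seed=7):
    """Pebbles moved in one region, as if the box had been opened and refilled."""
    rng = random.Random(seed)
    out = [row[:] for row in img]
    for y in range(top, top + height):
        for x in range(left, left + width):
            out[y][x] = rng.choice((20, 235))
    return out

def identical(ref, new):
    """Naive pixel-exact comparison: fails as soon as the lighting changes."""
    return ref == new

def _ncc(a, b):
    """Normalized cross-correlation of two equal-length pixel lists (1.0 = same pattern)."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    sa = math.sqrt(sum((x - ma) ** 2 for x in a))
    sb = math.sqrt(sum((y - mb) ** 2 for y in b))
    if sa == 0 or sb == 0:  # uniform block: match only if both blocks are uniform
        return 1.0 if sa == sb else 0.0
    return sum((x - ma) * (y - mb) for x, y in zip(a, b)) / (sa * sb)

def changed_blocks(ref, new, block=8, threshold=0.9):
    """Return (row, col) of every block whose pattern no longer matches the reference.
    Comparing per block localizes where the pattern was disturbed; normalizing
    per block tolerates brightness/contrast differences between the two photos."""
    size = len(ref)
    bad = []
    for by in range(0, size, block):
        for bx in range(0, size, block):
            a = [ref[y][x] for y in range(by, by + block) for x in range(bx, bx + block)]
            b = [new[y][x] for y in range(by, by + block) for x in range(bx, bx + block)]
            if _ncc(a, b) < threshold:
                bad.append((by // block, bx // block))
    return bad
```

An empty result from `changed_blocks` is the "patterns are identical" outcome; any listed block is a region to inspect by eye against the original photo, since the check only tells you that the pattern there differs, not how.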
Techniques addressed by this mitigation
Name | Description
---|---
Targeted digital surveillance |
Authentication bypass | You can use tamper-evident preparation to detect when a device has been physically accessed. Once a device has been physically accessed by an adversary, you should consider it compromised and never authenticate to it again. This is because, in a worst-case scenario, the adversary may have copied the device's data and compromised its firmware so that when you enter your password, they can remotely obtain it and use it to decrypt the data.
Physical access | You can use tamper-evident preparation to detect when something has been physically accessed by an adversary.