Tampering with Transportainers
Aug 25th, 2008 by sherri
I stood in a dimly lit room at Argonne National Labs with both wrists handcuffed, working a tool into the mechanism on my right hand. “Push the cuff up and then down,” said Jon Warner helpfully. The cuff snapped open.
We were in the Vulnerability Assessment Team’s (VAT) “museum,” a small display room in Argonne National Laboratory. The tables in the VAT’s museum were littered with locks, bolts, seals and unrecognizable electronics. I had been brought there by Eric Michaud, a fellow researcher on the team. Jon explained that the purpose of the VAT is to try to emulate the “bad guy,” investigating real threats for both industry and government. Much of their work focuses on “tamper-indicating devices such as bolt seals, adhesive label seals, etc.,” upon which our global supply chain relies.
Jon lined up four shipping container bolts on the counter in front of me. “Which one has been tampered with?”
I inspected them all diligently. The heights were the same. Perhaps some were a little more scratched than others? Upon close inspection, they all had almost imperceptible variation, but none which seemed to specifically indicate tampering.
Finally, I picked out the one that seemed to be the most scratched, and handed it to Jon. He twisted the top. “Nope.” Then he picked up one of the other bolts, and checked it. Suddenly, the top popped off.
“We modified the bolt seal so that we could open it when we wanted to ,” he said. “See, we can take a bolt seal that is already on a container being shipped, modify it and enter the container whenever we want.” Someone who managed to slip these tampered bolts into the supply chain could steal millions of dollars of merchandise, smuggle goods or people in legitimate containers, or contaminate the food supply.
I studied the bolt, intrigued that the security of our global supply chain rests on such an innocuous object.
Sherri Davidoff
> I studied the bolt, intrigued that the security of our global
> supply chain rests on such an innocuous object.
I am not. Not at all actually. I think the security of our global supply chain rests in numbers. There is simply too much supply moving to too many places for the “global supply chain”. Nothing you could do would be more than a blip. Things are stolen, and smuggled every day of the week. Generally speaking, it doesn’t matter.
Truely terrible things, like contaminating food, have very little use, and very little benefit. Most people can be coerced or convinced into doing bad things, like the adware author you interviewed, but…. very very very few can be convinced to actually directly hurt people in an undeniable way.
Those that can are too few in number and means to do anything of signifigance, as shown by the fact that they never have done anything of signifigance.
So far they have killed a laughably small number of people, destroyed a ridiculously tiny number of buildings and planes, and generally, not much else other than making “statements”.
You found a few mole hills, not a mountain chain.
I think Lawrence Lessig’s Essay on “Insanely Destructive Devices” pretty much says it all: http://www.wired.com/wired/archive/12.04/view.html?pg=5
-Steve