[AnthonyMouse]

Stickers are an inconvenience, especially when applied over a screw hole required for disassembly or similar, but it's not exactly cryptographically secure. What stops the attacker from buying the same sticker as you, or taking a good picture of it before destroying it and printing a new one off?

[mjg59]

An example is using glitter-containing nail polish to cover the screws, taking a high resolution picture and then having an app that checks whether the glitter particles are still in the same position. There are companies selling solutions along these lines.

[AnthonyMouse]

I guess at that point you're basically asking whether it's possible to make higher resolution printers than cameras, but considering you can in principle do printing using lithography similar to what they use to make semiconductors, that's probably going to win over the average phone camera. Although you're obviously then talking about a much more sophisticated attack.

[mjg59]

It's not just a matter of printing, it's a matter of placement. If you can carry equipment of that calibre into a hotel room and do the swap then that'll defeat things, but it's not clear that that's realistic.

[AnthonyMouse]

You wouldn't necessary need it to be in the hotel room. You sneak in, take a picture, have the lab down the street reproduce it, come back in a half hour and make the swap.

That's also assuming you would actually need that level of sophistication. It's plausible that there is a level of printing technology somewhere between "crappy inkjet" and "semiconductor fab clean room" that could still fool a phone camera.

There is also the possibility of accessing the inside of the machine without tearing the sticker. You think they're going to disassemble it by removing the screws, but they actually disassemble it by slicing off a section of the case with a sharp blade and then epoxying it back together. Or make their modifications through the cooling vents.

And that's really the other problem too. If you don't know how they're going to do it, you don't know what to look for to detect that they did. Your sticker is intact so you're safe, right? Right?

[mjg59]

You're still left with needing perfect placement, which isn't something that's realistic to do by hand. Physical case modifications are also going to be detected by any reasonable tooling (there's at least one vendor who can tell you which physical mold something came off on the production line via phone camera imaging, they're definitely going to spot a glued together hole in the case). So you're left with going in via existing case holes as the most realistic option, which has raised the bar by a significant amount - this is now an attack that's going to take much longer and require a higher level of skill, so the probability that it'll be carried out is reduced by a lot.

Nobody is realistically going to say that a computer plugged into the internet is unhackable. Instead the goal is to make it sufficiently difficult to hack that it's either cheaper to solve the problem a different way or target a different person. The same is true here. Nobody believes it's literally impossible to compromise an iPhone when you have physical access, but it's considered hard enough that almost any other option is preferable. We should be holding laptops to the same standard.

[znpy]

First things first: lol.

After that: at this point it's easier to pay a random person to follow you and steal your whole bag/backpack and wallet and make it look like the usual theft.

Or just break into your house/office or whatever.

[pvg]

You lol but a similar scheme was used for nuclear weapons treaty compliance verification (search for 'epoxy'):

https://www.washingtonpost.com/archive/politics/1988/03/21/a...

[mjg59]

The point is that even having physical possession of the system shouldn't be enough to get anything useful out of it.

[tptacek]

Our phones are just small computers, and the notion that the FBI can get things out of them given permanent custody is national news. It's weird that people think this isn't really one of the battle lines in computer security.

[pella]

cheap tamper protection:

https://mullvad.net/en/help/how-tamper-protect-laptop/

- "Then we paint the border of the sticker with glittery polish. It's important with the glitter because the outcome will always be unique."

- "After the polish has dried, we take a high-resolution photo of each area."

[ryan-c]

I think you may have missed that my comment was primarilly a terrible pun.