Glitter Nail Polish Won't Stop People Snooping in Your Data
But it will at least let you know if they have.
It’s the latest anti-spying tool, and oh-so-fashionable to boot: glitter nail polish.
As Wired recently reported, security researchers Eric Michaud and Ryan Lackey made the case for glitter polish as a security device in a talk at the Chaos Communication Congress earlier this week in Hamburg. But how useful is the Cosmo must-have really when it comes to protecting your devices?
Don’t be misled by the headlines; while the technique Michaud and Lackey describe certainly has its uses, it’s by no means a way of actually preventing people from stealing your data or installing malware. It was never intended to be. Rather, it’s a simple technique to tell if someone has tampered with your laptop or tablet after the event—not to actually stop them from doing so.
In their talk, entitled “Thwarting Evil Maid Attacks,” the researchers addressed the security exploit of potential “evil maids” tampering with travellers’ devices when they're left in hotel rooms. The same exploit can be extended to include border control officers who might mess with your data against your will—just yesterday a US judge ruled it was totally fine for border control to comb through people’s laptops and phones even without reasonable suspicion. The UK also reserves the right to grab all your data when you enter or exit the country.
The problem is that while you can probably keep your phone on you when travelling abroad, there will undoubtedly be times when you have to leave your laptop unattended, and that’s when it’s vulnerable to compromise. But for many travellers, it’s just not an option to leave their computer at home, or to wipe it completely of sensitive data.
Michaud and Lackey therefore proposed a way to tell if your device has been tampered with. They suggested putting seals over all the ports that allow internal access to your device. That’s hardly a new idea in itself, but the specific technique they’ve come up with has advantages over existing seals.
Michaud and Lackey's lecture, via Youtube/Albert Veli
For a seal to be effective at alerting you to intruders, it needs to be impossible to remove and replace without leaving a mark, and also unique—otherwise a snooper could just replicate the seal and you’d never know they’d been there. That’s why Michaud and Lackey suggested glitter nail polish. “You want something that’s easily frangible but not going to break by accidental use,” explained Michaud in answer to an audience member’s question at the end of the lecture. “A good one to use is pearlescent paint or nail polish: Put it on all your screws, take a photograph. Particularly ones that have a lot of glitter in it, because it’s going to be very difficult to replicate that.”
For those uninitiated in the sparkly stuff, each time you paint a nail (or, indeed, a screw on your computer), the glitter disperses differently, creating a unique pattern. In this security context it’s important to take a photo of your handiwork because it would otherwise be hard to tell if the same glitter polish was there, or if someone had replaced it with another blob of similar polish.
Michaud and Lackey described a verification system that uses a technique known in astronomy as “blink comparison”: You rapidly flick from one photo to the next, which makes it easier to see any changes. They plan to release software that could do the matching for you, to prevent human error. In their ideal solution, a device that didn’t pass the test would not be allowed to hook up to a company network, thus mitigating the impact of any malware.
So while glitter polish isn't a way to actually stop people snooping in your affairs, it's certainly better to know you've been hacked than to find out only after you've infected your whole network.
And a few bits of advice from a seasoned glitter polish user: Make sure to let it dry before you take the photo, or the glitter could move if it’s disturbed and upset your carefully documented pattern. I’d also advise against painting it directly onto your devices as it’s sticky stuff and difficult to remove (and I wouldn’t want to get nail polish remover—effectively paint stripper—too near any expensive parts). Painting the glitter onto a sticker (that you can't cleanly peal back and replace) might be a good solution.