A packaging that significantly raises the cost of tampering during shipping or storage. The security mechanism of BitBoxTep is a temporary locked particle fingerprint which is verified via image comparison of a reference image taken prior to shipment. It is currently in alpha stage and we are in the process of iterating the design towards a beta.
Our solution aims to serve targeted industries beyond sensitive crypto devices: such as privacy and security focused smartphone manufacturers, pharma- and biotech companies, labs handling toxic or radioactive probes, narcotics or doping testlabs, dice and card manufacturers, jewels and gemstone dealers, antiques and art agencies, etc. Anywhere small scale physical goods have to be protected from being looked at, manipulated, replaced or disappearing undetected, BitBoxTep is the potential solution.
BitBoxTep proposes a temporary locked fingerprint consisting of spherical particles. The particles are contained in a pouch that when placed under vacuum locks the particles in place to create the temporary fingerprint. When the vacuum bag is opened, the particles mix. This makes it extremely difficult to replicate the original fingerprint.
You compare the reference image taken prior to shipment with the received packaging. Currently, you can visually verify that the pattern is unchanged. Eventually, a mobile app using computer vision will aid to verify the two images are similar.
Check that the package is a rigid plastic box consisting of two parts. There is a round particle pouch attached with velcro to the box's enclosure mechanism and the system is vacuum sealed in a transparent bag. With the exception of a few particles, all particles should be locked in place by the vacuum. Some particles within clusters might move within a small range of 1-2mm.
Scan the QR code to access your reference image or visit https://tep.shiftcrypto.ch to enter the 8-digit identifier in the text mask. Important: Check the URL carefully to make sure you are visiting the correct website.
Compare the temporary locked particle fingerprints of the reference image and your packaging. They should match. You may want to take a picture of the sealed packaging for later reference.
Cut the vacuum bag open with scissors and pull the box with the attached particle pouch out of the bag.
Tilt the box gently to verify the particles move freely and mix into a loose state. If they are stuck to the pouch and don‘t mix easily, something might be wrong. In this case, please contact firstname.lastname@example.org
Pull the particle pouch away in order to open the box. You should hear the velcro separation and feel a pull resistance normal for velcro.
The particles should move freely.
Smell the particle pouch and the plastic box. It should neither smell like burnt plastic, nor should you smell any strong solvents.
To verify if there is a difference between your fingerprint and the reference image, we recommend going from high level to details.
Are there clearly identifiable clusters?
Are the clusters in the same positions?
Do empty spaces look similar?
Do single particles match up?
From December 2019 to January 2020 we selected a limited number of alpha testers to give us feedback on BitBoxTep. We invited them to perform various attempts to bypass the security mechanism of our first prototypes.
We have received valuable inputs on how to possibly iterate the design, what potential attacks to consider and where our community sees market potential. Despite offering a bounty for successful attacks, none of the alpha testers have managed to break in and reseal BitBoxTep with the fingerprint intact.
Our alpha testers especially liked the simple and understandable security mechanism and the clear instructions on how to verify the temporary locked fingerprint prior to opening. The majority appreciated the idea of reusability if it can be worked out to function reliably.
In addition, the alpha testers gave suggestions for improvement. The majority consider the QR code on the alpha particle pouches an unnecessary phishing danger. Also multiple participants would prefer to receive instructions and the reference image via email in the form of a shipping confirmation instead of verifying the fingerprint in an online database until there is an app available.
With regards to hardware, we have learned to look into different color concepts. For example, potentially using a bright color plastic box to make it more difficult to manipulate without the receiver noticing.
A first test with liquid nitrogen (-196°C) has revealed that while the particles could not be frozen to the pouch easily, the adhesive of the velcro looses cohesive strength at these temperatures.
We’ve prototyped a number of particle pouch designs with different materials, sizes and colors. Our main focus is to identify the best suitable material combination for the particle pouch (rigid, soft) which would lock the particles in place while ensuring that they become loose and mix when the vacuum pressure is released.
Currently we are able to lock over 95% of the particles. A handful of particles in tight clusters tend to move within a small area, which we consider acceptable.
We use industrial grade vacuum sealing equipment to make reproducible test sets. Our alpha prototypes have been tested to work in a temperature range between +40°C and -20°C. We have started with very low temperature tests using liquid nitrogen (-196°C) and also work to increase the upper temperature limitations. Lastly, we continually work on improving the duration of the vacuum seal so the particles can remain locked in position and still become loose again when the package is opened.