Tampering with Tamper-Resistant Screws

A wide array of products are secured with tamper-resistant screws. From restroom partitions and vending-machine coin-mechanisms to double-cylinder deadbolts and access-control keypads, these specialized machine-screws are employed to keep mischievous people from messing with stuff. These fancy screws are good for some applications, and they are not good for others.

First we’ll address what they do well. Tamper-resistant screws can be installed in place of any existing screws. They’re designed to be difficult to remove without special tools –tools that unauthorized personnel are unlikely to have. These screws work well for this purpose, in relatively low-security applications; and they cost quite a bit less than locks do. When the threats to be defended against are nothing more than a little vandalism or minor theft, for example, tamper-resistant screws are a very good solution.

Their usefulness in higher-security applications is limited not useless, but limited. Security screws should not be used without an understanding of those limits, so let’s discuss those limits. This article will address a few of the most common types of tamper-resistant screws: one-way screws, spanner screws, and a tamper-resistant variation of Allen-head screws with a protruding pin that keeps regular Allen wrenches from working. These three types of screws are shown in that order in Figure 1. The principles discussed in this article apply to other types of tamper-resistant screws as well.

A one-way screw is designed to be installed with a standard flat-head screw-driver, but the shape of the head is intended to prevent a one-way screw from being easily removed with a standard flat-head screw-driver.

A spanner screw has two small holes drilled in its head and is designed to be installed and removed only with a special spanner screw-driver.

Likewise, a tamper-resistant Allen-head screw is designed to be removed only with a specially modified Allen wrench having a small hole drilled in its end to accept the protruding pin in the head of the screw.

While it is relatively difficult to remove these screws without the proper tools, it is not impossible. In order to make good decisions on whether these fasteners should be used for a given security application, it is important that we first understand just how difficult it is for hoodlums to remove them, as well as, perhaps, what kind of evidence a hoodlum is likely to leave behind.

Figure 2 shows our three screws installed in an aluminum plate. The one-way screw, on the left, was installed using a standard flat-head screw-driver. Notice the counter-clockwise ramps in the screw’s head. A screw-driver turned clockwise engages the screw-head and forces it to rotate, but a screw-driver turned counter-clockwise slides up the ramps and accomplishes nothing. The intention is that the screws can be installed with a standard screw-driver but can not be easily removed without a special removal tool that digs into the ramps to get a good grip.

Unfortunately, one-way screws are relatively easy to remove with a standard flat-head screw-driver. All one has to do is push hard while turning counter-clockwise. When a one-way screw has been particularly well torqued by the installer, it may become necessary to use what I call a “poor man’s impact driver” as shown in Figure 3. Smack the screw-driver’s handle with the heel of one hand while turning the screw-driver with the other. It hurts a little, but with nothing more than two hands and a flat-head screw-driver, one-way screws can be removed with little hassle.

What evidence does the attack leave behind? Some gouges in the ramps, as shown in Figure 4. The proper tool would leave gouges as well, so if you want to rely on these gouges as evidence, be sure to install each one-way screw only once. Establish and enforce a policy that any removed one-way screw will always be replaced with a new one.

Now let’s examine the spanner-head screw, shown in the middle of Figure 2. It is intended to be installed and removed with a spanner screw-driver or with a spanner bit like the one in Figure 5. Let’s assume for a minute that unauthorized users will not possess any special tools. A screwdriver and a small hammer can be used to exploit the holes, tapping the screw-head counter-clockwise to loosen the screw as shown in Figure 6. Notice, in Figure 7, that this method leaves gouges in the edges of the holes. If one or both holes is gouged like this, then someone perhaps a hoodlum has been screwing with your screw!

The tamper-resistant Allen screw, shown on the right in Figure 2, was installed with a special Allen wrench that has a hole in its end. It was torqued down well. In Figure 8 it is being loosened with the pliers of a common multi-tool. The teeth of the pliers left marks that can be seen upon close examination of the screw. Those marks are shown in Figure 9.

In Figure 10, many tamper-resistant Allen screws secure the playground equipment behind an elementary school. I suppose it is intended to deter hoodlums from stealing or sabotaging the equipment, thereby helping to assure that the children can have a fun and safe recess. The screw, shown up-close in Figure 11, is intended to be removed only with the proper tool. But, once again, a pair of pliers can do the trick as well. This method does leave visible evidence, as seen in Figure 12, but it’s less obvious than on the previous screw. The plainness of the evidence is related to how tightly the pliers are clamped onto the screw-head and to how much torque is required to loosen the screw, whereas this screw had not been fastened as tightly as the other.

What does all of this mean? First, despite some manufacturers’ claims, it proves that these tamper-resistant screws are far from tamper-proof. But, although tamper-resistant screws provide only a moderate level of tamper-resistance, they provide clear evidence when they’re opened with standard hand tools. If the screw-heads are regularly inspected, then this tamper-evidence significantly increases the overall level of security provided by such screws. As such, while their overall security is still moderate at best, it is sufficient for many situations that do not warrant the added expense of locks.

GREATER SECURITY REQUIRED

Let’s look at three situations where tamper-resistant screws do not provide sufficient security on their own, even if regularly inspected. The first such situation is shown in Figure 13. It’s a Securitron DK-11 keypad, clearly labeled as such. The security provided by the keypad is circumventable by unscrewing the keypad from the wall and removing any one or more of the four wires that are connected to it. This is because the DK-11 keypad directly controls the power to the electromagnetic lock on the door. (Not everyone knows this weakness, but anyone who ever tries to pull a MacGuyver on this keypad will certainly succeed.) The door is on the exterior of a restaurant that is left unattended for several hours every night.

The DK-11 is not designed for such a scenario, and for anything but low-security applications, Securitron recommends the use of the DK-16 with its separate interior-mounted control unit. We need to pay attention to such recommendations and use security equipment appropriately, as a couple of fancy screws can only do so much for us.

To make matters worse, this keypad has been removed multiple times for combination-changing without the proper tool, and after each removal the same pair of one-way screws has been reused to fasten the keypad to the wall. The limited tamper-evident quality of the screws has thus been defeated, so it may very well be that no one will ever know when this access-control system is bypassed.

Second, consider a double-cylinder deadbolt, fastened to a door separating two business suites that are leased by separate companies that have no reason to trust each other. The two key-operated lock-cylinders are often attached to each other by two one-way screws that traverse the door and lock-bolt. It is common in double-cylinder deadbolt design for both of those screws to be installed from the same side of the door. Inherent in this design is a bias in security. That is, the door is more easily unlocked from the side on which the screw-heads are exposed. When real burglar-resistance is required, the tamper-resistance offered by such screws is insufficient.

Some lock manufacturers are offering good solutions to this problem. Schlage addresses this issue by putting one screw-head on each side of the door. Arrow goes further by concealing the screw-heads with a rotating plate that exposes them only when the key is turned. Lori uses mortise lock-cylinders, thereby requiring that the door be opened before the set-screws that hold them in place can be loosened. As locksmiths, are we not expected to provide (or at least recommend) hardware that has the appropriate level of security for the application?

In the third situation, a proximity-card reader is fastened to the exterior of a factory with fairly high security needs. It uses the standard Wiegand protocol to transmit identity information to an access control system. Since the Wiegand protocol provides no protection against intercepting electrical signals and replaying them later to impersonate a previously authenticated user, the plastic cover and two tamper-resistant screws are all that stand in the way of an attacker installing a small gadget that will provide him access later on.

Zac Franken demonstrated this at DEF CON 15, a security conference held in August of 2007. The security of a building that has an expensive access-control system is important enough that it should not be subjected to the security limitations of a pair of fancy screws, especially once it has been publicly demonstrated that the security of such a system is lacking.

With a constantly-monitored surveillance system that would detect tampering and provide a prompt response, perhaps the building would be sufficiently protected. But alas, no such system is in place on this door. If it is desirable that the building be secured without the need for constant monitoring, then I suggest that card readers be installed inside the building and that they read cards through the walls. If they must be installed on the exterior, a beefier card-reader enclosure should be used and the installer should make sure that it is well and securely fastened in place.

All I’m saying is to keep a healthy level of paranoia about tampering hoodlums, whoever they may be, and to consider whether the assets are sufficiently protected against the threats. Sometimes they are; sometimes they’re not.

Loading