Improving Tamper & Counterfeit Detection Roger G. Johnston, Ph.D., CPP Vulnerability Assessment Team Los Alamos National Laboratory 505-667-7414 [email protected] http://pearl1.lanl.gov/seals/default.htm LAUR-04-7823

Page 1: Improving Tamper & Counterfeit Detection

Improving Tamper & Counterfeit Detection

Roger G. Johnston, Ph.D., CPP

Vulnerability Assessment Team

Los Alamos National Laboratory

[email protected]

http://pearl1.lanl.gov/seals/default.htm

LAUR-04-7823

Page 2: Improving Tamper & Counterfeit Detection

Physical Security
• consulting
• cargo security
• tamper detection
• nuclear safeguards
• training & curricula
• vulnerability assessments
• novel security approaches
• new tags & seals (patents)
• unique vuln. assessment lab

The VAT has done detailed vulnerability assessments on hundreds of different security devices, systems, & programs.

LANL Vulnerability Assessment Team

The greatest of faults, I should say, is to be conscious of none. -- Thomas Carlyle (1795-1881)

Page 3: Improving Tamper & Counterfeit Detection

intrusion detection: immediate (real-time) detection of unauthorized access.

tamper detection: delayed (after the fact) detection of unauthorized access.

Terminology

Page 4: Improving Tamper & Counterfeit Detection

Terminology (con’t)

lock: a device to delay, complicate, and/or discourage unauthorized entry.

seal: a tamper-indicating device (TID) designed to leave non-erasable, unambiguous evidence of unauthorized entry or tampering. Unlike locks, seals are not necessarily meant to resist access, just record that it took place.

Page 5: Improving Tamper & Counterfeit Detection

tag: an applied or intrinsic feature that uniquely identifies an object or container.

types of tags

inventory tag (no malicious adversary)

security tag (counterfeiting & lifting are issues)

buddy tag or token (only counterfeiting is an issue)

anti-counterfeiting (AC) tag (only counterfeiting is an issue)

lifting: removing a tag from one object or container and placing it on another, without being detected.

Terminology (con’t)

Page 6: Improving Tamper & Counterfeit Detection

Applications

• customs
• cargo security
• non-proliferation
• treaty verification
• counter-terrorism
• counter-espionage
• banking & couriers
• drug accountability
• records & ballot integrity
• evidence chain of custody
• weapons & ammo security
• tamper-evident packaging
• anti-product counterfeiting
• protecting instrument calibration
• protecting medical sterilization
• waste management & hazardous materials accountability

[Image: Some of the 5000+ commercial seals]

Tags: Uniquely identify an object

Tags & Seals

Seals: Detect tampering or unauthorized access

Page 7: Improving Tamper & Counterfeit Detection

Warning 1: Existing Tamper-Evident Packaging isn’t very effective, yet product tampering (by insiders or outsiders) is inevitable.*

On a bag of Fritos: You could be a winner! No purchase necessary. Details inside.

Page 8: Improving Tamper & Counterfeit Detection

Product Tampering

Tamper-Evident Packaging

Model of how to effectively deal with product tampering: J&J

Page 9: Improving Tamper & Counterfeit Detection

Problems with Consumer Tamper-Evident Packaging

• Mostly about Displacement, Due Diligence, Compliance, & Reducing Jury Awards--not effective Tamper Detection

• No meaningful FDA Standards, Guidelines, or Definitions

• Consumers lack sufficient information to use properly

• Euphemisms (e.g., “freshness seal”) & manufacturer obscurations

• Relatively unimaginative, cost-driven designs

• Few useful vulnerability assessments

• Not proactive to the threat

Page 10: Improving Tamper & Counterfeit Detection

Warning 2: Existing tamper-indicating seals (at least the way they are typically used) aren’t very effective for cargo security.

In theory there is no difference between theory and practice. In practice there is.

-- Yogi Berra

Page 11: Improving Tamper & Counterfeit Detection

defeating a seal: opening a seal, then resealing (using the original seal or a counterfeit) without being detected.

attacking a seal: undertaking a sequence of actions designed to defeat it.

Defeating seals is mostly about fooling people, not beating hardware (unlike defeating locks, safes, or vaults)!

Terminology (con’t)

Page 12: Improving Tamper & Counterfeit Detection

(Yanking a seal off a container is not defeating it, because it will be noted at the time of inspection that the seal is damaged or missing.)

Page 13: Improving Tamper & Counterfeit Detection

Seals Vulnerability Assessment

We studied 213 different seals in detail:

• government & commercial

• mechanical & electronic

• low-tech through high-tech

• cost varies by a factor of 10,000

Over half are in use for critical applications, and 16% play a role in nuclear safeguards.

Page 14: Improving Tamper & Counterfeit Detection

Percent of seals that can be defeated in less than a given amount of time by 1 person using only low-tech methods

213 seals

Page 15: Improving Tamper & Counterfeit Detection

Defeat Time vs. Seal Cost

linear LS fit

r = 0.14

slope: 1.6 sec/$

307 attacks

Page 16: Improving Tamper & Counterfeit Detection

Results for 213 Seals

parameter | mean | median
defeat time for 1 person | 2.7 mins | 1 min
cost of tools & supplies | $144 | $5
marginal cost of attack | 42¢ | 9¢
time to devise successful attack | 5 hrs | 12 mins

Page 17: Improving Tamper & Counterfeit Detection

The Good News: Countermeasures

• Most of the attacks have simple and inexpensive countermeasures, but the seal installers & inspectors must understand the seal vulnerabilities, look for likely attacks, and have hands-on training.

• Also: better seals are possible!

Page 18: Improving Tamper & Counterfeit Detection

20+ New “Anti-Evidence” Seals

• better security
• no hasp required
• no tools to install or remove seal
• no hardware outside the container
• 100% reusable, even if mechanical
• can monitor volumes or areas, not just portals
• can automatically verify the seal inspector actually checked the seal

MagTag, Tie-Dye Seal, Magic Slate Seal, Glass & Powder Seal, Triboluminescence Seal, Plug Seal, Talking Truck Cargo Seal, Blinking Lights Seal, Time Trap…

Page 19: Improving Tamper & Counterfeit Detection

Warning 3: Counterfeiting tags & seals is easier than one might imagine.

Sincerity is everything. If you can fake that, you've got it made. -- Comedian George Burns (1896-1996)

Page 20: Improving Tamper & Counterfeit Detection

Counterfeiting Tags & Seals

Often overlooked: Counterfeiters usually only need to counterfeit the superficial appearance & apparent performance, not the actual tag/seal or its real performance.

It's better to be looked over than overlooked. -- Mae West, Belle of the Nineties, 1934

Page 21: Improving Tamper & Counterfeit Detection

Warning 4: Too often, high-technology is wrongly thought to guarantee high-security.

If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. -- Bruce Schneier

The more sophisticated the technology, the more vulnerable it is to primitive attack. People often overlook the obvious.

-- Dr. Who in The Pirate Planet (1978)

Page 22: Improving Tamper & Counterfeit Detection

Why High-Tech Devices Are Usually Vulnerable To Simple Attacks

Still must be physically coupled to the real world

Still depend on the loyalty & effectiveness of user’s personnel

The increased standoff distance decreases the user’s attention to detail

Many more legs to attack

Page 23: Improving Tamper & Counterfeit Detection

Why High-Tech Devices Are Usually Vulnerable To Simple Attacks (con’t)

The high-tech features often fail to address the critical vulnerability issues

Users don’t understand the device

Developers & users have the wrong expertise and focus on the wrong issues

The “Titanic Effect”: high-tech arrogance

Page 24: Improving Tamper & Counterfeit Detection

Warning 5: Too often, inventory is confused with security.

Not everything that can be counted counts, and not everything that counts can be counted. -- attributed to Albert Einstein (1879-1955)

Page 25: Improving Tamper & Counterfeit Detection

Inventory

• Counting and locating our stuff.

• No nefarious adversary.

• Will detect innocent errors by insiders, but not surreptitious attacks by insiders or outsiders.

Page 26: Improving Tamper & Counterfeit Detection

• Meant to counter nefarious adversaries, typically both insiders & outsiders.

• Watch out for mission creep: inventory systems that come to be viewed as security systems!

Security

Page 27: Improving Tamper & Counterfeit Detection

• bar codes

• rf transponders (RFIDs)

• contact memory buttons

High-Tech Tags: Classic examples of confusing Inventory & Security, High-Tech & High-Security

Usually easy to: * lift * counterfeit * spoof the reader

These are excellent for inventory, but problematic for security!

Page 28: Improving Tamper & Counterfeit Detection

GPS: Another classic example of confusing Inventory & Security, High-Tech & High-Security

• The private sector, foreigners, and 90+% of the federal government must use the civilian GPS satellite signals.

• These are unencrypted and unauthenticated.

• They were never meant for critical or security applications, yet GPS is being used that way (e.g., cargo security).

Page 29: Improving Tamper & Counterfeit Detection

Attacking Civilian GPS Receivers

Blocking: just break off the antenna, or shield it with metal; not surreptitious.

Jamming: easy to build a noisy rf transmitter from plans on the Internet; not surreptitious.

Spoofing: surreptitious & (as we’ve demonstrated) surprisingly easy for even unsophisticated adversaries. There are, however, simple countermeasures.

Physical attacks: appear to be easy, too.

Page 30: Improving Tamper & Counterfeit Detection

GPS Cargo Tracking

[Diagram labels: GPS Satellite; GPS Signal (vulnerable here); Tracking Information Sent to HQ (perhaps encrypted/authenticated)]

GPS is great for navigation, but it does not provide high security.

Page 31: Improving Tamper & Counterfeit Detection

Time Vulnerabilities

• Many national networks (computer, utility, financial, & telecommunications) are somewhat prepared for loss of time synchronization due to GPS jamming. But they are not prepared for spoofing, which is easy and could crash them.

• The alternate time standard (NIST atomic clock) is also not authenticated or encrypted.

Page 32: Improving Tamper & Counterfeit Detection

Warning 6: Practical & effective AC Tags don’t currently exist.

The Holy Grail: a practical, inexpensive AC Tag that is easy to verify, but difficult & expensive to counterfeit.

Is this even possible?

The handwriting on the wall may be a forgery. -- Ralph Hodgson (1871-1962)

Page 33: Improving Tamper & Counterfeit Detection

Potential High-Tech Tag Technologies (though little R&D is underway)

• thin films
• ferrofluids
• ultrasonics
• liquid crystals
• biological materials
• micro- & nano-particles
• novel glasses/ceramics
• transport & diffusion phenomena
• advanced polymers & composites
• exotic organics & macromolecules
• nonlinear optical & electrooptic materials

Page 34: Improving Tamper & Counterfeit Detection

CNT Technique: In the absence of effective AC Tags, this is one method to impede & detect product counterfeiting.

If we don't succeed, we run the risk of failure. -- Dan Quayle

Honesty may be the best policy, but it's important to remember that apparently, by elimination, dishonesty is the second-best policy.

-- George Carlin

Page 35: Improving Tamper & Counterfeit Detection

Lot: 4ZB1026 Exp: 04/06 Bottle ID: MPD709

• unique
• random, non-sequential
• at least 1000 times more possible ‘Bottle’ ID numbers per Lot than actual bottles

“Call-In the Numeric Token” (CNT) Technique

(“Bottle” can really mean bottle, tube, box, container, pallet, truck-load, etc.)

Bottle ID

Page 36: Improving Tamper & Counterfeit Detection

CNT Technique (con’t)

• Print “Bottle” ID on bottles, or other packaging at the factory, or attach printed adhesive labels later.

• Keep secure computer list (database) of valid Bottle IDs for each Lot.

• ~ 3 MB required per million containers.

Page 37: Improving Tamper & Counterfeit Detection

CNT Technique (con’t)

• “Calling in”: Customers log into a web site, or call an automated phone line to quickly check if their Bottle ID is valid for the given Lot number. (Yes/No response.)

• May or may not be required to identify themselves. (Pros & Cons).

• Useful even if only a small fraction of customers participate.

Page 38: Improving Tamper & Counterfeit Detection

1. Invalid Bottle IDs that are called-in will be immediately recognized as counterfeits.

2. Wholesalers, re-packagers, and other handlers of large quantities can spot counterfeits even without calling-in by finding duplicate Bottle IDs in their own stock.

3. Any duplicate valid Bottle IDs that are called-in will be flagged as counterfeits with fairly high reliability.

Counterfeits are spotted by…

Page 39: Improving Tamper & Counterfeit Detection

Counterfeiters

The bad guys are hampered by these problems:

• Guessing valid ID numbers isn’t practical.

• Getting large numbers of valid IDs is challenging.

• Making counterfeit products with duplicate IDs may lead to detection via the call-in process.

Page 40: Improving Tamper & Counterfeit Detection

Notes

• Putting the Bottle ID inside the tamper-evident packaging will make it more difficult for counterfeiters to covertly obtain valid IDs.

• Bar code (or RFID) the Lot & Bottle ID numbers so wholesalers, re-packagers, and high-volume customers can automate the process.

• Provide free readers & automated call-in software to major customers.

• Resale of drugs can be handled multiple ways, including raising the minimum threshold for declaring counterfeiting when duplicate Bottle IDs are called in.
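The CNT slides above describe sparse random Bottle IDs, a per-Lot list of valid IDs, and three detection paths (invalid call-in, duplicates in a handler's own stock, duplicate valid call-ins). The following is an added sketch of that bookkeeping, not code from the presentation or from LANL; the ID alphabet and length, the class and function names, and the status strings are assumptions.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # assumed; fits sample "MPD709"
ID_LEN = 6           # assumed; length of the slide's sample Bottle ID
MIN_SPARSITY = 1000  # slide: >= 1000x more possible IDs per Lot than bottles


class CntRegistry:
    """Manufacturer-side list of valid Bottle IDs per Lot, plus call-in counts."""

    def __init__(self, dup_threshold=2):
        # Call-ins of one valid ID at which it is flagged; raise it where
        # legitimate resale produces repeat call-ins (Notes slide).
        self.dup_threshold = dup_threshold
        self.valid = {}  # lot -> set of issued Bottle IDs
        self.calls = {}  # (lot, bottle_id) -> number of call-ins so far

    def issue_lot(self, lot, n_bottles):
        if len(ALPHABET) ** ID_LEN < MIN_SPARSITY * n_bottles:
            raise ValueError("ID space too dense; valid IDs become guessable")
        ids = set()
        while len(ids) < n_bottles:  # unique, random, non-sequential
            ids.add("".join(secrets.choice(ALPHABET) for _ in range(ID_LEN)))
        self.valid[lot] = ids
        return sorted(ids)

    def call_in(self, lot, bottle_id):
        """Status recorded by the manufacturer for one call-in."""
        if bottle_id not in self.valid.get(lot, set()):
            return "INVALID"  # never issued for this Lot
        key = (lot, bottle_id)
        self.calls[key] = self.calls.get(key, 0) + 1
        return "DUPLICATE" if self.calls[key] >= self.dup_threshold else "VALID"


def duplicates_in_stock(scanned):
    """A handler's local check: (lot, id) pairs seen more than once."""
    seen, dups = set(), set()
    for item in scanned:
        (dups if item in seen else seen).add(item)
    return dups


def guess_probability(n_bottles):
    """Chance that one random guess is a valid ID for a Lot of n_bottles."""
    return n_bottles / len(ALPHABET) ** ID_LEN
```

IDs come from `secrets` rather than a counter or a seeded generator so that knowing some valid IDs does not help predict others.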

Page 41: Improving Tamper & Counterfeit Detection

Repackagers & Pharmacies

If consolidating: Re-use some of the original Bottle IDs & destroy the rest (perhaps reporting this to the manufacturer).

If subdividing, do one of the following:

• Notify manufacturer so corrections can be applied to the database.
• Obtain new Bottle IDs from manufacturer.
• If trusted, generate own new Bottle IDs & report them to database.
• Easiest: manufacturer packs multiple (unique) IDs inside the original tamper-evident packaging, about one per new “bottle” to be created.

Page 42: Improving Tamper & Counterfeit Detection

• Invisible to customers who don’t care.

• May want to limit CNT to one level: wholesalers, pharmacies, or consumers (or run independent CNT systems for each level).

• Roll out the CNT technique only temporarily when there is a public counterfeit scare?

CNT Impact

Page 43: Improving Tamper & Counterfeit Detection

• Information provided by callers can help pharmaceutical companies understand the market & demonstrate a proactive approach to counterfeiting.

• Might help trace counterfeiters, especially if callers identify themselves.

• Getting consumers to take responsibility for checking authenticity of their own medicines may have multiple benefits.

CNT Impact (con’t)

Page 44: Improving Tamper & Counterfeit Detection

Costs: Low to Moderate

• Real-time printing of bottles or labels: inexpensive
• Maintain ‘database’: inexpensive (single PC)
• Software web site for callers: inexpensive (just a big LUT)
• Automated, voice recognition phone line: moderate
• Publicity & education to encourage participation & effective usage: moderate

Run as a third party service?

Page 45: Improving Tamper & Counterfeit Detection

LANL Time Trap

• A more sophisticated approach: Let the Bottle ID (keyed “hash”) vary in time.

• Tag has a microprocessor with 5-year battery and internal tamper detection.

• Some tamper detection capabilities

• Cost: few $ in quantity

• Volume: < 1 cc

• Reusable
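The slides give no algorithm for the Time Trap beyond "keyed hash that varies in time". As an added illustration (not LANL's design), this sketch shows why a time-varying keyed value resists the simple copying that a static printed ID allows; HMAC-SHA256, the hourly step, the 8-digit code, and all names are assumptions.

```python
import hashlib
import hmac

STEP_SECONDS = 3600  # assumed: the displayed value changes every hour
CODE_DIGITS = 8      # assumed display length


def tag_code(key, tag_serial, unix_time):
    """Value the (hypothetical) tag would display at unix_time."""
    counter = int(unix_time) // STEP_SECONDS
    msg = tag_serial.encode() + b"|" + counter.to_bytes(8, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    number = int.from_bytes(digest[:8], "big") % 10 ** CODE_DIGITS
    return str(number).zfill(CODE_DIGITS)


def verify(key, tag_serial, reported, unix_time, drift_steps=1):
    """Accept the code for the current step or +/- drift_steps of clock drift."""
    for d in range(-drift_steps, drift_steps + 1):
        expected = tag_code(key, tag_serial, unix_time + d * STEP_SECONDS)
        if hmac.compare_digest(expected, reported):
            return True
    return False
```

A value copied from a genuine tag stops verifying once the drift window has passed, and producing future values requires the secret key held inside the tag and by the verifier.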

Page 46: Improving Tamper & Counterfeit Detection

Warning 7: You need to conduct Adversarial Vulnerability Assessments (thinking like the bad guys). Traditional tools for improving security are not enough.

He that wrestles with us strengthens our skill. Our antagonist is our helper. -- Edmund Burke (1729-1797)

It is sometimes expedient to forget who we are. -- Publilius Syrus (~42 BC)

Page 47: Improving Tamper & Counterfeit Detection

Major Tools for Improving Security

1. Security Survey

2. Risk Management (“Design Basis Threat”)

3. Adversarial Vulnerability Assessment

Page 48: Improving Tamper & Counterfeit Detection

Real vulnerability assessments…

• Find vulnerabilities--because they always exist.

• Treat finding vulnerabilities as good news, not bad news--because finding them means you can do something about them.

• Are meant to improve security--not to “certify” it, or make us feel confident.

• View security from the perspective of the bad guys--not the good guys.

Page 49: Improving Tamper & Counterfeit Detection

We have a CD containing related papers & reports.

Available today or request a copy at [email protected]

The LANL Vulnerability Assessment Team

http://pearl1.lanl.gov/seals/default.htm

Roger Johnston, Ph.D., CPP, Ron Martinez, Leon Lopez, Sonia Trujillo, Adam Pacheco, Anthony Garcia, Jon Warner, Ph.D., Alicia Herrera, Eddie Bitzer, M.A.

Ring the bells that still can ring. Forget your perfect offering. There is a crack in everything. That's how the light gets in. -- Anonymous

Page 50: Improving Tamper & Counterfeit Detection

He that will not apply new remedies must expect new evils; for time is the greatest innovator.

-- Francis Bacon (1561-1626)