Improving Tamper - PowerPoint PPT Presentation

Title: Why It's Easy to Defeat Your Security. Author: R. Created Date: 10/19/2004 4:18:50 AM. Document presentation format: On-screen Show.


Transcript and Presenter's Notes

1
Improving Tamper & Counterfeit Detection
LAUR-04-7823
Roger G. Johnston, Ph.D., CPP
Vulnerability Assessment Team
Los Alamos National Laboratory
505-667-7414
rogerj_at_lanl.gov
http://pearl1.lanl.gov/seals/default.htm
2
LANL Vulnerability Assessment Team
  • Physical Security
  • consulting
  • cargo security
  • tamper detection
  • nuclear safeguards
  • training curricula
  • vulnerability assessments
  • novel security approaches
  • new tags & seals (patents)
  • unique vuln. assessment lab

The VAT has done detailed vulnerability assessments on hundreds of different security devices, systems, & programs.
The greatest of faults, I should say, is to be conscious of none. -- Thomas Carlyle (1795-1881)
3
Terminology
intrusion detection: immediate (real-time) detection of unauthorized access.
tamper detection: delayed (after the fact) detection of unauthorized access.
4
Terminology (cont)
lock: a device to delay, complicate, and/or discourage unauthorized entry.
seal: a tamper-indicating device (TID) designed to leave non-erasable, unambiguous evidence of unauthorized entry or tampering. Unlike locks, seals are not necessarily meant to resist access, just record that it took place.
5
Terminology (cont)
tag: an applied or intrinsic feature that uniquely identifies an object or container.
types of tags:
  • inventory tag (no malicious adversary)
  • security tag (counterfeiting & lifting are issues)
  • buddy tag or token (only counterfeiting is an issue)
  • anti-counterfeiting (AC) tag (only counterfeiting is an issue)
lifting: removing a tag from one object or container and placing it on another, without being detected.
6
Tags & Seals
  • Applications
  • customs
  • cargo security
  • non-proliferation
  • treaty verification
  • counter-terrorism
  • counter-espionage
  • banking & couriers
  • drug accountability
  • records & ballot integrity
  • evidence chain of custody
  • weapons & ammo security
  • tamper-evident packaging
  • anti-product counterfeiting
  • protecting instrument calibration
  • protecting medical sterilization
  • waste management & hazardous materials accountability

Tags: Uniquely identify an object
Seals: Detect tampering or unauthorized access
Some of the 5000 commercial seals
7
Warning 1: Existing Tamper-Evident Packaging isn't very effective, yet product tampering (by insiders or outsiders) is inevitable.
On a bag of Fritos: "You could be a winner! No purchase necessary. Details inside."
8
Product Tampering
Tamper-Evident Packaging
Model of how to effectively deal with product tampering: J&J
9
Problems with Consumer Tamper-Evident Packaging
  • Mostly about Displacement, Due Diligence, Compliance, & Reducing Jury Awards--not effective Tamper Detection
  • No meaningful FDA Standards, Guidelines, or Definitions
  • Consumers lack sufficient information to use properly
  • Euphemisms (e.g., "freshness seal") & manufacturer obscurations
  • Relatively unimaginative, cost-driven designs
  • Few useful vulnerability assessments
  • Not proactive to the threat

10
Warning 2: Existing tamper-indicating seals (at least the way they are typically used) aren't very effective for cargo security.
In theory there is no difference between theory and practice. In practice there is. -- Yogi Berra
11
Terminology (cont)
defeating a seal: opening a seal, then resealing (using the original seal or a counterfeit) without being detected.
attacking a seal: undertaking a sequence of actions designed to defeat it.
Defeating seals is mostly about fooling people, not beating hardware (unlike defeating locks, safes, or vaults)!
12
(Yanking a seal off a container is not defeating
it, because it will be noted at the time of
inspection that the seal is damaged or missing.)
13
Seals Vulnerability Assessment
We studied 213 different seals in detail:
  • government & commercial
  • mechanical & electronic
  • low-tech through high-tech
  • cost varies by a factor of 10,000
Over half are in use for critical applications, and 16 play a role in nuclear safeguards.
14
Percent of seals that can be defeated in less
than a given amount of time by 1 person using
only low-tech methods
213 seals
15
Defeat Time vs. Seal Cost
linear LS fit: r = 0.14, slope = 1.6 sec/
307 attacks
16
Results for 213 Seals
parameter                           mean       median
defeat time for 1 person            2.7 mins   1 min
cost of tools & supplies            144        5
margin cost of attack               42         9
time to devise successful attack    5 hrs      12 mins
17
The Good News: Countermeasures
  • Most of the attacks have simple and
    inexpensive countermeasures, but the seal
    installers & inspectors must understand the
    seal vulnerabilities, look for likely attacks,
    and have hands-on training.
  • Also: better seals are possible!

18
20 New Anti-Evidence Seals
  • better security
  • no hasp required
  • no tools to install or remove seal
  • no hardware outside the container
  • 100% reusable, even if mechanical
  • can monitor volumes or areas, not just portals
  • can automatically verify the seal inspector
    actually checked the seal

MagTag, Tie-Dye Seal, Magic Slate Seal, Glass
Powder Seal, Triboluminescence Seal, Plug Seal,
Talking Truck Cargo Seal, Blinking Lights Seal,
Time Trap
19
Warning 3: Counterfeiting tags & seals is easier than one might imagine.
Sincerity is everything. If you can fake that, you've got it made. -- Comedian George Burns (1896-1996)
20
Counterfeiting Tags & Seals
  • Often overlooked: Counterfeiters usually
    only need to counterfeit the superficial
    appearance & apparent performance, not the
    actual tag/seal or its real performance.

It's better to be looked over than overlooked.
-- Mae West, Belle of the Nineties, 1934
21
Warning 4: Too often, high-technology is wrongly thought to guarantee high-security.
The more sophisticated the technology, the more
vulnerable it is to primitive attack. People
often overlook the obvious. -- Dr. Who
in The Pirate Planet (1978)
If you think technology can solve your security
problems, then you don't understand the problems
and you don't understand the technology. --
Bruce Schneier
22
Why High-Tech Devices Are Usually Vulnerable To
Simple Attacks
  • Still must be physically coupled to the real
    world
  • Still depend on the loyalty & effectiveness of
    user's personnel
  • The increased standoff distance decreases the
    user's attention to detail
  • Many more legs to attack

23
Why High-Tech Devices Are Usually Vulnerable To
Simple Attacks (cont)
  • The high-tech features often fail to address the
    critical vulnerability issues
  • Users don't understand the device
  • Developers & users have the wrong expertise
    and focus on the wrong issues
  • The "Titanic Effect": high-tech arrogance

24
Warning 5: Too often, inventory is confused with security.
Not everything that can be counted counts, and
not everything that counts can be counted.
-- attributed to Albert Einstein (1879-1955)
25
Inventory
  • Counting and locating our stuff.
  • No nefarious adversary.
  • Will detect innocent errors by insiders,
    but not surreptitious attacks by insiders or
    outsiders.

26
Security
  • Meant to counter nefarious adversaries,
    typically both insiders & outsiders.
  • Watch out for mission creep: inventory
    systems that come to be viewed as security
    systems!

27
High-Tech Tags: Classic examples of confusing Inventory & Security, High-Tech & High-Security
  • bar codes
  • rf transponders (RFIDs)
  • contact memory buttons

Usually easy to: lift, counterfeit, spoof the reader
These are excellent for inventory, but problematic for security!
28
GPS: Another classic example of confusing Inventory & Security, High-Tech & High-Security
  • The private sector, foreigners, and 90% of
    the federal government must use the civilian
    GPS satellite signals.
  • These are unencrypted and unauthenticated.
  • They were never meant for critical or
    security applications, yet GPS is being
    used that way (e.g., cargo security).

29
Attacking Civilian GPS Receivers
  • Blocking: just break off the antenna, or shield
    it with metal; not surreptitious.
  • Jamming: easy to build a noisy rf transmitter
    from plans on the Internet; not surreptitious.
  • Spoofing: surreptitious (as we've demonstrated)
    & surprisingly easy for even unsophisticated
    adversaries. There are, however,
    simple countermeasures.
  • Physical attacks appear to be easy, too.

30
GPS Cargo Tracking
[Diagram labels: GPS Satellite; GPS Signal; Tracking Information Sent to HQ (perhaps encrypted/authenticated); "(vulnerable here)"]
GPS is great for navigation, but it does not provide high security.
31
Time Vulnerabilities
  • Many national networks (computer, utility,
    financial, telecommunications) are somewhat
    prepared for loss of time synchronization due to
    GPS jamming. But they are not prepared for
    spoofing, which is easy and could crash them.
  • The alternate time standard (NIST atomic clock)
    is also not authenticated or encrypted.

32
Warning 6: Practical & effective AC Tags don't currently exist.
The Holy Grail: a practical, inexpensive AC Tag that is easy to verify, but difficult & expensive to counterfeit. Is this even possible?
The handwriting on the wall may be a forgery.
-- Ralph Hodgson (1871-1962)
33
Potential High-Tech Tag Technologies (though little R&D is underway)
  • thin films
  • ferrofluids
  • ultrasonics
  • liquid crystals
  • biological materials
  • micro- & nano-particles
  • novel glasses/ceramics
  • transport & diffusion phenomena
  • advanced polymers & composites
  • exotic organics & macromolecules
  • nonlinear optical & electrooptic materials

34
CNT Technique: In the absence of effective AC Tags, this is one method to impede & detect product counterfeiting.
If we don't succeed, we run the risk of
failure. -- Dan Quayle
Honesty may be the best policy, but it's
important to remember that apparently, by
elimination, dishonesty is the second-best
policy. -- George Carlin
35
Call-In the Numeric Token (CNT) Technique
Sample label: Lot 4ZB1026, Exp 04/06, Bottle ID MPD709
Bottle ID:
  • unique
  • random, non-sequential
  • at least 1000 times more possible Bottle ID
    numbers per Lot than actual bottles

("Bottle" can really mean bottle, tube, box, container, pallet, truck-load, etc.)
36
CNT Technique (cont)
  • Print Bottle ID on bottles, or other
    packaging at the factory, or attach printed
    adhesive labels later.
  • Keep secure computer list (database) of valid
    Bottle IDs for each Lot.
  • 3 MB required per million containers.

37
CNT Technique (cont)
  • Calling in: Customers log into a web site,
    or call an automated phone line to quickly
    check if their Bottle ID is valid for the given
    Lot number. (Yes/No response.)
  • May or may not be required to identify
    themselves. (Pros & Cons).
  • Useful even if only a small fraction of
    customers participate.

38
Counterfeits are spotted by
  • Invalid Bottle IDs that are called-in will be
    immediately recognized as counterfeits.
  • Wholesalers, re-packagers, and other handlers of
    large quantities can spot counterfeits even
    without calling-in by finding duplicate Bottle
    IDs in their own stock.
  • Any duplicate valid Bottle IDs that are called-in
    will be flagged as counterfeits with fairly high
    reliability.

39
Counterfeiters
  • The bad guys are hampered by these problems:
  • Guessing valid ID numbers isn't practical.
  • Getting large numbers of valid IDs is
    challenging.
  • Making counterfeit products with duplicate IDs
    may lead to detection via the call-in process.

40
Notes
  • Putting the Bottle ID inside the tamper-evident
    packaging will make it more difficult for
    counterfeiters to covertly obtain valid
    IDs.
  • Bar code (or RFID) the Lot & Bottle ID numbers
    so wholesalers, re-packagers, and high-volume
    customers can automate the process.
  • Provide free readers & automated call-in
    software to major customers.
  • Resale of drugs can be handled multiple ways,
    including raising the minimum threshold for
    declaring counterfeiting when duplicate Bottle
    IDs are called in.
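
The CNT slides above (ID issuance, the valid-ID list, call-in checks, duplicate detection and the resale threshold) as a small Python sketch. This is an added example, not code from the presentation; the alphabet, the 6-character ID length, the three-way result and the names `issue_lot`, `CallInService` and `duplicates_in_stock` are assumptions made for illustration.

```python
import secrets
from collections import Counter

# Assumptions for this sketch (not from the slides): alphabet and ID length.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols, no 0/O/1/I
ID_LEN = 6           # same length as the sample Bottle ID "MPD709"
SPACE_FACTOR = 1000  # slide 35: >= 1000x more possible IDs than bottles per Lot

def issue_lot(n_bottles):
    """Return n_bottles unique, random, non-sequential Bottle IDs for one Lot."""
    if len(ALPHABET) ** ID_LEN < SPACE_FACTOR * n_bottles:
        raise ValueError("ID space too small for this Lot size")
    ids = set()
    while len(ids) < n_bottles:  # set membership enforces uniqueness
        ids.add("".join(secrets.choice(ALPHABET) for _ in range(ID_LEN)))
    return ids

class CallInService:
    """Manufacturer-side list of valid IDs per Lot plus a call-in counter."""
    def __init__(self, dup_threshold=1):
        self.valid = {}                     # lot -> set of valid Bottle IDs
        self.calls = Counter()              # (lot, bottle_id) -> call-ins seen
        self.dup_threshold = dup_threshold  # raise this where resale is expected

    def register_lot(self, lot, ids):
        self.valid[lot] = set(ids)

    def check(self, lot, bottle_id):
        """Classify one call-in as INVALID, VALID or DUPLICATE."""
        if bottle_id not in self.valid.get(lot, ()):
            return "INVALID"                # never issued for this Lot
        self.calls[(lot, bottle_id)] += 1
        if self.calls[(lot, bottle_id)] > self.dup_threshold:
            return "DUPLICATE"              # valid ID seen too many times
        return "VALID"

def duplicates_in_stock(scanned):
    """Wholesaler check without calling in: repeated (lot, bottle_id) pairs."""
    return sorted(p for p, n in Counter(scanned).items() if n > 1)

if __name__ == "__main__":
    svc = CallInService()
    lot_ids = issue_lot(1000)               # constructed Lot of 1000 bottles
    svc.register_lot("4ZB1026", lot_ids)
    genuine = next(iter(lot_ids))
    print(svc.check("4ZB1026", genuine))    # first call-in
    print(svc.check("4ZB1026", genuine))    # same ID called in again
    print(svc.check("4ZB1026", "000000"))   # '0' is not in ALPHABET
```

With this alphabet and length the ID space is 32^6, so the 1000x rule caps a Lot at roughly one million bottles; larger Lots need longer IDs.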

41
Repackagers & Pharmacies
  • If consolidating:
    • Re-use some of the original Bottle IDs &
      destroy the rest (perhaps reporting this
      to the manufacturer).
  • If subdividing, do one of the following:
    • Notify manufacturer so corrections can be
      applied to the database.
    • Obtain new Bottle IDs from manufacturer.
    • If trusted, generate own new Bottle IDs &
      report them to database.
    • Easiest: manufacturer packs multiple (unique)
      IDs inside the original tamper-evident
      packaging, about one per new bottle to be
      created.

42
CNT Impact
  • Invisible to customers who don't care.
  • May want to limit CNT to one level:
    wholesalers, pharmacies, or consumers (or run
    independent CNT systems for each level).
  • Roll out the CNT technique only temporarily
    when there is a public counterfeit scare?

43
CNT Impact (cont)
  • Information provided by callers can help
    pharmaceutical companies understand the
    market & demonstrate a proactive approach
    to counterfeiting.
  • Might help trace counterfeiters, especially if
    callers identify themselves.
  • Getting consumers to take responsibility for
    checking authenticity of their own medicines
    may have multiple benefits.

44
Costs: Low to Moderate
  • Real-time printing of bottles or labels:
    inexpensive
  • Maintain database: inexpensive (single PC)
  • Software & web site for callers: inexpensive
    (just a big LUT)
  • Automated, voice recognition phone line:
    moderate
  • Publicity & education to encourage
    participation & effective usage: moderate
  • Run as a third party service?

45
LANL Time Trap
  • A more sophisticated approach: Let the Bottle
    ID (keyed hash) vary in time.
  • Tag has a microprocessor with 5-year battery
    and internal tamper detection.
  • Some tamper detection capabilities
  • Cost few in quantity
  • Volume < 1 cc
  • Reusable

46
Warning 7: You need to conduct Adversarial Vulnerability Assessments (thinking like the bad guys). Traditional tools for improving security are not enough.
He that wrestles with us strengthens our skill.
Our antagonist is our helper. -- Edmund
Burke (1729-1797)
It is sometimes expedient to forget who we are.
-- Publilius Syrus (42 BC)
47
Major Tools for Improving Security
  • 1. Security Survey
  • 2. Risk Management (Design Basis Threat)
  • 3. Adversarial Vulnerability Assessment

48
Real vulnerability assessments
  • Find vulnerabilities--because they always
    exist.
  • Treat finding vulnerabilities as good news, not
    bad news-- because finding them means you can do
    something about them.
  • Are meant to improve security--not to certify
    it, or make us feel confident.
  • View security from the perspective of the
    bad guys--not the good guys.

49
The LANL Vulnerability Assessment Team
We have a CD containing related papers & reports. Available today or request a copy at rogerj_at_lanl.gov
Ring the bells that still can ring. Forget your perfect offering. There is a crack in everything. That's how the light gets in. -- Anonymous
Roger Johnston, Ph.D., CPP, Ron Martinez, Leon Lopez, Sonia Trujillo, Adam Pacheco, Anthony Garcia, Jon Warner, Ph.D., Alicia Herrera, Eddie Bitzer, M.A.
http://pearl1.lanl.gov/seals/default.htm
50
The End
He that will not apply new remedies must expect new evils; for time is the greatest innovator. -- Francis Bacon (1561-1626)