Improving Tamper & Counterfeit Detection
Roger G. Johnston, Ph.D., CPP, Vulnerability Assessment Team, Los Alamos National Laboratory, 505-667-7414
LAUR
LANL Vulnerability Assessment Team
Physical security: consulting, cargo security, tamper detection, nuclear safeguards, training & curricula, vulnerability assessments, novel security approaches, new tags & seals (patents), unique vulnerability assessment lab.
The VAT has done detailed vulnerability assessments on hundreds of different security devices, systems, & programs.
The greatest of faults, I should say, is to be conscious of none. -- Thomas Carlyle
Terminology
intrusion detection: immediate (real-time) detection of unauthorized access.
tamper detection: delayed (after-the-fact) detection of unauthorized access.
Terminology (con’t)
lock: a device to delay, complicate, and/or discourage unauthorized entry.
seal: a tamper-indicating device (TID) designed to leave non-erasable, unambiguous evidence of unauthorized entry or tampering. Unlike locks, seals are not necessarily meant to resist access, just to record that it took place.
Terminology (con’t)
tag: an applied or intrinsic feature that uniquely identifies an object or container.
types of tags:
* inventory tag (no malicious adversary)
* security tag (counterfeiting & lifting are issues)
* buddy tag or token (only counterfeiting is an issue)
* anti-counterfeiting (AC) tag (only counterfeiting is an issue)
lifting: removing a tag from one object or container and placing it on another, without being detected.
Tags & Seals
Tags: uniquely identify an object.
Seals: detect tampering or unauthorized access.
[Photo: some of the commercial seals]
Applications: customs, cargo security, non-proliferation treaty verification, counter-terrorism, counter-espionage, banking & couriers, drug accountability, records & ballot integrity, evidence chain of custody, weapons & ammo security, tamper-evident packaging, anti-product counterfeiting, protecting instrument calibration, protecting medical sterilization, waste management & hazardous materials accountability.
Warning 1: Existing tamper-evident packaging isn’t very effective, yet product tampering (by insiders or outsiders) is inevitable.*
On a bag of Fritos: “You could be a winner! No purchase necessary. Details inside.”
Product Tampering
Tamper-evident packaging. The model of how to effectively deal with product tampering: J&J (its response to the Tylenol poisonings).
Problems with Consumer Tamper-Evident Packaging
* Mostly about displacement, due diligence, compliance, & reducing jury awards, not effective tamper detection
* No meaningful FDA standards, guidelines, or definitions
* Consumers lack sufficient information to use it properly
* Euphemisms (e.g., “freshness seal”) & manufacturer obscurations
* Relatively unimaginative, cost-driven designs
* Few useful vulnerability assessments
* Not proactive to the threat
Warning 2: Existing tamper-indicating seals (at least the way they are typically used) aren’t very effective for cargo security.
In theory there is no difference between theory and practice. In practice there is. -- Yogi Berra
Terminology (con’t)
defeating a seal: opening a seal, then resealing (using the original seal or a counterfeit) without being detected.
attacking a seal: undertaking a sequence of actions designed to defeat it.
Defeating seals is mostly about fooling people, not beating hardware (unlike defeating locks, safes, or vaults)!
(Yanking a seal off a container is not defeating it, because it will be noted at the time of inspection that the seal is damaged or missing.)
Seals Vulnerability Assessment
We studied 213 different seals in detail: government & commercial, mechanical & electronic, low-tech through high-tech; cost varies by a factor of 10,000.
Over half are in use for critical applications, and 16% play a role in nuclear safeguards.
[Plot: percent of the 213 seals that can be defeated in less than a given amount of time by 1 person using only low-tech methods]
[Plot: defeat time vs. seal cost, 307 attacks; linear least-squares fit, r = 0.14, slope 1.6 sec/$]
The correlation is negligible: spending more on a seal buys almost no additional defeat time.
Results for 213 Seals
parameter                          mean       median
defeat time for 1 person           2.7 mins   1 min
cost of tools & supplies           $144       $5
marginal cost of attack            42¢        9¢
time to devise successful attack   5 hrs      12 mins
The Good News: Countermeasures
Most of the attacks have simple and inexpensive countermeasures, but the seal installers & inspectors must understand the seal vulnerabilities, look for likely attacks, and have hands-on training.
Also: better seals are possible!
20+ New “Anti-Evidence” Seals
* better security
* no hasp required
* no tools to install or remove the seal
* no hardware outside the container
* 100% reusable, even if mechanical
* can monitor volumes or areas, not just portals
* can automatically verify that the seal inspector actually checked the seal
Examples: MagTag, Tie-Dye Seal, Magic Slate Seal, Glass & Powder Seal, Triboluminescence Seal, Plug Seal, Talking Truck Cargo Seal, Blinking Lights Seal, Time Trap…
Warning 3: Counterfeiting tags & seals is easier than one might imagine.
Sincerity is everything. If you can fake that, you've got it made. -- Comedian George Burns
Counterfeiting Tags & Seals
Often overlooked: counterfeiters usually only need to counterfeit the superficial appearance & apparent performance, not the actual tag/seal or its real performance.
It's better to be looked over than overlooked. -- Mae West, Belle of the Nineties, 1934
Warning 4: Too often, high technology is wrongly thought to guarantee high security.
If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. -- Bruce Schneier
The more sophisticated the technology, the more vulnerable it is to primitive attack. People often overlook the obvious. -- Dr. Who in The Pirate Planet (1978)
Why High-Tech Devices Are Usually Vulnerable To Simple Attacks
* Still must be physically coupled to the real world
* Still depend on the loyalty & effectiveness of the user’s personnel
* The increased standoff distance decreases the user’s attention to detail
* Many more legs to attack
* The high-tech features often fail to address the critical vulnerability issues
* Users don’t understand the device
* Developers & users have the wrong expertise and focus on the wrong issues
* The “Titanic Effect”: high-tech arrogance
Warning 5: Too often, inventory is confused with security.
Not everything that can be counted counts, and not everything that counts can be counted. -- attributed to Albert Einstein
Inventory: counting and locating our stuff. No nefarious adversary. Will detect innocent errors by insiders, but not surreptitious attacks by insiders or outsiders.
Security: meant to counter nefarious adversaries, typically both insiders & outsiders. Watch out for mission creep: inventory systems that come to be viewed as security systems!
High-Tech Tags (bar codes, RF transponders (RFIDs), contact memory buttons): classic examples of confusing inventory & security, high-tech & high-security.
Usually easy to:
* lift
* counterfeit
* spoof the reader
These are excellent for inventory, but problematic for security!
GPS: Another classic example of confusing inventory & security, high-tech & high-security
The private sector, foreigners, and 90+% of the federal government must use the civilian GPS satellite signals. These are unencrypted and unauthenticated. They were never meant for critical or security applications, yet GPS is being used that way (e.g., cargo security).
Attacking Civilian GPS Receivers
Blocking: just break off the antenna, or shield it with metal; not surreptitious.
Jamming: easy to build a noisy RF transmitter from plans on the Internet; not surreptitious.
Spoofing: surreptitious & (as we’ve demonstrated) surprisingly easy for even unsophisticated adversaries. There are, however, simple countermeasures.
Physical attacks: appear to be easy, too.
GPS Cargo Tracking
[Diagram: GPS satellite -> GPS signal (vulnerable here) -> receiver on the cargo -> tracking information sent to HQ (perhaps encrypted/authenticated)]
GPS is great for navigation, but it does not provide high security. Encrypting and authenticating the link to HQ does not help: a spoofed position is faithfully reported as if it were genuine.
Time Vulnerabilities
Many national networks (computer, utility, financial, & telecommunications) are somewhat prepared for loss of time synchronization due to GPS jamming. But they are not prepared for spoofing, which is easy and could crash them. The alternate time standard (NIST atomic clock) is also not authenticated or encrypted.
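The two slides above say that spoofing is easy and that simple countermeasures exist, without showing one. The following is an added example, not LANL's code, of one such countermeasure applied to both the position and the time problem: a receiver-side plausibility check over a stream of NMEA $GPRMC fixes that rejects sentences with bad checksums, flags position jumps the vehicle could not physically have made, and flags GPS time steps that disagree with the logging host's own clock. Everything about the deployment is assumed (a truck-mounted receiver logged every 10 s, a host clock stamped on each sentence, a 50 m/s speed ceiling), and the sample track is constructed, not captured.

```python
"""Plausibility checks on a civilian GPS fix stream (NMEA 0183 $GPRMC).

Added example, not LANL code. Assumptions: a truck-mounted receiver logged
every 10 s, the logging host stamps each sentence with its own monotonic
clock, and a road vehicle cannot legitimately exceed MAX_SPEED_MPS.
The sample track at the bottom is constructed, not captured.
"""
import math
from datetime import datetime, timezone
from typing import Optional

MAX_SPEED_MPS = 50.0      # ~180 km/h: generous ceiling for a road vehicle (assumed)
CLOCK_TOLERANCE_S = 2.0   # GPS time step may differ from host clock step by this much (assumed)
EARTH_RADIUS_M = 6371000.0


def nmea_checksum(body: str) -> str:
    """XOR of every character between '$' and '*', as two uppercase hex digits."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return f"{cs:02X}"


def make_sentence(body: str) -> str:
    """Wrap a sentence body with '$' and a correct '*hh' checksum (used to build the sample)."""
    return f"${body}*{nmea_checksum(body)}"


def _to_degrees(value: str, hemisphere: str, degree_digits: int) -> float:
    """Convert NMEA ddmm.mmmm / dddmm.mmmm plus hemisphere letter to signed decimal degrees."""
    degrees = int(value[:degree_digits]) + float(value[degree_digits:]) / 60.0
    return -degrees if hemisphere in "SW" else degrees


def parse_rmc(sentence: str) -> Optional[dict]:
    """Parse a $GPRMC sentence; return None on bad checksum or no valid fix (status 'V')."""
    if not sentence.startswith("$") or "*" not in sentence:
        return None
    body, _, given = sentence[1:].partition("*")
    if nmea_checksum(body) != given.strip().upper():
        return None
    f = body.split(",")
    if len(f) < 10 or f[0] != "GPRMC" or f[2] != "A":
        return None
    # f[1] = hhmmss.ss UTC, f[3]/f[4] = latitude + N/S, f[5]/f[6] = longitude + E/W, f[9] = ddmmyy
    when = datetime.strptime(f[9] + f[1].split(".")[0], "%d%m%y%H%M%S").replace(tzinfo=timezone.utc)
    return {"time": when, "lat": _to_degrees(f[3], f[4], 2), "lon": _to_degrees(f[5], f[6], 3)}


def distance_m(a: dict, b: dict) -> float:
    """Great-circle distance between two fixes (haversine)."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def check_track(log):
    """log: list of (host_clock_seconds, nmea_sentence). Returns [(index, reason), ...] for suspect fixes."""
    alerts = []
    prev = None  # (host_clock_seconds, fix) of the last sentence that parsed
    for i, (host_t, sentence) in enumerate(log):
        fix = parse_rmc(sentence)
        if fix is None:
            alerts.append((i, "rejected: bad checksum or no valid fix"))
            continue
        if prev is not None:
            prev_host, prev_fix = prev
            gps_dt = (fix["time"] - prev_fix["time"]).total_seconds()
            host_dt = host_t - prev_host
            if gps_dt <= 0:
                alerts.append((i, f"GPS time went backwards by {-gps_dt:.0f} s"))
            elif abs(gps_dt - host_dt) > CLOCK_TOLERANCE_S:
                # Time spoofing: the receiver's clock jumped while the host's clock did not
                alerts.append((i, f"GPS time step {gps_dt:.0f} s vs host clock step {host_dt:.0f} s"))
            else:
                speed = distance_m(prev_fix, fix) / gps_dt
                if speed > MAX_SPEED_MPS:
                    # Position spoofing: the truck cannot have moved this far this fast
                    alerts.append((i, f"implied speed {speed:.0f} m/s exceeds {MAX_SPEED_MPS:.0f} m/s"))
        prev = (host_t, fix)
    return alerts


def _rmc(hhmmss: str, lat: str, lon: str) -> str:
    """Build one constructed $GPRMC sentence (northern/western hemisphere, 15 April 2005)."""
    return make_sentence(f"GPRMC,{hhmmss}.00,A,{lat},N,{lon},W,29.2,090.0,150405,,,A")


# Constructed log of (host clock seconds, sentence): a truck heading east from Los Alamos at ~15 m/s.
SAMPLE_LOG = [
    (0.0,  _rmc("120000", "3552.8000", "10618.1860")),
    (10.0, _rmc("120010", "3552.8000", "10618.0860")),
    (20.0, _rmc("120020", "3552.8000", "10617.9860")),
    (30.0, _rmc("120030", "3600.0000", "10600.0000")),  # spoofed position: ~30 km away in 10 s
    (40.0, _rmc("120040", "3600.0000", "10559.9000")),  # spoofer keeps a plausible pace afterwards
    (50.0, _rmc("120500", "3600.0000", "10559.8000")),  # spoofed time: GPS clock jumps 4 min 20 s
    (60.0, _rmc("120510", "3600.0000", "10559.7000").replace("10559.7", "10559.8")),  # corrupted: checksum fails
    (70.0, _rmc("120520", "3600.0000", "10559.6000")),
]

if __name__ == "__main__":
    for index, reason in check_track(SAMPLE_LOG):
        print(f"fix {index}: {reason}")
```

On the constructed track this flags fix 3 (position jump), fix 5 (time jump) and fix 6 (checksum), and passes the rest. The host clock comparison is the part that matters for the time-vulnerability slide: a spoofer who walks the GPS clock forward slowly enough to stay inside the tolerance is not caught by this check, so the tolerance has to be set from the host oscillator's real drift, not guessed.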
Warning 6: Practical & effective AC tags don’t currently exist.
The Holy Grail: a practical, inexpensive AC tag that is easy to verify, but difficult & expensive to counterfeit. Is this even possible?
The handwriting on the wall may be a forgery. -- Ralph Hodgson
CNT Technique: In the absence of effective AC tags, this is one method to impede & detect product counterfeiting.
If we don't succeed, we run the risk of failure. -- Dan Quayle
Honesty may be the best policy, but it's important to remember that apparently, by elimination, dishonesty is the second-best policy. -- George Carlin
“Call-In the Numeric Token” (CNT) Technique
Example label:  Lot: 4ZB1026   Exp: 04/06   Bottle ID: MPD709
Bottle ID: unique, random, non-sequential; at least 1000 times more possible ‘Bottle’ ID numbers per Lot than actual bottles.
(“Bottle” can really mean bottle, tube, box, container, pallet, truck-load, etc.)
CNT Technique (con’t)
Print the “Bottle” ID on bottles or other packaging at the factory, or attach printed adhesive labels later.
Keep a secure computer list (database) of valid Bottle IDs for each Lot. ~ 3 MB required per million containers.
CNT Technique (con’t)
“Calling in”: customers log into a web site, or call an automated phone line, to quickly check whether their Bottle ID is valid for the given Lot number (Yes/No response). They may or may not be required to identify themselves (pros & cons). Useful even if only a small fraction of customers participate.
Counterfeits are spotted by…
1. Invalid Bottle IDs that are called in will be immediately recognized as counterfeits.
2. Wholesalers, re-packagers, and other handlers of large quantities can spot counterfeits even without calling in, by finding duplicate Bottle IDs in their own stock.
3. Any duplicate valid Bottle IDs that are called in will be flagged as counterfeits with fairly high reliability.
Counterfeiters
The bad guys are hampered by these problems:
* Guessing valid ID numbers isn’t practical.
* Getting large numbers of valid IDs is challenging.
* Making counterfeit products with duplicate IDs may lead to detection via the call-in process.
Notes
* Putting the Bottle ID inside the tamper-evident packaging will make it more difficult for counterfeiters to covertly obtain valid IDs.
* Bar code (or RFID) the Lot & Bottle ID numbers so wholesalers, re-packagers, and high-volume customers can automate the process. Provide free readers & automated call-in software to major customers.
* Resale of drugs can be handled multiple ways, including raising the minimum threshold for declaring counterfeiting when duplicate Bottle IDs are called in.
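The CNT slides above describe a complete procedure: issue sparse random IDs per Lot, keep the list, answer Yes/No call-ins, and apply the three detection rules. The following is an added example that implements that procedure end to end; it is not LANL's software. Everything not on the slides is assumed: 6-character IDs over a 32-symbol alphabet (look-alikes 0/O/1/I dropped), an in-memory dict standing in for the manufacturer's secure database, and a duplicate threshold of 2 call-ins per ID by default, which the resale note above suggests raising where legitimate re-checking is common.

```python
"""Call-In the Numeric Token (CNT): issue sparse random Bottle IDs per Lot,
answer Yes/No call-ins, and flag duplicates.

Added example, not LANL's implementation. Assumptions: 6-character IDs over a
32-symbol alphabet, an in-memory dict as the manufacturer's "secure computer
list", and a duplicate threshold of 2 call-ins per ID (adjustable).
"""
import secrets
from collections import Counter

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # 32 symbols, no 0/O or 1/I look-alikes
ID_LENGTH = 6
ID_SPACE = len(ALPHABET) ** ID_LENGTH          # 32**6 = 1,073,741,824 possible Bottle IDs
MIN_SPARSITY = 1000                            # slide rule: >= 1000x more possible IDs than bottles


class CNTRegistry:
    """Manufacturer-side database of valid (Lot, Bottle ID) pairs plus call-in history."""

    def __init__(self, duplicate_threshold: int = 2):
        self.duplicate_threshold = duplicate_threshold
        self.valid = {}                      # lot -> set of issued Bottle IDs
        self.callins = {}                    # lot -> Counter(bottle_id -> number of call-ins)
        self.invalid_attempts = Counter()    # lot -> call-ins quoting IDs that were never issued

    def issue_lot(self, lot: str, n_bottles: int) -> set:
        """Draw n_bottles distinct random IDs; refuse a Lot so large that IDs become guessable."""
        if n_bottles * MIN_SPARSITY > ID_SPACE:
            raise ValueError("Lot too large for this ID length: IDs would become guessable")
        ids = set()
        while len(ids) < n_bottles:   # rejection loop keeps IDs unique within the Lot
            ids.add("".join(secrets.choice(ALPHABET) for _ in range(ID_LENGTH)))
        self.valid[lot] = ids
        self.callins[lot] = Counter()
        return ids

    def call_in(self, lot: str, bottle_id: str) -> str:
        """Customer or wholesaler check. Returns 'invalid', 'valid' or 'duplicate'."""
        bottle_id = bottle_id.strip().upper()
        if bottle_id not in self.valid.get(lot, ()):
            self.invalid_attempts[lot] += 1        # rule 1: never issued -> counterfeit
            return "invalid"
        self.callins[lot][bottle_id] += 1
        if self.callins[lot][bottle_id] >= self.duplicate_threshold:
            return "duplicate"                     # rule 3: same valid ID called in too often
        return "valid"

    def guess_probability(self, lot: str) -> float:
        """Chance that a single random guess hits an issued ID in this Lot."""
        return len(self.valid[lot]) / ID_SPACE


def duplicates_in_stock(lot_ids) -> list:
    """Rule 2: a wholesaler finds duplicate (Lot, Bottle ID) pairs in its own stock, no call-in needed."""
    counts = Counter((lot, bid.strip().upper()) for lot, bid in lot_ids)
    return sorted(pair for pair, n in counts.items() if n > 1)


if __name__ == "__main__":
    registry = CNTRegistry()
    issued = registry.issue_lot("4ZB1026", 1000)          # constructed Lot of 1000 bottles
    one = next(iter(issued))
    print(registry.call_in("4ZB1026", one), registry.call_in("4ZB1026", one), registry.call_in("4ZB1026", "000000"))
    print(f"guess probability per attempt: {registry.guess_probability('4ZB1026'):.2e}")
```

The sparsity check in issue_lot is the security property the slide states: with 1000 bottles in a 2^30 space a guess succeeds about one time in a million, and a counterfeiter who calls in guesses to find valid IDs shows up in invalid_attempts. Raising duplicate_threshold trades detection of duplicated IDs for tolerance of legitimate resale, exactly the knob the last note describes.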
Repackagers & Pharmacies
If consolidating: re-use some of the original Bottle IDs & destroy the rest (perhaps reporting this to the manufacturer).
If subdividing, do one of the following:
* Notify the manufacturer so corrections can be applied to the database.
* Obtain new Bottle IDs from the manufacturer.
* If trusted, generate your own new Bottle IDs & report them to the database.
* Easiest: the manufacturer packs multiple (unique) IDs inside the original tamper-evident packaging, about one per new “bottle” to be created.
CNT Impact
* Invisible to customers who don’t care.
* May want to limit CNT to one level: wholesalers, pharmacies, or consumers (or run independent CNT systems for each level).
* Roll out the CNT technique only temporarily when there is a public counterfeit scare?
CNT Impact (con’t)
* Information provided by callers can help pharmaceutical companies understand the market & demonstrate a proactive approach to counterfeiting.
* Might help trace counterfeiters, especially if callers identify themselves.
* Getting consumers to take responsibility for checking the authenticity of their own medicines may have multiple benefits.
Costs: Low to Moderate
* Real-time printing of bottles or labels: inexpensive
* Maintaining the ‘database’: inexpensive (single PC)
* Software web site for callers: inexpensive (just a big lookup table)
* Automated, voice-recognition phone line: moderate
* Publicity & education to encourage participation & effective usage: moderate
Run as a third-party service?
LANL Time Trap
A more sophisticated approach: let the Bottle ID (a keyed “hash”) vary in time. The tag has a microprocessor with a 5-year battery and internal tamper detection.
* some tamper detection capabilities
* cost: a few $ in quantity
* volume: < 1 cc
* reusable
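The slide gives the idea of a keyed hash that varies in time without spelling out the mechanism. The following is an added illustration of that idea, not the LANL Time Trap firmware: the tag shows a token computed as a keyed hash of the Lot, Bottle ID and current time window, so an ID copied off a genuine bottle stops verifying once the window passes. The choices of HMAC-SHA256 truncated to 8 hex digits, one-day windows, a per-product secret shared by tag and manufacturer, and a one-window drift allowance are all assumptions.

```python
"""A time-varying Bottle ID: the displayed token is a keyed hash of the bottle
identity and the current time window, so a copied value goes stale.

Added example of a "keyed hash that varies in time"; not the LANL Time Trap
design. Assumptions: HMAC-SHA256 truncated to 8 hex digits, one-day windows,
a per-product secret key held by manufacturer and tag, and a verifier that
accepts one neighbouring window to tolerate clock drift.
"""
import hashlib
import hmac

WINDOW_SECONDS = 86_400     # one token per day (assumed)
TOKEN_HEX_DIGITS = 8        # 32 bits shown: hard to guess, short enough to read off a tag


def token_for_window(key: bytes, lot: str, bottle_id: str, window: int) -> str:
    """Keyed hash of (lot, bottle_id, window), truncated to the displayed length."""
    msg = f"{lot}|{bottle_id}|{window}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:TOKEN_HEX_DIGITS].upper()


def current_token(key: bytes, lot: str, bottle_id: str, unix_time: int) -> str:
    """What the tag displays (or transmits) at unix_time."""
    return token_for_window(key, lot, bottle_id, unix_time // WINDOW_SECONDS)


def verify(key: bytes, lot: str, bottle_id: str, presented: str, unix_time: int, drift_windows: int = 1) -> bool:
    """Manufacturer-side check: accept the current window and +/- drift_windows around it."""
    window = unix_time // WINDOW_SECONDS
    candidate = presented.strip().upper()
    ok = False
    for w in range(window - drift_windows, window + drift_windows + 1):
        # compare_digest on every candidate keeps timing independent of which window matches
        ok |= hmac.compare_digest(token_for_window(key, lot, bottle_id, w), candidate)
    return ok


if __name__ == "__main__":
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # placeholder key, not a real secret
    now = 1_700_000_000
    shown = current_token(key, "4ZB1026", "MPD709", now)
    print(shown, verify(key, "4ZB1026", "MPD709", shown, now),
          verify(key, "4ZB1026", "MPD709", shown, now + 3 * WINDOW_SECONDS))
```

A counterfeiter who photographs a genuine tag gets a token that verifies for at most the drift window; producing fresh tokens requires the key inside the tag, which is why the slide pairs the scheme with internal tamper detection.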
Warning 7: You need to conduct adversarial vulnerability assessments (thinking like the bad guys). Traditional tools for improving security are not enough.
He that wrestles with us strengthens our skill. Our antagonist is our helper. -- Edmund Burke
It is sometimes expedient to forget who we are. -- Publilius Syrus (~42 BC)
Major Tools for Improving Security
1. Security Survey
2. Risk Management (“Design Basis Threat”)
3. Adversarial Vulnerability Assessment
Real vulnerability assessments…
* Find vulnerabilities, because they always exist.
* Treat finding vulnerabilities as good news, not bad news, because finding them means you can do something about them.
* Are meant to improve security, not to “certify” it or make us feel confident.
* View security from the perspective of the bad guys, not the good guys.
We have a CD containing related papers & reports. Available today, or request a copy at
The LANL Vulnerability Assessment Team: Roger Johnston, Ph.D., CPP, Ron Martinez, Leon Lopez, Sonia Trujillo, Adam Pacheco, Anthony Garcia, Jon Warner, Ph.D., Alicia Herrera, Eddie Bitzer, M.A.
Ring the bells that still can ring. Forget your perfect offering. There is a crack in everything. That's how the light gets in. -- Leonard Cohen, “Anthem”
He that will not apply new remedies must expect new evils; for time is the greatest innovator. -- Francis Bacon